Directory and Resource Administrator 6.50
Error: 'Access denied' When Renaming a Windows NT 4 global group using Directory and Resource Admininstrator
When attempting to rename a global security group in a Windows NT4 domain using either the DRA MMC interface or the CLI, the Assistant Admin will receive an error that access is denied and the operation is not completed.
The following event is written to the Application event log on the DRA Administration server:
Event Type: Failure Audit
Event Source: MCSAdminSvc
Event Category: GroupSetInfo
Event ID: 16007
Time: 1:29:37 PM
ReturnCode: 0x80070005:Access is denied.
Policy: $GroupNameLengthPolicy[Disabled], $SpecialGroupsPolicy[OK]
The call made by DRA during this operation uses a serverless bind method. This method does not assure binding to the PDC, whereas a server bind does. This issue occurs because DRA uses a serverless bind method during the GroupRename operation
Hotfix 8977 ensures the Administration server successfully renames a group when managing a Windows NT domain. If you receive an access denied error when attempting to rename a group, apply this hotfix.
To install this hotfix, run the DRA65000_Hotfix8977.exe file on the Administration server computer.
This hotfix modifies the following files on the Administration server computer:
By default, these files are located in the C:\Program Files\NetIQ\DRA folder.
Hotfix 8977 also includes files from Hotfix 10167:
By default, these files are located in the Web server root folder (C:\InetPub\wwwroot\DRAWeb\Admin) on the Administration server computer.
For more information regarding Hotfix 10167, please refer to the following Knowledge Base article:
- NetIQKB10167: Error: 'A constraint violation occurred.' When Adding a User Account to Certain Fields in Directory and Resource Administrator
Directory and Resource Administrator uses ADSI to rename a group while Enterprise Administrator uses an API call.
The issue can be address by one of the following:
Use the command line utility called renamegg.exe which uses an API to rename groups instead of ADSI.
An Account.dll buddy drop addresses this issue.