Error: 'Access denied' When Renaming a Windows NT 4 global group using Directory and Resource Admini (NETIQKB8977)

  • 7708977
  • 02-Feb-2007
  • 20-Jun-2007


Directory and Resource Administrator 6.50

Error: 'Access denied' When Renaming a Windows NT 4 global group using Directory and Resource Admininstrator

When attempting to rename a global security group in a Windows NT4 domain using either the DRA MMC interface or the CLI, the Assistant Admin will receive an error that access is denied and the operation is not completed.


The following event is written to the Application event log on the DRA Administration server:

Event Type: Failure Audit
Event Source: MCSAdminSvc
Event Category: GroupSetInfo
Event ID: 16007
Date: 6/27/2002
Time: 1:29:37 PM
User: user_ID
Computer: DRA_server_name
ReturnCode: 0x80070005:Access is denied.
Action: SetInfo
ObjectType: Group
Target: OnePoint://CN=target_group_name,DC=domain_name
Operands: Name,
Policy: $GroupNameLengthPolicy[Disabled], $SpecialGroupsPolicy[OK]
Trigger: <none>


The call made by DRA during this operation uses a serverless bind method.  This method does not assure binding to the PDC, whereas a server bind does.  This issue occurs because DRA uses a serverless bind method during the GroupRename operation


Hotfix 8977 ensures the Administration server successfully renames a group when managing a Windows NT domain.  If you receive an access denied error when attempting to rename a group, apply this hotfix.
To install this hotfix, run the DRA65000_Hotfix8977.exe file on the Administration server computer.

This hotfix modifies the following files on the Administration server computer:

  • Accounts.dll
  • ResProvider.dll

By default, these files are located in the C:\Program Files\NetIQ\DRA folder.

Hotfix 8977 also includes files from Hotfix 10167:

  • \lib\js\Cached_forms\ContactProperties.js
  • \lib\js\Cached_forms\GroupProperties.js
  • \lib\js\Cached_forms\UserProperties.js
  • \lib\js\common\getManagerProperties.js
  • \lib\js\PathParseUtility.js
  • \scripts\ComputerProperties.asp
  • \scripts\OuProperties.asp

By default, these files are located in the Web server root folder (C:\InetPub\wwwroot\DRAWeb\Admin) on the Administration server computer.


For more information regarding Hotfix 10167, please refer to the following Knowledge Base article:

  • NetIQKB10167: Error: 'A constraint violation occurred.' When Adding a User Account to Certain Fields in Directory and Resource Administrator

Directory and Resource Administrator uses ADSI to rename a group while Enterprise Administrator uses an API call.

The issue can be address by one of the following:

Use the command line utility called renamegg.exe which uses an API to rename groups instead of ADSI.
An Account.dll buddy drop addresses this issue.

Additional Information

Formerly known as NETIQKB8977