I get an Access is Denied error when creating a DMA project (NETIQKB47165)

  • 7747165
  • 02-Feb-2007
  • 18-Oct-2007


Domain Migration Administrator 7.x

I get an Access is Denied error when creating a DMA project

I am unable to create a new DMA project


Several situations can cause this problem:

  • You logged on to the DMA console with a user account that is not known in the specified domain
  • The Everyone or Pre-Windows 2000 Compatible Access group has been denied access, or has had the Access this computer from the network user right removed, on the DC of the specified domain
  • DMA functions that use NTLM authentication are being denied access by an LMCompatibilityLevel registry key setting of 4 or 5 on the source or target DC

The NTLM authentication issue may also be identified under the following circumstances:

  • Running the NET VIEW sourceDC command results in Access Denied
  • When you enable auditing for logon and account logon events on the specified domain, you receive an "Invalid user name or bad password" error
  • Running ADSI Edit for the default domain results in an error, but running it with a specified domain name is successful
  • Remote registry access is denied even though the Winreg key is populated with local Administrators and Local Service


To resolve these issues:

  • Add the logged-on user account to a local group in the specified domain.
  • Add the Pre-Windows 2000 Compatible Access group to the Access this computer from the network user right on the specified domain DC.
  • Set the LMCompatibilityLevel registry key to level 2 on both the source and target DCs. As an alternative, you can log on to the DMA console computer using an account from the domain that is denying access.


For more information about resetting the LMCompatibilityLevel registry key, see the following Microsoft Knowledge Base article:

How to enable NTLM 2 Authentication
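
To confirm whether a DC matches the NTLM cause described above before changing the setting, the following read-only PowerShell check reports the current level when run locally on the source and target DCs. It is an added example, not part of the original article or of DMA; the function name Get-LmCompatibility and its output property names are hypothetical, and the registry location used is the standard Windows one, which this article does not state.

```powershell
# Added example: read-only check of the NTLM compatibility level on this DC.
# Get-LmCompatibility and its output property names are hypothetical.
function Get-LmCompatibility {
    # Standard Windows location of the setting (not given in the article).
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'LmCompatibilityLevel'

    # Documented meaning of each level.
    $meaning = @{
        0 = 'Send LM and NTLM responses'
        1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only; refuse LM'
        5 = 'Send NTLMv2 response only; refuse LM and NTLM'
    }

    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the operating system default applies.
        $level = $null
        $text  = 'Value not set; operating system default applies'
    } else {
        $level = [int]$item.$name
        if ($meaning.ContainsKey($level)) {
            $text = $meaning[$level]
        } else {
            $text = 'Unrecognized value'
        }
    }

    # The article attributes the DMA failure to a setting of 4 or 5.
    $matches45 = ($null -ne $level) -and ((4, 5) -contains $level)

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        Level             = $level
        Meaning           = $text
        MatchesDmaFailure = $matches45
    }
}

Get-LmCompatibility | Format-List Computer, Level, Meaning, MatchesDmaFailure
```

Run it on both the source and the target DC; MatchesDmaFailure is True only when the level is 4 or 5, the setting this article identifies as blocking DMA functions that use NTLM.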


Additional Information

Formerly known as NETIQKB47165