Resolution
Directory and Resource Administrator 7.5
symptom
When you assign permissions to other user or group accounts to send or receive messages from the mailbox on the Mailbox securities tab on the User Properties window, DRA displays an error message.
symptom
Error: 'Server failed to complete the requested operation workflow successfully. Operation X2KSetMailboxRights failed.'
symptom
DRA writes the following error in the Windows Application event log:
ReturnCode: 0x64:Cannot create another system semaphore.
Action: X2KSetMailboxRights
cause
This is a known issue that occurs when you assign mailbox permissions to other user or group accounts on the Mailbox securities tab on the User Properties window. This error message occurs because when DRA tries to modify the security descriptor for mailbox permissions, DRA tries to modify the ownership information, user access or Discretionary Access Control List (DACL) information, and system auditing information of the security descriptor. However, the Windows security system only allows users who are owners of objects to modify the ownership information of the security descriptor. If a user tries to modify the ownership information of the security descriptor of an object and the user is not an owner of the object, the Windows security system does not allow the modification and generates an error. For more information, see Microsoft Knowledge Base Article KB 8323749, available at http://support.microsoft.com.
fix
NetIQ Directory and Resource Administrator and Exchange Administrator version 7.5 Hotfix 52932 addresses this issue.
Hotfix 52932 corrects an issue with how Directory and Resource Administrator (DRA) assigns mailbox permissions to other user or group accounts on the Mailbox securities tab on the User Properties window. When you assign permissions to other user or group accounts to send or receive messages from the mailbox, DRA displays an error message. This error message occurs because when DRA tries to modify the security descriptor for mailbox permissions, DRA tries to modify the ownership information, user access or Discretionary Access Control List (DACL) information, and system auditing information of the security descriptor. However, the Windows security system only allows users who are owners of objects to modify the ownership information of the security descriptor. If a user tries to modify the ownership information of the security descriptor of an object and the user is not an owner of the object, the Windows security system does not allow the modification and generates an error. For more information, see Microsoft Knowledge Base Article KB 323749, available at http://support.microsoft.com.
This hotfix corrects this issue and ensures DRA modifies only the user access or Discretionary Access Control List (DACL) information of the security descriptor when modifying mailbox permissions.
Note: This hotfix requires DRA version 7.5.
To download and install this hotfix:
- Close all DRA user interfaces.
- Run the DRA75000_Hotfix52932.msi file on each Administration server computer.
Hotfix 52932 modifies the X2KHelper.dll file on each computer where you installed the Administration server. By default, this file is located in the Program Files\NetIQ\DRA folder.
For more information, please contact NetIQ Technical Support at www.netiq.com/support .