While preparing Active Directory for Exchange you may run into the following error.
F:\> Setup /PrepareAD /IAcceptExchangeServerLicenseTerms
Microsoft Exchange Server 2016 Cumulative Update 6 Unattended Setup
Copying files...
File copy complete. Setup will now collect additional information needed for installation.
Preforming Microsoft Exchange Server Prerequisite Check
Prerequisite Analysis
Setup will prepare the organization for Exchange Server 2016 by using 'Setup /PrepareAD'.
Active Directory must be prepared with 'Setup /PrepareAD'. However, the current user account doesn't have the permissions required even though it's a member of the 'Enterprise Admins' group. Check whether this is a valid user account.
We ran into this recently at a client. This was an odd error because it indicated we had all the necessary group memberships to perform this task. We had also just used this account to successfully extend the schema moments before.
Fixing ‘User does not have permissions’
We quickly discovered that the Default Domain Controllers Policy (a group policy linked to the Domain Controllers OU) had been removed. It was uncertain when this had happened, but the absence of the policy was not the issue in itself. Rather, the issue was a setting that comes predefined by that policy. The error we were receiving was due to the absence of the User Rights Assignment named Manage auditing and security log. This right is granted to the Exchange Servers and Administrators built-in groups.
The fix was to create a new policy with these permissions defined. Let’s explore those steps.
Note: Alternatively, you can replace the entire missing Default Domain Controllers Policy by running the DCGPOFIX command:
dcgpofix /ignoreschema /target:dc
Special Thanks: Michael B. Smith
From the Group Policy Management Console, expand the domain and right-click on the Domain Controllers OU. From the context menu select Create a GPO in this domain, and Link it here. Give the new policy a name and click OK. In our case, we called it User Rights Assignment for Exchange.
Right-click on the new policy and select Edit. This will launch the Group Policy Management Editor. Expand the following nodes.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Under User Rights Assignment double-click Manage auditing and security log.
Check the box Define these policy settings. Click Add User or Group and then Browse. From the Select Users and Computers dialog add Exchange Servers. Repeat this process to add Administrators. Click OK.
Allow time for Active Directory replication. You should then be able to rerun Setup /PrepareAD without issue.
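To confirm the setting has actually reached a domain controller before rerunning setup, the following added example (not from the original post) parses a secedit user-rights export and lists which of the two groups still lack Manage auditing and security log (SeSecurityPrivilege). The function names and the sample export are constructed for illustration, and the group names are assumed to be the English defaults.

```powershell
# Added example, not from the original post; function names are this example's own.
function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$Right = 'SeSecurityPrivilege')
    $inRights = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inRights -and $t -match ('^' + [regex]::Escape($Right) + '\s*=\s*(.*)$')) {
            foreach ($entry in ($Matches[1] -split ',')) {
                $e = $entry.Trim()
                if (-not $e) { continue }
                if ($e.StartsWith('*')) {   # secedit writes SIDs as *S-1-5-...
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                        $e = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { }             # unresolvable SID: keep the raw entry
                }
                $e
            }
        }
    }
}

function Get-MissingAuditRightHolders {
    param([string[]]$InfLines, [string[]]$Required = @('Administrators', 'Exchange Servers'))
    # Compare on the part after the backslash (BUILTIN\Administrators, DOMAIN\Exchange Servers).
    $have = @(Get-UserRightHolders -InfLines $InfLines | ForEach-Object { ($_ -split '\\')[-1] })
    $Required | Where-Object { $have -notcontains $_ }
}

function Export-UserRights {   # live input: the effective user rights on this machine
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    Get-Content $cfg
    Remove-Item $cfg
}

# Constructed sample export in which SeSecurityPrivilege is not defined at all.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"
Get-MissingAuditRightHolders -InfLines $sample
# On a DC, from an elevated prompt: Get-MissingAuditRightHolders -InfLines (Export-UserRights)
```

An empty result means both groups hold the right on that domain controller. The new GPO only takes effect there after replication and the next Group Policy refresh.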
We would love to hear from you. Have you seen any of these errors before? What did you do to fix it? Drop a comment below or join the conversation on Twitter @SuperTekBoy.
Michael B. says
I think the proper way to have done this would be to “dcgpofix /ignoreschema /target:dc” then re-run “setup /PrepareSchema” and “setup /PrepareAD”.
Just this man’s opinion.
Gareth Gudger says
Hey Michael,
Excellent point. Yep that would replace the entire missing GPO. I forgot all about that trusty command. I will make an edit to the document tomorrow.
Alex Laurie says
I had a similar issue recently on an Exchange 2016 install. Install user had all the correct permissions, Exchange /PrepareSchema kept dropping out with errors saying the user didn’t have the relevant permissions.
The issue in the end turned out to be the FSMO roles holder was not a Global Catalog. Once that was added, everything went through just fine.
Exchange can be a funny thing sometimes!
Gareth Gudger says
Thanks Alex. Haven’t come across that scenario yet but definitely good to know. Thanks for sharing.