While preparing Active Directory for Exchange you may run into the following error.
F:\> Setup /PrepareAD /IAcceptExchangeServerLicenseTerms Microsoft Exchange Server 2016 Cumulative Update 6 Unattended Setup Copying files... File copy complete. Setup will now collect additional information needed for installation. Preforming Microsoft Exchange Server Prerequisite Check Prerequisite Analysis Setup will prepare the organization for Exchange Server 2016 by using 'Setup /PrepareAD'. Active Directory must be prepared with 'Setup /PrepareAD'. However, the current user account doesn't have the permissions required even though it's a member of the 'Enterprise Admins' group. Check whether this is a valid user account.
We ran into this recently at a client. This was an odd error because it indicated we had all the necessary group memberships to perform this task. We had also just used this account to successfully extend the schema moments before.
Fixing ‘User does not have permissions’
We quickly discovered that the Default Domain Controllers Policy (which is a group policy assigned to the domain controllers OU) had been removed. It was uncertain when this may have happened but the absence of this policy was not the issue itself. Moreover it was a setting that comes predefined by that policy. The error we were receiving was due to the absence of the User Rights Assignment, Manage auditing and security logs. This right is granted to the Exchange Servers and Administrators builtin groups.
The fix was to create a new policy with these permissions defined. Let’s explore those steps.
From the Group Policy Management Console, expand the domain and right click on the Domain Controllers OU. From the context menu select Create a GPO in this domain, and Link it here. Give the new policy a name and click Ok. In our case we called it User Rights Assignment for Exchange.
Right click on the new policy and select Edit. This will launch the Group Policy Management Editor. Expand the following nodes.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Under User Rights Assignments double-click Manage auditing and security log.
Check the box Define these policy settings. Click Add User or Group and then Browse. From the Select Users and Computers dialog add Exchange Servers. Repeat this process to add Administrators. Click Ok.
Allow time for Active Directory replication. You should then be able to rerun Setup /PrepareAD without issue.
We would love to hear from you. Have you seen any of these errors before? What did you do to fix it? Drop a comment below or come join the conversation on Twitter @SuperTekBoy.