PRB: Special Privilege Must Be Added After Delegate Wizard for Commerce Server Active Directory Container (303373)



The information in this article applies to:

  • Microsoft Commerce Server 2002
  • Microsoft Commerce Server 2000

This article was previously published under Q303373

SYMPTOMS

When an account that is only delegated specific permissions to the MSCS40_ROOT container is used to connect to the Active Directory, and you use BizDesk to create users or organizations, you may receive the following error message:
An error occurred while retrieving the security descriptor object. The directory service can perform the requested operation only on a leaf object.
0000208C: UpdErr:DSID-030A02AF, problem 6003 (CANT_ON_NON_LEAF), data 0

CAUSE

The Microsoft Commerce Server Profile Service needs a user account and password for connecting to Active Directory.

This error occurs when SetGroupPermissions is running within Daroutines.asp. The Commerce Server provider uses IDirectorySearch to retrieve the security descriptor of the container. IDirectorySearch returns an empty ntsecuritydescriptor if the user does not have the right to read the system access-control list (SACL). This causes a failure when you attempt to create an organization from BizDesk.
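The following PowerShell function is an added diagnostic, not code from this article or from Commerce Server. It reproduces the read described above through System.DirectoryServices.DirectorySearcher (.NET 2.0 or later): the same base-scope search is issued twice against the container, once asking the domain controller for owner, group, DACL and SACL, and once for everything except the SACL. A delegated account with only Read permission gets a descriptor back from the second query but nothing from the first, which is the signature of the missing "Manage auditing and security log" right. The container DN, the credential parameter and the function name are illustrative assumptions.

```powershell
# Added example (not from the KB article): probe whether the calling account can read
# the SACL part of a container's nTSecurityDescriptor.
# Assumptions: $ContainerDN is a placeholder; run from the Commerce Server computer as the
# Profile Service account, or pass that account's credential.

Add-Type -AssemblyName System.DirectoryServices

function Test-SaclReadable {
    param(
        [Parameter(Mandatory)] [string] $ContainerDN,   # e.g. 'OU=MSCS40_ROOT,OU=SupplierAD,DC=example,DC=com'
        [System.Management.Automation.PSCredential] $Credential
    )

    $path = "LDAP://$ContainerDN"
    if ($Credential) {
        $root = New-Object System.DirectoryServices.DirectoryEntry(
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        $root = New-Object System.DirectoryServices.DirectoryEntry($path)
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=*)'
    [void]$searcher.PropertiesToLoad.Add('nTSecurityDescriptor')

    # Helper: did the result carry a non-empty descriptor?
    $hasSd = {
        param($result)
        $result -and $result.Properties.Contains('ntsecuritydescriptor') -and
            $result.Properties['ntsecuritydescriptor'].Count -gt 0
    }

    # 1) Request Owner+Group+DACL+SACL. SecurityMasks maps to the LDAP SD_FLAGS control;
    #    without SeSecurityPrivilege on the DC the server returns no descriptor at all.
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner -bor
                              [System.DirectoryServices.SecurityMasks]::Group -bor
                              [System.DirectoryServices.SecurityMasks]::Dacl  -bor
                              [System.DirectoryServices.SecurityMasks]::Sacl
    $saclOk = & $hasSd $searcher.FindOne()

    # 2) Same query without the SACL bit: plain Read permission on the container suffices.
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner -bor
                              [System.DirectoryServices.SecurityMasks]::Group -bor
                              [System.DirectoryServices.SecurityMasks]::Dacl
    $daclOk = & $hasSd $searcher.FindOne()

    [pscustomobject]@{
        Container    = $ContainerDN
        DaclReadable = $daclOk
        SaclReadable = $saclOk
        Diagnosis    = if ($daclOk -and -not $saclOk) {
                           'Account lacks "Manage auditing and security log" (SeSecurityPrivilege) on the domain controllers'
                       } elseif (-not $daclOk) {
                           'Account cannot read the container at all: check the DN and the delegated Read permission'
                       } else { 'SACL readable; BizDesk organization creation should not fail for this reason' }
    }
}

# Usage (placeholder values):
# Test-SaclReadable -ContainerDN 'OU=MSCS40_ROOT,OU=SupplierAD,DC=example,DC=com' `
#                   -Credential (Get-Credential 'EXAMPLE\supplier_admin')
```

Run it before and after applying the resolution: the first run should report DaclReadable true and SaclReadable false for the delegated account, and after the right has been granted and the Commerce Server computer restarted both should be true.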

RESOLUTION

To retrieve the SACL, the user must have the "Manage auditing and security log" right assigned on the Group Policy object of the Domain Controllers organizational unit. To add this right, follow these steps:
  1. Open the Active Directory User and Computers snap-in.
  2. In the Domain Controllers folder, right-click the Domain Controllers organizational unit and click Properties.
  3. On the Group Policy tab, click Default Domain Controllers Policy and then click Edit. This opens the Group Policy object snap-in.
  4. In the Group Policy object snap-in, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights.
  5. Double-click Manage auditing and security log.
  6. Add the user account.
  7. Restart the Commerce Server computer.

NOTE: Users with the "Manage auditing and security log" right can only change auditing on an object for which they have Read permissions. If a user does not have Read permissions on the object, nothing can be done in that user's security context. This right is only active when auditing is enabled on the domain.
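To confirm that the steps above actually took effect on a domain controller, the following PowerShell is an added verification script, not part of this article or of Commerce Server. It exports the effective local policy with secedit (the "Manage auditing and security log" right is stored under its internal name, SeSecurityPrivilege), translates the listed SIDs to account names, and reports whether the given account is among them. The function names and the account name are illustrative assumptions.

```powershell
# Added example (not from the KB article): check on a domain controller that an account
# holds SeSecurityPrivilege ("Manage auditing and security log") in the effective policy.
# Assumptions: run elevated on the DC after the Default Domain Controllers Policy has
# refreshed; the account name passed in is a placeholder.

function Get-SeSecurityPrivilegeHolders {
    # secedit writes a Unicode .inf whose [Privilege Rights] section lists each right as
    # "SeXxxPrivilege = *SID,*SID,...", SIDs prefixed with '*'.
    $inf = Join-Path $env:TEMP ('userrights_{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf | Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' }
        if (-not $line) { return @() }            # right is assigned to nobody
        $values = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
        foreach ($v in $values) {
            if ($v -match '^\*?(S-1-[\d-]+)$') {
                # Translate the SID to DOMAIN\name; keep the raw SID if it no longer resolves.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $v }
            } else {
                $v                                # already a name
            }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Test-SeSecurityPrivilege {
    param([Parameter(Mandatory)] [string] $Account)   # e.g. 'EXAMPLE\supplier_admin' (placeholder)
    $holders = @(Get-SeSecurityPrivilegeHolders)
    # Direct match only: membership through a group that holds the right is not expanded here.
    $direct = $holders -contains $Account
    [pscustomobject]@{
        Account        = $Account
        HasRightDirect = $direct
        CurrentHolders = ($holders -join ', ')
        NextStep       = if ($direct) {
                             'Restart the Commerce Server computer (step 7) and retest organization creation'
                         } else {
                             'Add the account to "Manage auditing and security log" in the Default Domain Controllers Policy, then run gpupdate /force on each domain controller'
                         }
    }
}

Test-SeSecurityPrivilege -Account 'EXAMPLE\supplier_admin'
```

The export reflects the policy as currently applied to that domain controller, so run it after the Group Policy refresh (gpupdate /force, or the normal refresh interval) and on each domain controller the Profile Service may bind to. Because this right also allows reading and clearing the Security event log on those controllers, the holder list the script prints is worth reviewing for entries beyond the one service account.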

STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce Behavior

  1. In Active Directory, create a new user named supplier_admin.
  2. Unpackage the SupplierAD Solution Site. When you are asked for the Active Directory user, make sure that you use an account that is a member of the Domain Admins group or the containers in Active Directory will not be created correctly.
  3. After the site is unpackaged, open the Active Directory Users and Computers MMC snap-in and run the Delegated Admin Wizard on the container for the Supplier site (for example, OU=MSCS40_ROOT, OU=SupplierAD).
  4. Grant the user full control over the container by using the Custom option in the wizard.
  5. Start BizDesk and attempt to create a new organization. Note that initially the operation appears to succeed, but BizDesk then reports that the organization failed to be created.

Modification Type: Major
Last Reviewed: 10/9/2003
Keywords:kbprb KB303373