Office delegation permissions

Hi all,
Environment: Office 365 Enterprise E3 with Azure AD on cloud
Problem: I'm setting up a delegated connection to an email account, and I'm facing some permission problems; I would like to know if this is solvable at all.
Let’s say that I have a manager with an email account and his secretary, who has delegation to his email account with full control. The problem is, there are some emails which are confidential and even the secretary should not see them. I tried to solve this with RMS/IRM but this would be too much administration. In this case I would need a template with permissions that would allow the recipient to see email content, but disallow the secretary to open and see the content.
So to sum up, the IRM template should allow viewing content only to the recipient and no other, and the recipient can be anyone in or out of the company!
I don't have any more ideas for this issue. If you can suggest a suitable solution or point me in the right direction I would really appreciate it.
thanks in advance and best regards

Hi,
This is the Exchange Server forum. Actually, we have a dedicated support team for Microsoft Office 365. I recommend you ask your question on our Microsoft Office 365 forum, which is staffed by more experts specializing in this kind of problem. Thanks for your understanding.
For your convenience:
http://community.office365.com/en-us/f/default.aspx
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support

Similar Messages

  • Web console - delegating permissions correctly - Advice on best practice

    Hi,
    I'm in the process of rolling out the Orchestrator Console for wider use within our department.  After reading some posts on Console delegation I have been able to set a group up which when added to the Orchestrator root and Sub dirs, allows the folder
    views to be controlled, but only to some degree/very basic.
    What I mean - or what I'm finding is that I have what is turning out to be quite a 'deep' tree/subtree folder structure for my runbooks (currently about 4 levels) eg from root folder Runbooks->ProductionRunbooks->ServiceDeskRunbooks->ExchangeRunbooks
    - containing 2 exchange runbooks.
    So for this structure to delegate to Service desk staff I have created a security group (service desk_console) and given the basic Read permission at Runbook and ProductionRunbooks folder and then Full control (inc child Objects) at ServicedeskRunbooks folder
    to allow execution of any runbooks below this level.
    My query is: is this the way it should work - I initially thought I could set the read permission at the top level but then just at the Full control permission on the specific low level folder but this didn't work - I had to apply the read permission at each
    of the folders between root at target folder.
    So as the number of runbooks/folders grows and the possible mix of user groups who will require access to run a particular runbook I can see the delegation of permissions becoming very messy using the method I currently got working - ie with potentially
    several 'user groups' I will have to basically set explicitly the permissions for each user group at all levels on all folders?
    A possible solution I'm thinking of is to create a 'general console users' group and add the specific user groups to that (eg service desk,Exchange Team,VDI Team) to then set the read permissions on root Runbooks and Production Runbooks folders and then
    set Full control specific for the user groups on the folders containing the runbooks pertaining to that user group - any runbooks required by multiple groups could be set in a 'general folder with all groups having FC permissions to it.
    That's my thoughts - seems a bit messy to me but just interested to hear and confirm that that's just the limitation and way console delegation is supposed to work or if there is a neater way I'd like to know!!
    Cheers - PS I know this descended into a bit of a ramble/discussion in my own head so apologies ;-)

    Hi Stefan, thanks for your reply and suggestion.  What I probably didn't explain, and what I was hoping to achieve in the delegation model was to try and only make visible the folders/runbooks to the relevant operators/user groups.
    The issue probably stems from me having a pretty messy folder structure (generally) and me wanting to hide that mess and confusion from operators who will be new to the console.  Basically I have a high level folder called production which underneath
    that I create neat and tidy folders/runbooks following a good naming convention - only production ready stuff goes in here and this is the focus of what I want to make visible and control access to.  However I also have High level folder for PreProduction
    and Also Testing and within those are a very large number of Folders/runbook which don't follow good naming and can easily lose track when multiple folders are expanded fully.
    So my issue with doing the List permission and let it be inherited down the tree then I assume I will be giving the console user the full (list) view of that structure even if they can't execute any runbooks.
    So is the only way to enforce views/ and run permission to specify explicit permissions accordingly at each level in the tree, ie you can't skip setting folder permissions at some of the in between 'organizational type' folders - eg from my example above
    the ProductionRunbooks->ServiceDeskrunbooks folder/subfolder are just to logically organize the folders containing runbooks such as Exchangerunbooks.  Ideally I would like to set the permissions in such a way that allows the service Desk group to view
    the runbooks at the Exchangerunbooks subfolder level.
    Hope that makes sense - I get the feeling the answer is no and the only way to enforce it is to use the multiple groups/explicit permissions at each level in the folder structure.  Happy to be told otherwise!!...

  • Allocating and delegating permissions in Exchange Server 2010 between two AD security group.

    People,
    Can anyone please assist me in where and how to assign the following two AD security group in Exchange Server 2010?
    IT Admin group (Full access and permission for all AD and Exchange related).
    IT Helpdesk group (can only create mailbox and modify the mailbox properties including AD distribution group and contacts).
    Because in Exchange Server 2007, everything can be managed easily through the AD security group that is created during the installation such as
    Exchange Organization Administrators group for full access for IT Admin team and Exchange Recipient Administrators group for managing the mailbox user for Help Desk team.
    /* Server Support Specialist */

    Hi,
    Based on my knowledge, Exchange 2010 has an Organization Management group instead of the Exchange Organization Administrators group. Use the Recipient Management group instead of the Exchange Recipient Administrators group. In your case, you can add the
    IT Admin group to the Organization Management group, add the IT Helpdesk group to the Recipient Management group.
    Hope this can be helpful to you.
    Best regards,  
    Amy Wang
    TechNet Community Support

    Thanks, Amy,
    But for some reason I cannot see those built in AD security group in my ADUC?
    So should I recreate it manually by right clicking on the AD user and Console ?
    /* Server Support Specialist */

  • Delegation of permissions to join computers to domain

    Hi
    I am having some issues with delegating permissions to users for joining machines to the domain.
    I have delegated permissions to a group of users which allows them to join machines to the domain; they can join and disjoin, but the only problem is they cannot rejoin if the computer account still exists. 
    They get the following error:
    The Join operation was not successful, This could be because an existing computer account having name xxxxxx  was previously created
    using a different set of credentials.
    Access Denied
    Can someone tell me what extra delegation permissions I need to give to these users to be able to do this?
    Thanks

    Hello,
    please see http://support.microsoft.com/kb/932455/en-us "Users cannot reset passwords" how to configure the permission to reset the machine password which is required to rejoin machines
    to the domain where the machine name already exist in AD.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Opening xls or doc file with MS Office sets user permissions to no access.

    We have a problem with MS Office and permissions. Basically, opening an MSOffice file removes that user's permissions, not just for that file, but for the entire fileserver. Going back to the server as Admin and resetting the permissions does not take effect immediately, but at some seemingly random point later that same day. The Win XP users also find themselves locked out of using the files sometimes, when one user opens the file the permissions seem to change to give that user ownership and others only Read Only access. I have not experienced this problem, but I do not use MS Office.
    We run a mixed PC and Mac office. We have a Mac miniserver with Snow Leopard Server. Client computers use Win XP, or OS X Leopard 10.5.8. Previously we were running the same clients from a G5 PowerMac running Tiger server. This also had problems with permissions changing themselves after opening MSOffice for Mac 2004 files, but nothing quite as bad as this.
    We also have had problems with MSOffice crashing when for some reason the sharepoints disconnected themselves.
    Any suggestions please? This is the kind of issue that will force a change away from Mac... sadly I will be in a minority if I cannot find a fix.
    TIA
    Message was edited by: Basilisk

    Further Info:
    We appear to have both oplock and Strict Locking enabled, as well as AFP and SMB in operation. Of these two protocols, we have to keep SMB so the PCs can access the files; AFP we could give up if necessary, although that makes connection times slow on the Macs.
    I read that if we enable both AFP and SMB our data could be corrupted, but it didn't say what would happen to file permissions, nor how we could prevent multiple users accessing the same file simultaneously if we switched the locking off.

  • Access to office 365 api

    Hi team, 
    I have been building native applications and have access to the Microsoft tenant in Azure, and I already have the mobile application there. I can also add the web APIs to my application by going to the Configure tab and hitting Add at the bottom.
    So from here I can add the Office 365 Exchange Online API and set the delegated permissions to the required field.
    I also went through a couple of articles and videos which show how to get access to the Office 365 API.
    http://www.microsoftvirtualacademy.com/training-courses/deep-dive-integrate-office-365-apis-in-your-mobile-device-apps?m=11496
    As mentioned in the video, we add the connected service and it signs in to the Microsoft account and registers the app.
    We also add a client ID to App.xaml. And when we go to the tenant application page we can see the newly registered app with a client ID.
    Please let me know: if I already have the application in Azure and I have added the Office 365 Exchange Online API, do I need to do the above steps, or can I directly hit the API service URIs?
    thanks,
    NItesh

    Hi,
    need to add the office 365 exchange online web api in Azure and set the required permissions.
    then following this video code we can connect with office apis
    http://www.microsoftvirtualacademy.com/training-courses/deep-dive-integrate-office-365-apis-in-your-mobile-device-apps?m=11496
    also following url can be referred if we need directly to communicate with office 365 api using Oauth authentication method.
    https://msdn.microsoft.com/en-us/office/office365/api/api-catalog
    Thanks,
    Nitesh

  • Server 2012 R2 Active Directory delegation and access

    May be a simple question...
    In my company I have installed a backup domain controller on hyper-v for IT administration. All I want the IT admin guy to do is create users, modify their password and join clients to domain. He should not be allowed to change group memberships, or tweak
    group policies. 
    I understand the delegation process - using the wizard I assigned the tasks create/delete/change password and join domain. Also created a policy that allows IT admins to log in to this backup domain controller. 
    However, since the IT admins are just domain users, they are unable to open dsa.msc without providing an admin password. If I make the users Member of "Account Manager" then they are able to open the dsa after providing credentials but can also change
    the group permissions. 
    How can I implement this lock down in my environment?

    Thank you so much guys. So I demoted the computer, and installed RSAT. Now the IT Managers can log onto the machine. Although had to manually set the delegation permissions (The wizard kept giving full rights on a particular condition, will discuss more on
    this when I find out what's happening)
    I have another problem though .. 
    So we have an OU: Employees, Inside the OU: I have created many template user accounts, such as Sales.Test, Service.Test, etc. 
    The idea is to allow IT admins to create new users by copying these templates, so that proper group association are set. However, since, I have not allowed the IT admins to change group associations, the copying fails in the end with error: cannot add user
    xxx to group yyy. 
    Any suggestions?
    -- The groups are in a separate OU; it will also be okay if the IT admins can change associations for selected groups.

    Why don't you simply use the Powershell method I already shared in the Wiki? That way, you should not be facing these problems.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • MS Office 2004 Install on 10.4.8 Macbook

    I have successfully installed MS Office 2004 for Mac on my other 2 iMacs (non-Intel), but when I installed it on my new Intel Macbook (OSX 10.4), it appeared to install but the programs (i.e. Word, Excel, Entourage) wouldn't open. I then removed the MS Office Test version and the Office 2004 version, deleted plists associated with Office, repaired permissions, and rebooted. Then when I tried to reinstall Office for Mac 2004, it doesn't install. In other words, the autosetup execute off the install CD doesn't work. Nothing happens. I tried to then drag the folder from the CD into Applications. Again, the files seemed to have copied over, but the applications don't open. I'd appreciate any help. Thanks!!
    Intel MacBook and 17" iMac Flat Panel G4   Mac OS X (10.3.9)  

    Have you tried looking over at the Microsoft Office support center? It may be an issue with Rosetta (the translator from PPC to Intel code), but since Microsoft hasn't released any date for when we can expect an Intel native version of Office, we don't know how long that type of issue will still be around...)
    Maybe posting on the MS support page would let them know that Mac users are anxiously waiting for their participation in the switch to Intel.....
    http://support.microsoft.com/?scid=ph;en-us;2490
    Hope this helps,
    kjester

  • Hyper-V 2012 R2 Console Permissions

    Hi guys
    I asked this question before, but I'm not sure I phrased it correctly. It is now extremely critical I find some kind of answer, so I thought I'd try and break it down a bit more in a new thread. 
    - Previously, in Windows 2008 R2, you could delegate per VM Hyper-V console permissions using AzMan. This worked great. 
    - In 2012 R2 this does not seem to be possible. AzMan is now deprecated. Fine. I get this. 
    - What is now possible is that a user be a member of the Hyper-V administrators groups, this grants console access to all VMs. All previous mechanisms of obtaining console access work using any user that is a member of this group. 
    - If you wish to delegate console permissions that are granular to a single VM in 2012 R2, how do you do this? Is it even possible now?
    - I am not using SCVMM, and will not be using SCVMM at any point in the future, although the real issue here is the scoping of permissions. So if SCVMM can do it somehow, it must be delegating permissions some how?
    Thanks for your time. Really appreciate it. 

    Hi Hob_Gadling,
    I am afraid you can not achieve that with only server2012r2 hyper-v role at present.
    Best Regards
    Elton Ji

  • Report on OU Delegations?

    Hi,
    Over the years people have delegated various permissions on OUs - what are some of the ways to export those delegations (perhaps into a human readable format?). We are running Windows 2008 R2 DCs.
    Thanks,
    SK

    Below link might be helpful,
    http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
    Regards,
    Gopi
    JiJi Technologies

  • Check Delegated user permission with AD Domain and OU levels

    Hi
    We are looking for a way to check all user permissions at domain / OU levels. Is there a script or tool available for this?
    Regards
    LMS

    You can try this Powershell script:
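    # Requires the ActiveDirectory module (provides the AD: drive and Get-ADGroup)
    Import-Module ActiveDirectory
    $ou = "AD:\OU=Users,DC=contoso,DC=com"
    $group = Get-ADGroup MyGroup
    $sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
    # Read the OU's current ACL
    $acl = Get-Acl $ou
    # Build an Allow ACE giving the group GenericAll (full control) on the OU
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"GenericAll","Allow"
    $acl.AddAccessRule($ace)
    # Write the modified ACL back to the OU (this changes permissions; it does not report them)
    Set-Acl -AclObject $acl $ou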
    and you can also look at these given below links:
    http://technet.microsoft.com/en-us/library/cc775585(v=ws.10).aspx
    http://auditingactivedirectory.blogspot.in/2014/08/how-to-view-active-directory-delegated-permissions.html
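
A read-only report of what has been delegated on an OU, which is what this question and the earlier "Report on OU Delegations?" thread ask for, as an added example that is not part of either thread. The SDDL string, the SIDs and the function name Get-ExplicitDelegation are constructed for illustration; in a live domain the same function takes the object returned by Get-Acl on an AD:\ path.

```powershell
# Added example: read-only report of explicit (non-inherited) ACEs on an OU.
# Assumes Windows with the .NET System.DirectoryServices assembly available.
Add-Type -AssemblyName System.DirectoryServices

function Get-ExplicitDelegation {
    param(
        [Parameter(Mandatory = $true)]
        [System.DirectoryServices.ActiveDirectorySecurity] $Acl,
        [string] $Target = '(constructed sample)'
    )

    # Rights that let a trustee change objects or their security, not just read them.
    $writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree, ExtendedRight, Self'

    # includeExplicit = $true, includeInherited = $false: only ACEs set directly
    # on this object, i.e. what somebody delegated here.
    $rules = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = [System.Security.Principal.SecurityIdentifier]$rule.IdentityReference
        [pscustomobject]@{
            Target        = $Target
            Trustee       = $sid.Value
            # True for users/groups from a domain, False for well-known SIDs such as SYSTEM
            DomainAccount = ($null -ne $sid.AccountDomainSid)
            Type          = $rule.AccessControlType
            Rights        = $rule.ActiveDirectoryRights
            # Schema GUID the ACE is limited to (all zeros = every object class/attribute)
            ObjectType    = $rule.ObjectType
            AppliesTo     = $rule.InheritanceType
            CanModify     = (([int]$rule.ActiveDirectoryRights -band $writeMask) -ne 0)
        }
    }
}

# Constructed security descriptor standing in for an OU's ACL:
#   1. SYSTEM: full control (explicit)
#   2. constructed domain SID ...-1105: full control on this object and all children
#   3. constructed domain SID ...-1106: create/delete child objects of class "user" only
#   4. Authenticated Users: read access, flagged ID (inherited), so it is filtered out
$sampleSddl = 'O:BAG:BAD:' +
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
    '(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
    '(OA;CI;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111111111-2222222222-3333333333-1106)' +
    '(A;CIID;LCRPRC;;;AU)'

$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sampleSddl)

# In a live domain (ActiveDirectory module loaded), replace the two lines above with:
#   $acl = Get-Acl 'AD:\OU=Users,DC=contoso,DC=com'
Get-ExplicitDelegation -Acl $acl -Target 'OU=Users,DC=contoso,DC=com (constructed)' |
    Sort-Object CanModify -Descending |
    Format-Table -AutoSize
```

Rows where DomainAccount and CanModify are both True are the delegations worth reviewing first, a GenericAll grant on the whole OU in particular.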

  • Question mark around names received in Delegate email -- Outlook 2011

    Looking for some guidance... Office for Mac 2011 / Outlook / 14.2.4 / Exchange 2010 SP1
    Just installed Update Rollup 7 v2 last weekend.
    Yesterday, a client called me to say that Outlook was reporting database corruption. I ask her to choose the option to rebuild since relaunching Outlook 2011 brought her back to same screen. The rebuild seemed to complete successfully and she used Outlook
    the rest of the day.
    This morning I came in to her office on an unrelated matter and she reported that she had a couple of items stuck in her outbox. I looked at them and, to make a long story short, found that the following is happening.
    For this story:
    * Steve delegates to Jo the ability to accept/decline meetings on his behalf.
    * Jo, naturally, gets a copy of all meeting requests. 
    * Outlook 2011 is set up so that Jo is listed as a delegate for Steve.
    Reproducible Steps:
    1. I send a meeting request to Steve's email address. My email address is at a completely different FQDN.
    2. Jo gets a copy of that meeting request.
    3. If Jo opens up the meeting request email in Steve's inbox, the To: field shows "Lastname, Steve" which is how the display name is set on the Exchange server.
    4. If Jo opens the meeting request and looks at the To: field in Outlook 2011 in HER inbox, the name shows as "Lastname; Steve;". Both names are highlighted in orange with a white question mark. Hover over the names shows an "Unknown" presence. Opening the
    contact for "Lastname" shows a completely different Exchange user. Opening the contact for "Steve" doesn't do anything.
    5. If Jo accepts or declines the invitation in HER inbox, the message gets stuck in the outbox and Outlook logs an HTTP 500 error for every mail send attempt.
    What I've attempted to resolve the problem:
    1. Deleted, created, rebuilt the various identities on the Mac.
    2. Changing the Directory Lookup URL within Outlook 2011 to the https:// FQDN. 
    3. Followed instructions found elsewhere to delete the Mac-equivalent OAB and attempted redownload of the OAB. Searching for names in the company directory seems to work fine.
    4. Created a new Mac user and tested from there. (Same issue.)
    5. Followed instructions (here) to completely remove Office and reinstall. (Although I must have missed something because Jo's open windows and position were retained.)
    6. Set up a new Exchange account before and after reinstall and before and after installation of latest Office 2011 updates. (The download of Office 2011 available to me is Post-SP2. I understand that some folks on this forum have had to go back to a version
    somewhere between SP1 and SP2. I cannot test this, at least right now.)
    Other bits of information:
    * The Exchange server (2010 inside SBS 2011) is not on-premises. This is a satellite office. Mac and PC Outlooks are configured to use Outlook Anywhere.
    * MCRA tests are successful.
    * I have tested on another Mac running Outlook 2011 14.2.1. Same problem.
    * I have tested another user who is also a Delegate. The other person doesn't use a Mac, but when I set her up in Outlook 2011 14.2.1, she has the same issue.
    * Mac is running Mountain Lion, 10.8.2. The Mac is about two weeks old.
    * I do not know that any of our other Mac users are experiencing anything similar, although I think that none of them are Delegates.
    * Mails directly from Steve to Jo show the proper name within the To: field
    * I have not tested setting up an auto-forward from Steve to Jo's mailbox, sending mail to Steve, and seeing what the To: field shows in Jo's copy. (Might be interesting.)
    * If Jo accepts/declines appointments from within Steve's Inbox directly, those acceptances and declines transmit successfully.
    The most disheartening thing about all of this is that I see that other people are having the problem. Some of you have contributed to a fairly large thread about it in the Answers forum. However, that is literally ALL of the information I can find in my searching. (The Answers guys asked me to post here.)
    At the moment, I have a workaround in that Jo can accept/decline directly from Steve's inbox. 
    Any help -- any -- even new career thoughts are appreciated!!

    Simon,
    Here's an update:
    I opened up a case with Microsoft PSS.
    After speaking to the SBS team for a few days -- and they did a stellar job, in my opinion -- the tech suggested we speak to the Outlook for Mac team, just in case there was something there. The OFM team had one request:
    Remove Jo from "Full Access" Exchange permissions on Steve's account.
    Boom. That did it. Outlook 2011 (Mac) accepts/declines work fine now.
    According to the OFM team, FA and Delegation permissions can conflict with one another over EWS. They have admitted that they are not doing a root-cause analysis. Perhaps, I can request that. However, I am pretty
    pleased and relieved that I didn't have to rebuild mailboxes or something just as onerous. 

  • Reminders share calendar outlook 2010

    My environment is as follows:
    Two mailboxes of exchange 2010: mailbox 1, mailbox 2
    I am sharing the calendar from Outlook 2010 mailbox 1
    I have delegated permissions on the calendar to the mailbox 2
    User 1 can see the calendar of the mailbox 2
    The problem is it does not display shared calendar notifications
    I use the option manage full access permission exchange
    from outlook I use the option open additional mailbox opening the mailbox 1
    Then see this calendar reminders work
    my goal is to limit the mailbox 1 to user 2 cannot send email with that account and can only display the calendar and reminders.

    Hi,
    Outlook only supports firing reminders in your own mailbox or default PST file. Therefore, reminders are available only for items stored in the main calendar:
    http://office.microsoft.com/en-us/training/see-and-share-multiple-calendars-RZ001030994.aspx?section=8
    With full access mailbox permission, the user has owner permission to the mailbox. So the reminder can work in shared mailbox as an additional mailbox. But for shared calendar, the reminder can’t be displayed. The reminder added in the shared calendar can only remind the mailbox owner instead of calendar owner.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Server 2012 R2 STD RODC Installation Failure

    Hello,
    I am running into issues installing a Windows Server 2012 R2 RODC. I have pre-created the RODC account and set the proper delegation permissions. I have DNS configured properly and verified everything in DNS is good; I also verified the firewall between sites and everything is open for AD traffic; all communication is also good. I'm not sure if this is isolated to 2012 R2 RODC installations, because a couple of months back I successfully implemented a 2008 R2 RODC. Anyway, the error I keep seeing in the wizard, PowerShell and dcpromo logs is "The wizard cannot access the list of domains in the forest. The error is: the specified network name is no longer available." Below is part of the error; I can get the full log if needed.
             Enter MyDsGetDcName2
    dcpromoui 890.CE8 2B04 21:09:11.585                 Calling DsGetDcName
    dcpromoui 890.CE8 2B05 21:09:11.585                 ComputerName : (null)
    dcpromoui 890.CE8 2B06 21:09:11.585                 DomainName   : bcc.pg.com
    dcpromoui 890.CE8 2B07 21:09:11.585                 DomainGuid   : (null)
    dcpromoui 890.CE8 2B08 21:09:11.585                 SiteName     : (null)
    dcpromoui 890.CE8 2B09 21:09:11.585                 Flags        : 0x40000000
    dcpromoui 890.CE8 2B0A 21:09:11.586                 HRESULT = 0x00000000
    dcpromoui 890.CE8 2B0B 21:09:11.586                 DomainControllerName    : \\DCWHBC02.bcc.pg.com
    dcpromoui 890.CE8 2B0C 21:09:11.586                 DomainControllerAddress : \\155.118.153.249
    dcpromoui 890.CE8 2B0D 21:09:11.586                 DomainGuid              : {F42A2C4C-5E7B-48A8-BF8B-B5324677A050}
    dcpromoui 890.CE8 2B0E 21:09:11.586                 DomainName              : bcc.pg.com
    dcpromoui 890.CE8 2B0F 21:09:11.586                 DnsForestName           : bcc.pg.com
    dcpromoui 890.CE8 2B10 21:09:11.586                 Flags                   : 0xE0007178:
    dcpromoui 890.CE8 2B11 21:09:11.586                 DcSiteName              : WHBC2
    dcpromoui 890.CE8 2B12 21:09:11.586                 ClientSiteName          : Gebze
    dcpromoui 890.CE8 2B13 21:09:11.586           using forest name bcc.pg.com
    dcpromoui 890.CE8 2B14 21:09:11.586           Enter State::GetOperation REPLICA
    dcpromoui 890.CE8 2B15 21:09:11.586           Enter State::SetForestName bcc.pg.com
    dcpromoui 890.CE8 2B16 21:09:11.586           Enter State::SetTargetDomainName bcc.pg.com
    dcpromoui 890.CE8 2B17 21:09:11.586           Enter MyCredUIParseUserName
    dcpromoui 890.CE8 2B18 21:09:11.586             userName: romero.r.18 defaultDomainName: bcc.pg.com
    dcpromoui 890.CE8 2B19 21:09:11.586             pszParsedUserName:  pszParsedDomainName:  dwRc: 1315
    dcpromoui 890.CE8 2B1A 21:09:11.586             Now trying to parse newUserName: bcc.pg.com\romero.r.18
    dcpromoui 890.CE8 2B1B 21:09:11.586             pszParsedUserName: romero.r.18 pszParsedDomainName: bcc.pg.com dwRc: 0
    dcpromoui 890.CE8 2B1C 21:09:11.586             user: romero.r.18 domain: bcc.pg.com fullUserName: bcc.pg.com\romero.r.18 dwRc: 0
    dcpromoui 890.CE8 2B1D 21:09:11.586           Enter CheckUserIsLocal
    dcpromoui 890.CE8 2B1E 21:09:11.586           Enter State::GetOperation REPLICA
    dcpromoui 890.CE8 2B1F 21:09:11.586           Enter State::ReadDomains
    dcpromoui 890.CE8 2B20 21:09:11.586             Enter State::GetTargetDomainName
    dcpromoui 890.CE8 2B21 21:09:11.586               Enter State::GetOperation REPLICA
    dcpromoui 890.CE8 2B22 21:09:11.586               target domain name: bcc.pg.com
    dcpromoui 890.CE8 2B23 21:09:11.587             Enter CDomains::ReadDomains
    dcpromoui 890.CE8 2B24 21:09:11.587               Enter MyDsEnumerateDomainTrusts
    dcpromoui 890.CE8 2B25 21:09:11.587                 Enter GetDcName
    dcpromoui 890.CE8 2B26 21:09:11.587                   Enter GetDcName2
    dcpromoui 890.CE8 2B27 21:09:11.587                     Enter MyDsGetDcName2
    dcpromoui 890.CE8 2B28 21:09:11.587                       Calling DsGetDcName
    dcpromoui 890.CE8 2B29 21:09:11.587                       ComputerName : (null)
    dcpromoui 890.CE8 2B2A 21:09:11.587                       DomainName   : bcc.pg.com
    dcpromoui 890.CE8 2B2B 21:09:11.587                       DomainGuid   : (null)
    dcpromoui 890.CE8 2B2C 21:09:11.587                       SiteName     : (null)
    dcpromoui 890.CE8 2B2D 21:09:11.587                       Flags        : 0x40000011
    dcpromoui 890.CE8 2B2E 21:09:12.102                       HRESULT = 0x00000000
    dcpromoui 890.CE8 2B2F 21:09:12.102                       DomainControllerName    : \\DCWHBC02.bcc.pg.com
    dcpromoui 890.CE8 2B30 21:09:12.102                       DomainControllerAddress : \\155.118.153.249
    dcpromoui 890.CE8 2B31 21:09:12.102                       DomainGuid              : {F42A2C4C-5E7B-48A8-BF8B-B5324677A050}
    dcpromoui 890.CE8 2B32 21:09:12.102                       DomainName              : bcc.pg.com
    dcpromoui 890.CE8 2B33 21:09:12.102                       DnsForestName           : bcc.pg.com
    dcpromoui 890.CE8 2B34 21:09:12.102                       Flags                   : 0xE0007178:
    dcpromoui 890.CE8 2B35 21:09:12.102                       DcSiteName              : WHBC2
    dcpromoui 890.CE8 2B36 21:09:12.102                       ClientSiteName          : Gebze
    dcpromoui 890.CE8 2B37 21:09:12.102                     Enter Computer::RemoveLeadingBackslashes \\DCWHBC02.bcc.pg.com
    dcpromoui 890.CE8 2B38 21:09:12.102                     DCWHBC02.bcc.pg.com
    dcpromoui 890.CE8 2B39 21:09:12.102                 Enter AutoWNetConnection::Init
    dcpromoui 890.CE8 2B3A 21:09:12.102                   Enter AutoWNetConnection::CloseExistingConnection
    dcpromoui 890.CE8 2B3B 21:09:12.102                   pszComputerName : DCWHBC02.bcc.pg.com
    dcpromoui 890.CE8 2B3C 21:09:12.102                   pszUserName     : bcc.pg.com\romero.r.18
    dcpromoui 890.CE8 2B3D 21:09:14.648                   WNetAddConnection2W returned 64.
    dcpromoui 890.CE8 2B3E 21:09:14.648                   HRESULT = 0x80070040
    dcpromoui 890.CE8 2B3F 21:09:14.648                 Enter AutoWNetConnection::CloseExistingConnection
    dcpromoui 890.CE8 2B40 21:09:14.648                 HRESULT = 0x80070040
    dcpromoui 890.CE8 2B41 21:09:14.648               HRESULT = 0x80070040
    dcpromoui 890.CE8 2B42 21:09:14.648               HRESULT = 0x80070040
    dcpromoui 890.CE8 2B43 21:09:14.648           failed trying to read domains, returned 0x80070040
    dcpromoui 890.CE8 2B44 21:09:14.648           Enter GetErrorMessage 80070040
    dcpromoui 890.CE8 2B45 21:09:14.648       performed state 7, next state 37
    dcpromoui 890.CE8 2B46 21:09:14.648       Error: The wizard cannot access the list of domains in the forest. The error is:
    dcpromoui 890.CE8 2B47 21:09:14.648       Error: The specified network name is no longer available.
    dcpromoui 890.CE8 2B48 21:09:14.648       Enter State::GetHadNonCriticalFailures
    dcpromoui 890.CE8 2B49 21:09:14.648         bHadNonCriticalFailures = false
    dcpromoui 890.CE8 2B4A 21:09:14.648     Enter State::UnbindFromReplicationPartnetDC
    dcpromoui 890.CE8 2B4B 21:09:14.648     Exit code is 26
    Server 2008 MCTS - Applications Infrastructure, Network Infrastructure, Active Directory, Vista.

    Hi,
    As far as I know, this problem can occur if a domain controller in the domain has not registered an "A" record for itself in DNS.
    To solve this issue, we can add the A record for the domain controller with the ipconfig /registerdns command. Flush the DNS cache on the computer running the Active Directory Installation Wizard by using the ipconfig /flushdns command.
    Regarding this error, the following articles can be referred to for more information.
    Error message: The wizard cannot gain access to the list of domains in the forest
    http://support.microsoft.com/kb/259374
    Troubleshooting Active Directory Installation Wizard Problems
    http://technet.microsoft.com/en-us/library/bb727058.aspx
    Hope it helps.
    Best regards,
    Frank Shen
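
The log excerpt in the question ends with HRESULT 0x80070040 right after WNetAddConnection2W returned 64. As an added example (not part of the thread), this Python script splits a dcpromoui HRESULT into its facility and Win32 code and reports the message logged just before the first failure; the function names and the short Win32 name table are assumptions chosen for illustration.

```python
import re

# Lines copied from the dcpromoui log excerpt in the question above.
SAMPLE_LOG = """
dcpromoui 890.CE8 2B2E 21:09:12.102                       HRESULT = 0x00000000
dcpromoui 890.CE8 2B3B 21:09:12.102                   pszComputerName : DCWHBC02.bcc.pg.com
dcpromoui 890.CE8 2B3D 21:09:14.648                   WNetAddConnection2W returned 64.
dcpromoui 890.CE8 2B3E 21:09:14.648                   HRESULT = 0x80070040
dcpromoui 890.CE8 2B43 21:09:14.648           failed trying to read domains, returned 0x80070040
"""

# Layout: "dcpromoui <pid.tid> <hex sequence> <hh:mm:ss.mmm> <indented message>"
LINE = re.compile(r"^\s*dcpromoui\s+\S+\s+([0-9A-Fa-f]+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(.*)$")
HRES = re.compile(r"^HRESULT = 0x([0-9A-Fa-f]{8})$")
FACILITY_WIN32 = 7
# Small subset of well-known Win32 error codes (winerror.h names).
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH",
               64: "ERROR_NETNAME_DELETED", 1326: "ERROR_LOGON_FAILURE"}


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, facility and code."""
    return {"failed": bool((value >> 31) & 1),   # bit 31: 1 = failure
            "facility": (value >> 16) & 0x7FF,   # bits 16-26
            "code": value & 0xFFFF}              # bits 0-15


def first_failure(log_text):
    """Return the first failing HRESULT and the log message just before it."""
    previous = None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip blank lines and anything not in dcpromoui layout
        seq, stamp, message = m.group(1), m.group(2), m.group(3).strip()
        h = HRES.match(message)
        if h:
            fields = decode_hresult(int(h.group(1), 16))
            if fields["failed"]:
                name = None
                if fields["facility"] == FACILITY_WIN32:
                    name = WIN32_NAMES.get(fields["code"], "unknown Win32 code")
                return {"seq": seq, "time": stamp, "preceded_by": previous,
                        "win32_name": name, **fields}
        previous = message
    return None


if __name__ == "__main__":
    print(first_failure(SAMPLE_LOG))
```

Win32 code 64 is the same error the wizard prints in text form further down the log ("The specified network name is no longer available"), so the failure originates in the connection attempt to the domain controller rather than in the domain enumeration that reports it.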

  • The user name or password is incorrect in the CRM system checks during installation

    Hi everyone
    I'm installing CRM 2013 on 2 servers (server 2012) - CRM Full server + SQL Server 2012.
    I created 2 service accounts for this - CRMSVC + CRMSANDBOX (one for sandbox and another one for all the rest).
    I'm getting the following error in the system checks during setup:
    I've verified a billion times that the service accounts and passwords are valid - I even tried using different service accounts - same problem. As for now I also added the service accounts to the local admins groups just to be sure that it's not some permissions issue (I also added them to the 'log on as service' & performance logs groups).
    If I try to use NETWORK SERVICES instead of a service account - the installation goes through flawlessly - no issues at all.
    I'm also gonna say that I tried another installation on a fresh server - SAME ISSUE.
    So for now my ideas are either it's a GPO somehow blocking the service accounts - or some kind of other security issue.
    I also found out that the security event log shows these two errors when these show up in the system checks:
    Inside I found a 'NULL SID' entry - it does not recognize the service account - and 0xC0000064 in the Sub Status Codes.
    It's not a typo issue so don't bother - if I write a wrong password on purpose - it actually says that the password I typed for domain\service account is incorrect - here it seems that the service account is not being recognized.
    Any ideas anyone?
    Thanks
    Please vote if you find my post helpful - Thanks

    Not sure you understood my point.
    The installation process necessarily runs under the account of the installing user. The installation will query AD to identify information about the service accounts, and will add them to the relevant CRM AD groups. It is possible that the installing user account does not have sufficient privileges on the AD objects for the service accounts to be able to identify them, and to add them to groups. This scenario is consistent with the errors that you get, and also with being able to install CRM to run under NetworkServices (which doesn't have its own AD object).
    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Hi David
    I understand this, but as far as I know running it under NETWORK SERVICES will add the machine names to the OU security groups - hence the user installing still needs to have delegated permissions on that OU. Anyway as mentioned above - ignoring the checks and running the installation solved this and also added the accounts to the security groups - so this whole mess looks like some bug to me - not sure I will ever find out what it was :)
    Please vote if you find my post helpful - Thanks

Maybe you are looking for