Share via


"Access is denied" is so frustrating!!!

Grrr....  I spent a bunch of time recently troubleshooting one of these, so I thought I'd share in case it saves someone else some trouble.

We setup some Exchange 2003 servers on Windows 2003.  Some clustered and some not.  In a number of places, we would get “Access is denied” messages and error ID c0070005.  In the most critical case, we saw it when trying to join a second node to our cluster.  Since access was denied, we could not continue.  We would also see it when using Exchange System Manager and accessing some of the properties of a server. 

Of course, we checked all the usual stuff and the accounts in question had all the rights you could possibly want.

In the end, it was caused by permissions on a particular registry entry:  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SecurePipeServers\winreg

This registry key is used by a number of different things and often impacts remote registry access, performance counter access, etc.  In our case, the LOCAL SERVICE account did not have read permissions on this reg key.  Many of the things we were trying to do were really being performed by the local service.  I did some google searching and it seems that some security scanners will remove this permission to stop certain issues.  I was never able to determine if this was the root cause for us because the security people would not tell us anything.  Refused to come out of their boxes I guess....  :)

Comments

  • Anonymous
    June 09, 2004
    There was a comment here that I accidentally deleted. Anyway, the comment was that tools like filemon and regmon are invaluable here. I completely agree.

    In our case, we used the security event log and auditing to find the issue. It is amazing how often the event log gets ignored in troubleshooting issues. Anyway, we turned up failure logging on the servers and filtered the event log. It told us the exact reg key and account that was giving us a problem.

    Anyway, it is still aggrevating to troubleshoot. I always make all of the accounts domain admins... ;) ha, ha!
  • Anonymous
    August 03, 2004
    Thanks for your blog, would have saved me endless hours of trawling MSKB if I had read it first.

    Anyhow, adding permission on the HKEY_LOCAL_MACHINESYSTEMControlSetControlSecurePipeServerswinreg entry allowed me to finally remove the MS Mail connector, a prerequisite to upgrading to Exchange Server 2003.