Support-Info: (INSTALLATION): Exception has been thrown by the target of an invocation. System.UnauthorizedAccessException: Access is denied.
PRODUCTS INVOLVED
- Microsoft Identity Manager 2016 Service Pack 1 (4.4.1302.0)
- Service and Portal Installation
PROBLEM SCENARIO DESCRIPTION
- When attempting to install the Service and Portal, the installation rolls back just after the "copying new files" phase. The Windows Installer verbose log shows the exception below.
LOGGING TOOLS
Here are the logging tools I utilized to assist in troubleshooting this issue.
- Windows Installer Verbose Log
  NOTE: How to get a Windows Installer verbose log
  1. Open an administrative command prompt and navigate to the installation media.
  2. Execute the following command line: msiexec /i "Service and Portal.msi" /l*v myinstalllog.txt
  Documentation (Knowledge Base Article): https://support.microsoft.com/en-us/help/223300/how-to-enable-windows-installer-logging
- Process Monitor: /en-us/sysinternals/downloads/procmon
WINDOWS INSTALLER VERBOSE LOG
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied.
at System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsContainer.GetObject(String className, String relativeName)
at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.ChangeUserMembershipInGroup(Session session, Boolean addUser)
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction AddServiceToPerformanceMonitors returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
PROCESS MONITOR LOG
- The Process Monitor log shows "ACCESS DENIED" results on the %Windir%\System32 folder.
2:38:58.2013136 PM msiexec.exe 6724 CreateFile C:\Windows\System32 ACCESS DENIED Desired Access: Write DAC, Write Owner, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 00000000:000003e7 8092 620
2:38:58.2038367 PM msiexec.exe 6724 CreateFile C:\Windows\System32 ACCESS DENIED Desired Access: Write DAC, Write Owner, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 00000000:000003e7 8092 620
CAUSE
- The machine account needs access to the %windir%\System32 folder
RESOLUTION
- The resolution can be any one of the following methods:
  1. Add the machine account of the server on which you are installing the Service and Portal to the Domain Admins group, which should in theory make it part of the Local Administrators group if Domain Admins is listed there. You will need to reboot the machine.
  2. Add the machine account of the server on which you are installing the Service and Portal to the Local Administrators group. You will need to reboot the machine.
  3. Provide the machine account with Full Control to the %windir%\System32 folder.
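The following read-only PowerShell check is an added example, not part of the original article or of the MIM installer. It reports whether the machine account is already a direct member of the local Administrators group and which access rules on %windir%\System32 name it, so the state can be recorded before and after applying one of the methods above. It assumes PowerShell 5.1 or later, an elevated prompt, and that the logged-on user's domain is the server's domain (override with -MachineAccount otherwise).

```powershell
# Added example: read-only check of the conditions named under CAUSE and RESOLUTION.
# Run from an elevated PowerShell prompt on the server where setup rolls back.
param(
    # Assumption: DOMAIN\HOSTNAME$ built from the current session's environment.
    [string]$MachineAccount = ('{0}\{1}$' -f $env:USERDOMAIN, $env:COMPUTERNAME)
)

$system32 = Join-Path $env:windir 'System32'

# Resolve the account to a SID so matching does not depend on name formatting.
$sid = ([System.Security.Principal.NTAccount]$MachineAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Resolution 2: is the machine account a direct member of local Administrators?
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
# Membership through a nested domain group (resolution 1) appears here as that
# group, not as the machine account, so list the members to review it.
$adminMembers = Get-LocalGroupMember -SID 'S-1-5-32-544'
$isDirectAdmin = [bool]($adminMembers | Where-Object { $_.SID.Value -eq $sid.Value })

# Resolution 3: which explicit or inherited ACEs on System32 name the account?
$acl  = Get-Acl -LiteralPath $system32
$aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value }

# Emit one object that can be saved (for example with Export-Clixml) and
# compared against a second run after the installation.
[pscustomobject]@{
    MachineAccount       = $MachineAccount
    Sid                  = $sid.Value
    DirectLocalAdmin     = $isDirectAdmin
    LocalAdminMembers    = @($adminMembers | ForEach-Object { $_.Name })
    System32Owner        = $acl.Owner
    System32AcesForAcct  = @($aces | ForEach-Object {
        '{0} {1} (inherited={2})' -f $_.AccessControlType, $_.FileSystemRights, $_.IsInherited
    })
}
```

An empty System32AcesForAcct together with DirectLocalAdmin = False matches the state described under CAUSE.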
ADDITIONAL INFORMATION
- Process Monitor Download: /en-us/sysinternals/downloads/procmon
- Windows Installer Verbose Log: https://support.microsoft.com/en-us/help/223300/how-to-enable-windows-installer-logging
- Additional Installation Documents
- FIM Installation Companion - Service Principle Names (SPNs): https://social.technet.microsoft.com/wiki/contents/articles/10818.fim-installation-companion-service-principle-names-spns.aspx
- FIM Installation Companion: Accounts: https://social.technet.microsoft.com/wiki/contents/articles/7222.fim-2010-installation-companion-accounts.aspx