KB938627 - When you try to install Microsoft System Center Operations Manager 2007 Reporting, the installation is unsuccessful

KB938627 has been released https://support.microsoft.com/kb/938627/en-us

 

 

SYMPTOMS

When you try to install the Microsoft System Center Operations Manager 2007 Reporting feature, the installation is unsuccessful. When this problem occurs, the Operations Manager event log may contain the following error message:

Date: date
Source: OpsMgr SDK Service
Time: time
Category: None
Type: Error
Event ID: 26319
User: N/A
Computer: Computername
Description: An exception was thrown while processing GetUserRolesForOperationAndUser for session id uuid:UUID. Exception Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Full Exception: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at Microsoft.Interop.Security.AzRoles.IAzApplication2.InitializeClientContextFromStringSid(String SidString, Int32 lOptions, Object varReserved)
   at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AzManHelper.GetScopedRoleAssignmentsForUser(IList`1 roleNames, String userName)
   at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AuthManager.GetUserRolesForOperationAndUser(Guid operationId, String userName)
   at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccess.GetUserRolesForOperationAndUser(Guid operationId, String userName)
   at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessTieringWrapper.GetUserRolesForOperationAndUser(Guid operationId, String userName)
   at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessExceptionTracingWrapper.GetUserRolesForOperationAndUser(Guid operationId, String userName)

 

CAUSE

This problem occurs when the SDK service account does not have read access to the tokenGroupsGlobalAndUniversal attribute. The SDK service's authorization manager requires this access to determine the security groups to which a user belongs.
This problem occurs if one of the following conditions is true:


You install the Operations Manager 2007 Reporting feature in a Windows Server 2003 domain environment, and the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option is enabled.


You install the Operations Manager 2007 Reporting feature in a Windows 2000 domain environment, and the Permissions compatible only with Windows 2000 servers option is enabled.

 

RESOLUTION

To resolve this problem, add the SDK service account to the Windows Authorization Access group. To do this, follow these steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In Active Directory Users and Computers, click Builtin, and then double-click Windows Authorization Access Group.

3. Click the Members tab, and then add the SDK service account to the members list.
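
The same three steps can be scripted so that the change is idempotent and the resulting membership can be reviewed. This is an added example, not part of the KB article. It assumes the ActiveDirectory PowerShell module is available on the administrative workstation and that the SDK service account is a domain user account; the `SdkServiceAccount` parameter name is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the KB article): scripted form of the GUI steps above.
# Assumption: the SDK service account is a domain user; pass its sAMAccountName.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SdkServiceAccount
)

# BUILTIN\Windows Authorization Access Group has the well-known SID S-1-5-32-560.
# Resolving it by SID avoids depending on a localized or renamed group.
$groupSid = 'S-1-5-32-560'
$group    = Get-ADGroup -Identity $groupSid -Properties member
$account  = Get-ADUser  -Identity $SdkServiceAccount

# Compare against the group's direct 'member' values (distinguished names),
# which is what the Members tab displays.
if ($group.member -contains $account.DistinguishedName) {
    Write-Output "$($account.SamAccountName) is already a member of '$($group.Name)'."
}
elseif ($PSCmdlet.ShouldProcess($group.Name, "Add $($account.SamAccountName)")) {
    Add-ADGroupMember -Identity $group -Members $account
    Write-Output "Added $($account.SamAccountName) to '$($group.Name)'."
}

# Re-read the group and list its direct members so the change can be verified
# and any unexpectedly broad principals in the group can be spotted.
(Get-ADGroup -Identity $groupSid -Properties member).member | Sort-Object
```

Run it with `-WhatIf` first to see the change without applying it. The SDK service may need to be restarted before it picks up the new group membership in its access token.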

 

MORE INFORMATION

By default, if the Permissions compatible with pre-Windows 2000 servers option is enabled when the domain is created, every member of the domain is added to the Pre-Windows 2000 Compatible Access group. In this situation, the Pre-Windows 2000 Compatible Access group has read access to the tokenGroupsGlobalAndUniversal attribute. Therefore, no action is required unless the Pre-Windows 2000 Compatible Access group name is manually changed.
For more information about this problem, click the following article number to view the article in the Microsoft Knowledge Base:

331951 (https://support.microsoft.com/kb/331951/) Some applications and APIs require access to authorization information on account objects