OCS 2007 R2 Group Chat on Windows Server 2008

Recently I worked with a customer who was trying to install OCS 2007 R2 Group Chat on a member server running Windows Server 2008.  Each time the customer launched ServerSetup.EXE to install Group Chat, he encountered error 0x80070005 (Access is Denied) while binding to the IIS metabase path IIS://localhost/W3SVC/1, as shown in the following screenshot:




The user account used to install Group Chat should meet the following criteria:

  • Member of the Domain Admins Group
  • Member of local Administrators Group
  • Member of RTCUniversalServerAdmins Group

Additionally, the computer should meet the following prerequisites before installing Group Chat:

Microsoft .NET Framework 3.0

Manages the execution of the program. During the installation of Group Chat, if this version or a later version of the software is not already installed on the computer, Group Chat installs it.

Internet Information Services (IIS)

Hosts the Web Service for the purpose of posting files to chat rooms. Windows Server 2008 users must enable the IIS 6.0 Compatibility feature.


Used to build dynamic Web sites, Web applications, and XML Web services. ASP.NET 2.0 is a Web application.

Message Queuing

Used by the Group Chat Compliance service, if deployed.

Microsoft Web Services Enhancements (WSE) 3.0

Implements additional Web service specifications in areas including security, reliable messaging, and sending attachments. WSE is required on the Group Chat Server only, not the Compliance service. WSE is an add-on to the .NET Framework.

Even after meeting these requirements, you may still encounter this error during Group Chat setup.  During installation, a new virtual directory called MGCWebService is created under the Default Web Site in IIS.  For this task to succeed, the SeImpersonatePrivilege is required.  On a Windows 2008 computer, this privilege is automatically granted in the security token of the Domain\Administrator account (Built-in account for administering the computer/domain), but not for other members of Domain Admins.  To prove this we can use the Whoami utility.


Whoami.exe /all (logged in as a member of Domain Admins)

Privilege Name                Description                          State  
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled


Whoami.exe /all (logged in as Domain\Administrator)

Privilege Name                  Description                               State  
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

Here you can see that the SeImpersonatePrivilege right is clearly missing in the security token of the Domain Admin account.  Without this privilege, Group Chat setup will fail.  To work around this problem, launch ServerSetup.EXE with elevated privileges (Run as Administrator) or log on using the Domain\Administrator account and launch Group Chat setup.


-- Dave

Skip to main content