Support-Info: (INSTALLATION): Exception has been thrown by the target of an invocation. System.UnauthorizedAccessException: Access is denied.

PRODUCTS INVOLVED

  • Microsoft Identity Manager 2016 Service Pack 1 (4.4.1302.0)
    • Service and Portal Installation

PROBLEM SCENARIO DESCRIPTION

  • Attempting to install the Service and Portal, it rolls back just after the copying new files process in the installation. Review of the Windows Installer Verbose Log shows the below exception.

LOGGING TOOLS

Here are the logging tools I utilized to assist in troubleshooting this issue.

  • Windows Installer Verbose Log
NOTE How to get a windows installer verbose log? 1. Open an administrative command prompt and navigate to the installation media 2. Execute the following command-line: msiexec /iI”Service and Portal.msi” /l*v myinstalllog.txt https://support.microsoft.com/en-us/help/223300/how-to-enable-windows-installer-logging

WINDOWS INSTALLER VERBOSE LOG

Exception thrown by custom action:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> System.UnauthorizedAccessException: Access is denied.

at System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsContainer.GetObject(String className, String relativeName)

at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)

at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.ChangeUserMembershipInGroup(Session session, Boolean addUser)

— End of inner exception stack trace —

at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)

at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)

at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)

at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)

CustomAction AddServiceToPerformanceMonitors returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

PROCESS MONITOR LOG

  • You will notice in the process monitor log “ACCESS DENIED” results on the %Windir%\System32 folder.

2:38:58.2013136 PM        msiexec.exe        6724        CreateFile        C:\Windows\System32        ACCESS DENIED        Desired Access: Write DAC, Write Owner, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a        00000000:000003e7        8092        620

2:38:58.2038367 PM        msiexec.exe        6724        CreateFile        C:\Windows\System32        ACCESS DENIED        Desired Access: Write DAC, Write Owner, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a        00000000:000003e7        8092        620

CAUSE

  • The machine account needs access to the %windir%\System32 folder

RESOLUTION

  • The resolution here can be a couple different methods
1 Add the machine account that you are installing the Service and Portal on to the Domain Admins, which should in theory make it part of the Local Administrators group if Domain Admins is listed there. You will need to reboot the machine
2 Add the machine account that you are installing the Service and Portal on, to the Local Administrators group. You will need to reboot the machine.
3 Provide the machine account with Full Control to the %windir%\System32 folder

ADDITIONAL INFORMATION