SeSecurityPrivilege access is denied

By | June 17, 2011


http://support.microsoft.com/kb/314294

Z:\MSExchange2003Enterprise\SUPPORT\EXDEPLOY>POLICYTEST.EXE

This tool will check every domain controller in the local domain to see if the “Manage auditing and security logs” privilege granted to the  Exchange Enterprise Servers” group by DomainPrep has replicated to that DC.  If the policy change has not yet replicated to all DCs, then you should avoid making policy changes on any DC that has not received those changes yet.

You must have Domain Admin rights to run this tool successfully.  If you see an error that says:   !! LsaEnumerateAccountRights returned error 5 !! then you don’t have permission to open the LSA on the given DC.
===============================================
Local domain is “magwinya.lan” (magwinya)
Account is “magwinya\Exchange Enterprise Servers”
========================
  DC      = “ESG_CEN14”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_CEN16”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_CEN18”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_DC01”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_DC02”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!

To resolve this, I followed the steps below:

Start the Active Directory Users and Computers snap-in.
Right-click the Domain Controllers container, and then click Properties.
Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment. In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group. In the Add user or group dialog box, click OK. Then, click OK.
Quit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.

NB: Interestingly,

Z:\MSExchange2003Enterprise\SUPPORT\EXDEPLOY>POLICYTEST.EXE

This tool will check every domain controller in the local domain to see if the “Manage auditing and security logs” privilege granted to the  Exchange Enterprise Servers” group by DomainPrep has replicated to that DC.  If the policy change has not yet replicated to all DCs, then you should avoid making policy changes on any DC that has not received those changes yet.

You must have Domain Admin rights to run this tool successfully.  If you see an error that says:   !! LsaEnumerateAccountRights returned error 5 !! then you don’t have permission to open the LSA on the given DC.
===============================================
Local domain is “magwinya.lan” (magwinya)
Account is “magwinya\Exchange Enterprise Servers”
========================
  DC      = “ESG_CEN14”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_CEN16”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_CEN18”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_DC01”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_DC02”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
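
With many domain controllers, the per-DC blocks are easier to check mechanically than by eye. The following is an added example, not part of the original post and not part of PolicyTest: a small Python parser for output in the layout shown above that lists every DC where the right is not confirmed. The sample text and DC names are constructed, and the position of the "error 5" line inside a DC block is an assumption.

```python
import re

# Constructed sample in the layout PolicyTest prints above; DC names are made up.
# Where the "error 5" line lands inside a DC block is an assumption.
SAMPLE = '''\
Local domain is "example.lan" (example)
Account is "example\\Exchange Enterprise Servers"
========================
  DC      = "DC-A"
  In site = "Default-First-Site-Name"
  Right found:  "SeSecurityPrivilege"
========================
  DC      = "DC-B"
  In site = "Default-First-Site-Name"
  !!! Right NOT found !!!
========================
  DC      = "DC-C"
  In site = "Default-First-Site-Name"
  !! LsaEnumerateAccountRights returned error 5 !!
'''

QUOTED = r'[“"”]([^“"”]*)[“"”]'  # accept straight or typographic quotes
DC_RE = re.compile(r'^\s*DC\s*=\s*' + QUOTED)
FOUND_RE = re.compile(r'Right found:\s*' + QUOTED)
ERROR_RE = re.compile(r'LsaEnumerateAccountRights returned error (\d+)')


def parse_policytest(text, right="SeSecurityPrivilege"):
    """Return {dc_name: status}; status is 'found', 'missing', 'error <n>' or 'unknown'."""
    results, current = {}, None
    for line in text.splitlines():
        m = DC_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = "unknown"  # until a result line is seen
            continue
        if current is None:
            continue  # banner and domain header before the first DC block
        if "Right NOT found" in line:
            results[current] = "missing"
        elif (m := FOUND_RE.search(line)):
            if m.group(1) == right:  # a different right does not satisfy the check
                results[current] = "found"
        elif (m := ERROR_RE.search(line)):
            results[current] = "error " + m.group(1)  # e.g. 5 = access denied
    return results


def dcs_needing_attention(text):
    """DCs where the right is not confirmed: missing, unreadable, or no result line."""
    return sorted(dc for dc, s in parse_policytest(text).items() if s != "found")
```

Redirect the tool's output to a file and pass its contents to `dcs_needing_attention`; an empty list means every DC reported the right.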