Exchange 2007 Install Error : Read Security Descriptor
Hello, I'm attempting to install Ex2007 x64 on a Windows 2003 SP1 x64 system and am receiving this error: You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=robinwoodcentral,DC=net. The snippet below is from the logfile on my last attempt. Any ideas? Thanks, Sonny
[2/11/2007 9:34:53 PM] [2] Adding access control entries to security descriptor for object CN=Sites,CN=Configuration,DC=robinwoodcentral,DC=net.
[2/11/2007 9:34:53 PM] [2] Appropriate ACE is already present on object "CN=Sites,CN=Configuration,DC=robinwoodcentral,DC=net" for account "ROBINWOODCNTRL\Exchange Organization Administrators".
[2/11/2007 9:34:53 PM] [2] Appropriate ACE is already present on object "CN=Sites,CN=Configuration,DC=robinwoodcentral,DC=net" for account "ROBINWOODCNTRL\Exchange Organization Administrators".
[2/11/2007 9:34:53 PM] [2] Appropriate ACE is already present on object "CN=Sites,CN=Configuration,DC=robinwoodcentral,DC=net" for account "ROBINWOODCNTRL\Exchange Organization Administrators".
[2/11/2007 9:34:53 PM] [2] Appropriate ACE is already present on object "CN=Sites,CN=Configuration,DC=robinwoodcentral,DC=net" for account "ROBINWOODCNTRL\Exchange Organization Administrators".
[2/11/2007 9:34:53 PM] [2] Adding access control entries to security descriptor for object CN=Deleted Objects,CN=Configuration,DC=robinwoodcentral,DC=net.
[2/11/2007 9:34:53 PM] [2] [ERROR] You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=robinwoodcentral,DC=net.
[2/11/2007 9:34:53 PM] [2] Ending processing.
[2/11/2007 9:34:53 PM] [1] The following 1 error(s) occurred during task execution:
[2/11/2007 9:34:53 PM] [1] 0. ErrorRecord: You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=robinwoodcentral,DC=net.
[2/11/2007 9:34:53 PM] [1] 0. ErrorRecord: Microsoft.Exchange.Management.Tasks.SecurityDescriptorAccessDeniedException: You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=robinwoodcentral,DC=net.
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.ApplyAcesOnSd(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, TaskErrorLoggingDelegate errorLogger, ADObjectId id, RawSecurityDescriptor rsd, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, TaskErrorLoggingDelegate errorLogger, ADSession session, ADObjectId id, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.InitializeConfigPermissions.SetDeletedObjectsSecurityDescriptor(SecurityIdentifier sid, ActiveDirectoryRights adr)
   at Microsoft.Exchange.Management.Tasks.InitializeConfigPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[2/11/2007 9:34:53 PM] [1] [ERROR] You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=robinwoodcentral,DC=net.
[2/11/2007 9:34:53 PM] [1] Setup is halting task execution because of one or more errors in a critical task.
[2/11/2007 9:34:53 PM] [1] Finished executing component tasks.
February 12th, 2007 8:43am

Try and start the Exchange installation from d:\setup.com (where d: is your CD-ROM). Regards, Finn
February 15th, 2007 2:05pm

I had the same problem when running "preparead" from a Remote Desktop session. After logging on to mstsc /console it worked fine. "preparelegacy..." and "prepareschema" worked fine from a normal RD session, funny enough. /Christian
February 23rd, 2007 12:09am

I came across the same situation. I took your advice and performed the install from the console and things worked fine. Thank you for the post.
April 25th, 2007 7:36pm

I also get this error: You do not have permissions to read the security descriptor on DC=<domain>,DC=<xxxx>,DC=<de> I started setup /PrepareAD from console but this did not help in my case! This is my log entry:
[26.04.2007 08:36:31] [1] Processing component 'Legacy Global AD Configuration' (Vorbereiten der Legacygesamtstruktur.).
[26.04.2007 08:36:31] [1] Executing 'if ($RoleDomain -ne $null) { initialize-ExchangeLegacyPermissions -Domain $RoleDomain -DomainController $RoleDomainController; } else { initialize-ExchangeLegacyPermissions -AllDomainstrue -DomainController $RoleDomainController; }', handleError = False
[26.04.2007 08:36:31] [2] Launching sub-task '$error.Clear(); if ($RoleDomain -ne $null) { initialize-ExchangeLegacyPermissions -Domain $RoleDomain -DomainController $RoleDomainController; } else { initialize-ExchangeLegacyPermissions -AllDomainstrue -DomainController $RoleDomainController; }'.
[26.04.2007 08:36:31] [2] Beginning processing.
[26.04.2007 08:36:31] [2] Used domain controller <xxx> to read object DC=<xxx>,DC=de
[26.04.2007 08:36:31] [2] Used domain controller <xxx> to read object CN=<xxx>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<xxx>,DC=de
[26.04.2007 08:36:31] [2] [ERROR] You do not have permissions to read the security descriptor on DC=<xxx>,DC=<xxx>,DC=de.
[26.04.2007 08:36:31] [2] Ending processing.
[26.04.2007 08:36:31] [1] The following 1 error(s) occurred during task execution:
[26.04.2007 08:36:31] [1] 0. ErrorRecord: You do not have permissions to read the security descriptor on DC=<xxx>,DC=<xxx>,DC=de.
[26.04.2007 08:36:31] [1] 0. ErrorRecord: Microsoft.Exchange.Management.Tasks.SecurityDescriptorAccessDeniedException: You do not have permissions to read the security descriptor on DC=<xxx>,DC=<xxx>,DC=de.
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.FindAces(ADObjectId id, RawSecurityDescriptor rsd, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.InitializeExchangeLegacyPermissions.IsDomainSetupNeeded(ADObjectId domainId)
   at Microsoft.Exchange.Management.Tasks.DomainSetupTaskBase.InternalValidate()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[26.04.2007 08:36:31] [1] [ERROR] You do not have permissions to read the security descriptor on DC=<xxx>,DC=<xxx>,DC=de.
[26.04.2007 08:36:31] [1] Setup is halting task execution because of one or more errors in a critical task.
[26.04.2007 08:36:31] [1] Finished executing component tasks.
[26.04.2007 08:36:31] [1] Ending processing.
[26.04.2007 08:36:31] [0] The Exchange Server setup operation did not complete. Visit http://support.microsoft.com and enter the Error ID to find more information.
[26.04.2007 08:36:31] [0] End of Setup
[26.04.2007 08:36:31] [0] **********************************************
regards Michael
April 26th, 2007 9:55am
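
Added example, not part of any post in this thread: a small triage script for the setup log format quoted in the first post and in Michael's post above. It splits run-together entries and reports which directory object could not be read and which setup task needed the read. The function names `split_entries` and `triage` are hypothetical, the sample is constructed, and the rule for picking the task frame is an assumption based on the two stack traces shown here.

```python
import re

# Constructed sample: entries abridged from the first log quoted in this thread,
# run together on one line the way the forum rendered them.
SAMPLE = (
    "[2/11/2007 9:34:53 PM] [2] Adding access control entries to security descriptor "
    "for object CN=Deleted Objects,CN=Configuration,DC=robinwoodcentral,DC=net."
    "[2/11/2007 9:34:53 PM] [2] [ERROR] You do not have permissions to read the security "
    "descriptor on CN=Deleted Objects,CN=Configuration,DC=robinwoodcentral,DC=net."
    "[2/11/2007 9:34:53 PM] [1] 0. ErrorRecord: Microsoft.Exchange.Management.Tasks."
    "SecurityDescriptorAccessDeniedException: You do not have permissions to read the "
    "security descriptor on CN=Deleted Objects,CN=Configuration,DC=robinwoodcentral,DC=net. "
    "at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(ADSession session, "
    "ADObjectId id, Boolean remove, ActiveDirectoryAccessRule[] aces) "
    "at Microsoft.Exchange.Management.Tasks.InitializeConfigPermissions."
    "SetDeletedObjectsSecurityDescriptor(SecurityIdentifier sid, ActiveDirectoryRights adr)"
    "[2/11/2007 9:34:53 PM] [1] Finished executing component tasks."
)

# Entry header: "[date time] [level] ", in the US or the German date format seen above.
ENTRY = re.compile(
    r"\[(\d{1,2}[./]\d{1,2}[./]\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?)\] \[(\d)\] ?")
DENIED = re.compile(
    r"^\[ERROR\] You do not have permissions to read the security descriptor on (.+)\.$")
FRAME = re.compile(r"\bat (Microsoft\.Exchange\.[\w.]+)\(")

def split_entries(text):
    """Split run-together log text into (timestamp, level, message) tuples."""
    parts = ENTRY.split(text)  # [prefix, ts, level, msg, ts, level, msg, ...]
    return [(parts[i], int(parts[i + 1]), parts[i + 2].strip())
            for i in range(1, len(parts), 3)]

def triage(text):
    """Return the objects whose security descriptor was unreadable and the task frame."""
    objects, task = [], None
    for _ts, _level, msg in split_entries(text):
        m = DENIED.search(msg)
        if m and m.group(1) not in objects:
            objects.append(m.group(1))
        if task is None:
            # Assumption: DirectoryCommon frames are shared helpers, so the first
            # frame outside that class names the setup task that needed the read.
            frames = [f for f in FRAME.findall(msg) if ".DirectoryCommon." not in f]
            task = frames[0] if frames else None
    return {"objects": objects, "task": task}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
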

Just had the same problem and running setup again from the console sorted it......many thanks. Russell
June 1st, 2007 7:32pm

Hey guys - this worked for me: I first ran the Setup from the X: drive (cd-rom drive) then I changed the drive letter to E: and it worked like a charm! I can't believe that this should be an issue in 2007!! Anyways, I'm happy it all went (almost) according to plan... Code Snippet Error: You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=testdomain,DC=local. Hope this helps a few fellow IT specialists in their Exchange 2007 setup environment... Regards, Satheesh Varadharajan www.satheesh.net
July 13th, 2007 11:32am

May I also thank MS for that T-Sandwich. I also had to change the CD drive letter to E and the same error went away... Is this 3.1 or 2k3 SP2 R2 x64?????
August 5th, 2007 3:42am

I think you got this error because of directory replication latency. http://technet.microsoft.com/en-us/library/bb288907.aspx
August 5th, 2007 11:34am

Thanks for the reply! Although that may have been the case, this is unlikely. The domain had replicated and the top level domains were able to access the configuration screens... it sounds like this may be a bug in the installer for certain systems? Could it be an issue with multiple CD drives on a server? Thanks again! Brad
August 6th, 2007 10:30pm

Bradley Johnson wrote:
"May I also thank MS for that T-Sandwich. I also had to change the CD drive letter to E and the same error went away... Is this 3.1 or 2k3 SP2 R2 x64?????"
Me too solved the installation procedure by mapping the network DVD-Drive to E: instead of installing directly from the UNC path...
September 7th, 2007 4:27pm

Thanks for the tip! Changing the dvd rom drive letter to E: worked! Thanks Again! Nate Dell MCSE CCNP
September 11th, 2007 3:00am

You guys rock. It worked once I changed the CD\DVD drive to drive E:. I was running it from Drive D: CD\DVD drive letter. Thanks
January 10th, 2008 3:12am

Hi, I already had the CD/DVD drive mapped to E: and I still got the error message during the installation, but I tried running the installation again without making any changes and then it worked just fine.
January 28th, 2008 11:22am

I also already had my CD/DVD drive as E:, and after re-running setup (from the command line, both times, same command), it worked fine. Thanks Microsoft!
February 6th, 2008 5:32pm

I also had the same problem... And my CD/DVD drive was already E:. After reading this article, I re-ran the same command script as I had before, and it worked fine. Thanks Microsoft!
February 6th, 2008 5:34pm

The whole thing is that Active Directory synchronisation didn't happen the first time; now it did and everything works...
March 17th, 2008 8:06pm

Glad I came across this....was trying to install e2007 from a folder on D:. I shared it out and mapped the drive to E: and now all is peachy... Thanks Microsoft!
June 29th, 2008 7:57am

LOL same fix worked here too. Was installing it off of the CDROM D: so I shared it out and mapped it as E: and now it installed fine. How retarded really!
September 2nd, 2008 2:50am

The CD/DVD drive bit made no difference for me. I did stumble upon this article which allows you to take ownership of the object that it complains about. That does fix it and it installed perfectly. http://www.capslockassassin.com/2008/09/09/security-descriptor-error-during-exchange-server-2007-schema-extension/
October 2nd, 2008 8:42pm

Thank you very much! Changing Drive Letter from D to E and restarting Worked. LONG LIVE MICROSOFT Hahaha Thanks for the post!
June 25th, 2009 7:47am

Same issue. Checked this. I was originally trying to install from an ISO folder as well as local copy installation. Just had to change the cdrom to a different drive letter, share out the installation folder on the server, map E: to the shared installation folder, re-run the setup from E: and everything was good to go. Thanks for all of the posts...
September 26th, 2009 1:42am

Just had the same problem. I exited the setup and started it again, and it went fine the 2nd time. Don't think changing the cd/dvd drive mapping has anything to do with anything. Just try again. Ole Drews Jensen MCSE/MCP+I/CCNP
July 13th, 2010 10:13pm

Yes, u r right. I restarted my Exchange 2007 installation and it went fine. I was installing via the exchange2007 SP1 installer file. Thus i couldn't even change Drive name. :-)
September 10th, 2010 9:09am

This topic is archived. No further replies will be accepted.
