add-tpmselfwriteace.vbs and a constraint error & BitLocker trouble.
Hello,

I am trying to run the script add-tpmselfwriteace.vbs and receiving an error message:

(120,1) Active Directory: A constraint violation occured.

I am running it on a Windows Server 2008 R2 machine. I am logged in as a domain admin account which I believe has all the necessary permissions (enterprise, domain, schema, admin rights).

I'm not sure where to go with this one. I know I need to run the script because I can't back up TPM info to Active Directory. When I try to enable BitLocker I get an error that access is denied when I am at the "initializing TPM" step. The event log on the client says it failed to back up TPM Owner Authorization information to Active Directory. All 3 of my domain controllers are Windows Server 2008 R2. My domain function level is still Windows 2003.

Any suggestions would be appreciated.

Thanks
January 18th, 2010 8:23pm

Just to add... I searched for add-tpmselfwriteace.vbs and constraint violation in Google and got absolutely nothing. Not even a single hit.
January 18th, 2010 8:33pm

If anyone has some information on how I can just manually add the correct permission using ADSI Edit, I'll take that as well.

Thanks
January 18th, 2010 8:51pm

ZackinMA,

This isn't the correct forum to ask this kind of a question. It is for IT Manager discussions (people management, IT planning, etc.). I've moved this thread to another TechNet forum that might be a little better suited for this, but you probably should check out the MSDN forums also.

-Kevin

Kevin Remde
US IT Evangelism - Microsoft Corporation
http://blogs.technet.com/kevinremde
January 19th, 2010 4:50pm

I'm fairly certain that you don't need to run that script on an R2 domain. You can check the ACL on the domain object through Active Directory Users and Computers. There should be 2 SELF entries in Advanced, one of which should be the TPM ACE.

What is the full error message you're getting in the event log?

Paul Adare
CTO IdentIT Inc.
ILM MVP
January 19th, 2010 6:00pm
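
The ACL check suggested in the reply above can also be scripted. This PowerShell is an added example, not part of the original thread or of Microsoft's script; it assumes the ActiveDirectory module (RSAT) is installed, an English-language SELF principal name, and that the TPM ACE is the SELF write-property grant on the `msTPM-OwnerInformation` attribute.

```powershell
# Added example: list SELF write ACEs for the TPM owner-information attribute
# on the domain object. Read-only; makes no changes to the directory.
Import-Module ActiveDirectory

# Assumption: the TPM backup ACE targets this attribute.
$attrName = 'msTPM-OwnerInformation'

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Resolve the attribute's schemaIDGUID from the live schema instead of hardcoding it.
$attr = Get-ADObject -SearchBase $schemaNC `
                     -LDAPFilter "(lDAPDisplayName=$attrName)" `
                     -Properties schemaIDGUID
if (-not $attr) {
    throw "Attribute $attrName not found in schema; the BitLocker/TPM schema extensions are missing."
}
$attrGuid = [guid]$attr.schemaIDGUID

# Read the DACL on the domain object through the AD: drive.
$acl = Get-Acl -Path "AD:\$domainDN"

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$tpmAces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $attrGuid -and
    ($_.ActiveDirectoryRights -band $writeProp)
})

if ($tpmAces.Count -eq 0) {
    Write-Warning "No SELF WriteProperty ACE for $attrName on $domainDN."
} else {
    # InheritedObjectType shows which object class the ACE applies to.
    $tpmAces | Format-List IdentityReference, ActiveDirectoryRights,
                           InheritanceType, InheritedObjectType, IsInherited
}
```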

I discovered that you need to run the script adding the permissions as an administrator. I did right click and selected "run as" and entered domain admin credentials. This did not work. However, when I right clicked and just selected "run as administrator", it worked. I was logged in as a domain admin. I don't know why one method worked and the other did not, but that was the case. In any case the issue is resolved. I hope this post helps others in the future.
February 2nd, 2010 12:28am

This topic is archived. No further replies will be accepted.
