When trying to launch, the error "Project CN=Project_Name does not exist" is generated. When an attempt is made to connect to the Configuration context of ADAM using ADAM ADSIEdit, the error "The directory property cannot be found in the cache" is displayed. At the same time, connections to the Schema and RootDSE contexts are successful, the ADAM service has been confirmed to be running and the project is located within this ADAM instance.
In most cases this indicates a permission-related issue. The logged-in account has not been given any roles for this ADAM instance or the project partition within this instance.
In order to be able to open the ADAM Project and make any changes, the logged-in account must have at least one of the following types of access configured:
I. Administrator rights on the ADAM instance level (this will be inherited down to the project level)
1. Connect to ADAM instance, Configuration context with ADSIEdit.
2. Drill down to CN=Configuration, CN=Roles, CN=Administrators
3. Right click - Properties. Select Member attribute and click Edit.
4. By default the account that was initially used to install ADAM instance is listed. More accounts or even AD groups can be added.
OR
II. Full Admin rights on the project level.
1. Open your project in console.
2. Right click on the very top level - Delegate.
3. Add needed account with Full Admin rights.
In this case you will still not be able to see Configuration context in ADSIEdit but will have Full control over your QMM project partition. This is similar to delegated rights over an OU in Active Directory.
If it is not possible to determine which account has Administrative rights over a particular ADAM instance, the following approaches can be used:
- Review local Windows profiles under Documents and Settings (Users folder on Vista, Windows 7 and 2008 Server operating systems) on the machine where ADAM is installed. One of these accounts was originally used to install ADAM and as such was automatically granted Full ADAM Admin access.
- Refer to the following Microsoft KB article, which explains how to gain ownership back (in other words, how to take over an ADAM instance when access is lost, for example when the user who originally installed ADAM is no longer available). This procedure essentially takes ownership of the ADAM Configuration container and assigns the required level of rights, which is possible when you have local administrative access to the server where the ADAM instance runs: Not able to browse Application or Directory Partitions in ADAM - http://support.microsoft.com/kb/958973
Using ADAM LDP.exe (Start | Programs | ADAM | ADAM Tools Command Prompt)
Note: You must use the ADAM version of LDP (1.1.3790.2075 or later version).
1. Connect to the console (ADAM default location) on port 389 (or port 50000) and then Bind as "currently logged on user". (No need to have Admin rights in ADAM, just local Administrative access)
2. Click on View, select Tree, and then select the partition on which you want to assign permission. For example: CN=Configuration,CN={30C8CC67-9984-41B7-AEA0-E00DFE20F9B6}.
3. In the left hand window of LDP.exe, right click on Configuration Container | Advanced | Security Descriptor. A Security Descriptor Window will appear with DN attribute and the value would be the partition you selected above in 2, for example CN=Configuration,CN={30C8CC67-9984-41B7-AEA0-E00DFE20F9B6}.
4. Click OK and the Security descriptor window for the partition from above will open.
5. In the Owner field (contains NULL or something like "Unknown SID [S-1-391170883-2126081050-519]") enter the user account name that you are currently running as. Make sure the checkbox for Update Owner (at bottom) is checked, click Update, and then click Close (the window may close automatically).
6. Right click on Configuration Container | Advanced | Security Descriptor. A Security Descriptor Window will appear with DN attribute and the value would be the partition you selected earlier.
7. Click OK and the Security descriptor window for the partition from above will open.
8. Click on a DACL in the list in the middle of the window, and then click on Add ACE. An ACE window will pop up. In Trustee:, enter the account name to which you want to assign permission.
9. Check all the checkboxes in Access mask, and the Inherit ACE flag and then click OK. The ACE window will close.
10. Click on Update and then click Close (the window may close when Update is clicked).
11. Start ADAM ADSI Edit (Start | Programs | ADAM | ADAM ADSI Edit). In the left hand window right click on ADAM ADSI Edit and select "connect to...". Make sure the Connection Settings are pointing to the ADAM server and that Configuration is displayed in "Well-known naming context:", and then select OK. Expand My Connection and the container CN=Configuration,CN={30C8CC67-9984-41B7-AEA0-E00DFE20F9B6} (from above) and then expand out Roles.
12. Click on Administrators, and then right click and select Properties.
13. Browse down through the attributes and select the member attribute and then click Edit.
14. Click Add Windows Account and enter a specific account or domain\administrators or both and then click OK.
15. Select Apply, then OK, then close ADSIEdit.
16. Go back in LDP, right click on Configuration Container | Advanced | Security Descriptor. A Security Descriptor Window will appear with DN attribute and the value would be the partition you selected earlier. Click on OK.
17. In the Security descriptor pop up window, the Group field should now be populated with:
CN=Administrators,CN=Roles,CN=Configuration,CN={GUID.EN}
18. Copy all the text in the Group field, and paste it into the Owner field (removing your account). Make sure the Update Owner checkbox is checked, click Update, and then click Close (the window may close when Update is clicked).
19. Right click on Configuration Container | Advanced | Security Descriptor. A Security Descriptor Window will appear with DN attribute and the value would be the partition you selected earlier. Click on OK.
20. Click on your user account in the DACL list, and click Delete ACE (you will have 2 entries, remove both)
21. Make sure that Update DACL is checked, and then click Update.
22. Close LDP, and reopen LDP. Connect and Bind.
23. Click on View, select Tree, and verify that you can access the configuration container and the application partition, for example: CN=QMMADProject. You should be able to browse into CN=AMMProject_A47ABFBE7C552E4792D3B88CAB176448,CN=QMMADProject. Be careful not to change anything, as this may destroy your project data.
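A read-only check to run after step 23, as an added example that is not part of the original article: it confirms that the temporary ownership (step 5) and the temporary full-access ACE (steps 8-9) granted to your own account were rolled back in steps 18-21, and lists who is now in the Administrators role. It assumes the instance listens on localhost:389; the GUID in `$ConfigDN` is a placeholder to replace with your instance's value, and the function name is hypothetical.

```powershell
# Added example: read-only audit of the ADAM Configuration partition.
# Assumptions: ADAM on localhost:389; the GUID below is a placeholder, not a real value.
function Get-AdamConfigAudit {
    param(
        [string]$Server   = 'localhost:389',
        [string]$ConfigDN = 'CN=Configuration,CN={INSTANCE-GUID-PLACEHOLDER}'
    )
    # ADAM role SIDs do not resolve to Windows account names, so compare raw SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

    # Binds as the currently logged-on user, like step 1 of the LDP procedure.
    $config = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$ConfigDN")
    $sd     = $config.ObjectSecurity
    $owner  = $sd.GetOwner($sidType)

    # Explicit (non-inherited) ACEs only: the ACE added in steps 8-9 is explicit.
    $mine = @($sd.GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $me.Value })

    # Members of the instance-level Administrators role (steps 11-14).
    $role    = New-Object System.DirectoryServices.DirectoryEntry(
                   "LDAP://$Server/CN=Administrators,CN=Roles,$ConfigDN")
    $members = @($role.Properties['member'] | ForEach-Object { [string]$_ })

    New-Object PSObject -Property @{
        OwnerSid              = $owner.Value
        OwnerIsCurrentUser    = ($owner.Value -eq $me.Value)
        LeftoverAces          = $mine
        AdministratorsMembers = $members
    }
}

$audit = Get-AdamConfigAudit
"Owner SID: $($audit.OwnerSid)"
if ($audit.OwnerIsCurrentUser) {
    Write-Warning 'Your account still owns the Configuration container (step 18 not applied).'
}
foreach ($ace in $audit.LeftoverAces) {
    Write-Warning ("Explicit ACE for your account remains: {0} {1} (steps 20-21 not applied)." -f
        $ace.AccessControlType, $ace.ActiveDirectoryRights)
}
'Administrators role members:'
$audit.AdministratorsMembers
```

The script changes nothing in the directory; any warning means the corresponding cleanup step should be repeated in LDP.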