JSI Tip 7746. Windows Messenger users cannot sign in to Microsoft Office Live Communications Server 2003?

Windows Messenger users cannot sign in to a Microsoft Office Live Communications Server 2003. The server's Application event log contains:

Event Source: Live Communications Active Directory Connector
Event Category: None
Event ID: 29
Time: HH:MM:SS
Event Type: Error
Computer: <ComputerName>
Description: Encountered an unknown failure while attempting to process a user entry. The entry came from naming context DC=contoso,DC=com. This error has caused the replication cycle to fail. It will be retried.
Diagnostic information:
User DN attribute value: CN=Guest,CN=Users,DC=contoso,DC=com
Guid Active Directory attribute name: objectGUID
Guid Active Directory attribute value: {A5E68767-26D9-4843-9B07-FDE285F87996}
The error occurred while processing attribute isDeleted. The description of the error that occurred is: Decoding Error (hr=0x8007003b).

This behavior occurs when the RTCHSDomainServices, RTCDomainServerAdmins, and RTCDomainUserAdmins groups have insufficient permissions on the user objects in Active Directory.

NOTE: If you removed permission inheritance from the domain container in Active Directory prior to installing the Live Communications Server, you will experience this behavior.

The minimum required permissions are:

Group name               Permission   Property name
RTCHSDomainServices      Read         RTCPropertySet
RTCHSDomainServices      Read         RTCUserSearchPropertySet
RTCDomainServerAdmins    Read         RTCPropertySet
RTCDomainServerAdmins    Write        RTCPropertySet
RTCDomainUserAdmins      Read         RTCPropertySet
RTCDomainUserAdmins      Write        RTCPropertySet
RTCDomainUserAdmins      Read         RTCUserSearchPropertySet
RTCDomainUserAdmins      Write        RTCUserSearchPropertySet
RTCDomainUserAdmins      Read         Public Information
RTCDomainUserAdmins      Write        Public Information

To resolve this behavior:

  1. Start / Run / adsiedit.msc / OK, where ADSI Edit is installed from the Support\Tools folder of the Windows Server 2003 CD.

  2. Expand the domain controller name.

  3. Right-click the container or OU where you want to assign permissions and press Properties.

  4. Select the Security tab and press Advanced.

  5. Press Add, type rtchsdomainservices, press Check Names, and press OK.

  6. In the Permission Entry for <Container or OU Name> box, select the Properties tab.

  7. In the Apply onto list, press User objects.

  8. In the Allow column, select the Read RTCPropertySet and Read RTCUserSearchPropertySet check boxes.

  9. Press OK.

  10. Press Add, type rtcdomainserveradmins, press Check Names, and press OK.

  11. Select the Properties tab, press User objects in the Apply onto list, check the Allow boxes for Read RTCPropertySet and Write RTCPropertySet.

  12. Press OK.

  13. Press Add, type rtcdomainuseradmins, press Check Names, and press OK.

  14. Select the Properties tab, press User objects in the Apply onto list, check the Allow boxes for Read Public Information, Write Public Information, Read RTCPropertySet, Write RTCPropertySet, Read RTCUserSearchPropertySet, and Write RTCUserSearchPropertySet.

  15. Press OK, OK, and OK to close all dialog boxes.

  16. NOTE: Repeat the above for any other containers or OUs that contain Live Communications Server users.
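
To confirm the result of the steps above on a given container or OU, the following PowerShell audit (an added example, not part of the original tip or of any Microsoft tool) reports which of the ten required entries are present as Allow ACEs that apply to user objects. Assumptions: `$TargetDn` is a placeholder, each property set is looked up by the name shown in the table (assumed to be its displayName under CN=Extended-Rights), and the user class GUID is the standard schemaIDGUID.

```powershell
# Placeholder DN: replace with a container or OU that holds Live Communications Server users.
$TargetDn = 'OU=LCSUsers,DC=contoso,DC=com'
# schemaIDGUID of the "user" class; "Apply onto: User objects" sets this as InheritedObjectType.
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Required rows (group | right | property set), copied from the table in this tip.
$Required = @(
    'RTCHSDomainServices|ReadProperty|RTCPropertySet'
    'RTCHSDomainServices|ReadProperty|RTCUserSearchPropertySet'
    'RTCDomainServerAdmins|ReadProperty|RTCPropertySet'
    'RTCDomainServerAdmins|WriteProperty|RTCPropertySet'
    'RTCDomainUserAdmins|ReadProperty|RTCPropertySet'
    'RTCDomainUserAdmins|WriteProperty|RTCPropertySet'
    'RTCDomainUserAdmins|ReadProperty|RTCUserSearchPropertySet'
    'RTCDomainUserAdmins|WriteProperty|RTCUserSearchPropertySet'
    'RTCDomainUserAdmins|ReadProperty|Public Information'
    'RTCDomainUserAdmins|WriteProperty|Public Information'
)

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext

# Resolve a property set's rightsGuid from its display name (assumption: matches the ACL editor label).
function Get-PropertySetGuid([string]$DisplayName) {
    $base     = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
    $filter   = "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $filter)
    $hit      = $searcher.FindOne()
    if (-not $hit) { throw "Property set '$DisplayName' not found in $configNc" }
    [Guid]$hit.Properties['rightsguid'][0]
}

# Read explicit and inherited ACEs, with trustees translated to DOMAIN\name form.
$entry = [ADSI]"LDAP://$TargetDn"
$aces  = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

foreach ($row in $Required) {
    $group, $right, $set = $row.Split('|')
    $setGuid = Get-PropertySetGuid $set
    $needed  = [System.DirectoryServices.ActiveDirectoryRights]$right
    $match = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$group" -and
        ($_.ActiveDirectoryRights -band $needed) -eq $needed -and
        $_.ObjectType -eq $setGuid -and
        $_.InheritedObjectType -eq $UserClassGuid
    }
    [pscustomobject]@{ Group = $group; Right = $right; PropertySet = $set; Present = [bool]$match }
}
```

A row with `Present` set to False means no ACE of exactly that shape exists on the container; broader grants (for example Full Control, or an ACE with no property set scope) are not counted by this check.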
