The Exchange server does not have the Audit Security privilege on a Domain Controller


Topic Last Modified: 2007-11-16

The Microsoft Exchange Server 2007 Management Pack for Microsoft Operations Manager (MOM) monitors the Windows Application log on computers that are running Exchange Server 2007 and generates this alert when the event or events specified in the following Details table are logged.

To learn more about this event, do one or more of the following:

  • Review the description of the event that includes the variables specific to your environment. From the MOM Operator Console, select this alert, and then click the Properties tab.

  • Review all events that have been logged that meet the criteria of this MOM alert. From the MOM Operator Console, click the Events tab, and then double-click the event in the list for which you want to review the event description.


Product Name:

Product Version: 8.0 (Exchange Server 2007)

Event ID:

Event Source: MSExchange ADAccess

Alert Type:

MOM Rule Path: Microsoft Exchange Server/Exchange 2007/Common Components/Active Directory Access

MOM Rule Name: The Exchange server does not have the Audit Security privilege on a domain controller. This privilege is used by ADAccess. Run the policytest.exe tool. See Microsoft KB 314294.

This Warning event indicates that the Exchange server specified in the event description does not have the Audit Security Privilege on the domain controller specified in the event description. DSAccess will not use the domain controller specified in the event description until this warning is fixed. The possible causes of this event include the following:

  • A recent permissions change removed the rights required for the Exchange Security Group to enable DSAccess to communicate with the Active Directory® directory service.

  • Exchange groups such as Exchange Servers and Exchange Enterprise Servers were moved out of the default Users container.

To resolve this warning, do one or more of the following:

  • Run the policytest.exe utility. This utility is located in the \i386\Server\Setup\ServerRoles\Common folder on the Microsoft Exchange Server CD. The policytest.exe utility produces a list of domain controllers and reports the presence or absence of the required privilege on these domain controllers.

    If policytest.exe reports that the required privileges are found on all domain controllers, review the System log on the domain controller to try to determine the root cause of this problem.

    If policytest.exe indicates that the required privileges are not present, do the following:

    1. Open the Default Domain Controllers Security Settings snap-in on the domain controller specified in the event description.

    2. In the console tree, under Security Settings, expand Local Policies, and then click User Rights Assignments.

    3. In the results pane, double-click Manage auditing and security log. Verify that both the Exchange Servers group and the Exchange Enterprise Servers group are listed.

  • Make sure that the Exchange server is still a member of the Exchange Domain Servers group. Also, make sure that the Exchange Domain Servers group is a member of the Exchange Enterprise Servers group.

  • Make sure that the group permissions are inherited by the Microsoft Exchange computer account.
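The check in step 3 can also be made from a user-rights export taken on the domain controller. The following is an added example, not code from Microsoft or from this article: it parses the [Privilege Rights] section of a secedit export and reports which required groups are missing from SeSecurityPrivilege (Manage auditing and security log). The function names, the file path in the comment, the sample export and the SIDs are assumptions constructed for illustration.

```powershell
# Added example, not Microsoft's code. On the DC, real input can be produced with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $infText = Get-Content C:\Temp\rights.inf -Raw
function Get-PrivilegeHolders {
    param([Parameter(Mandatory)][string]$InfText,
          [string]$Privilege = 'SeSecurityPrivilege')
    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {            # section header
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        # Entries are comma-separated; SIDs carry a leading '*'
        if ($inSection -and $line -match ('^' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$')) {
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # privilege is not assigned to anyone in this export
}

function Test-ExchangeAuditPrivilege {
    param([Parameter(Mandatory)][string]$InfText,
          [Parameter(Mandatory)][hashtable]$RequiredGroups)   # group name -> SID
    $holders = @(Get-PrivilegeHolders -InfText $InfText)
    foreach ($name in $RequiredGroups.Keys) {
        [pscustomobject]@{
            Group        = $name
            Sid          = $RequiredGroups[$name]
            HasPrivilege = ($holders -contains $RequiredGroups[$name]) -or ($holders -contains $name)
        }
    }
}

# Constructed sample export and constructed SIDs (not from a real domain).
$sampleInf = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
'@
$required = @{
    'Exchange Servers'            = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
    'Exchange Enterprise Servers' = 'S-1-5-21-1111111111-2222222222-3333333333-1106'
}
Test-ExchangeAuditPrivilege -InfText $sampleInf -RequiredGroups $required |
    Where-Object { -not $_.HasPrivilege }    # lists the groups that still need the right
```

On a real domain controller, replace the constructed SIDs with the values resolved for your own groups, for example through [System.Security.Principal.NTAccount] and its Translate method.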

For more information about Security Privilege issues and the policytest.exe tool, see Microsoft Knowledge Base article 314294, XADM: Exchange 2000 Error Messages Are Generated Because of SeSecurityPrivilege Right and Policytest Issues.

To search the Microsoft Knowledge Base articles based on criteria that generated this alert, visit the Search the Support Knowledge Base (KB) Web site.

To review Exchange 2007 event message articles that may not be represented by Exchange 2007 MOM alerts, see the Events and Errors Message Center.

If you are not already doing so, consider running the tools that Microsoft Exchange offers to help administrators analyze and troubleshoot their Exchange environment. These tools can help you make sure that your configuration is in line with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. Go to the Toolbox node of the Exchange Management Console to run these tools now. For more information about these tools, see Toolbox in the Exchange Server 2007 Help.