05-29-2006 08:55 AM - edited 03-18-2019 05:57 PM
Unity 4.05 - when in the SA, none of the support folks can view one specific Unity account. When I try to view the properties for this user specifically, I get an HTTP 403 Error - Forbidden. It states I do not have permission to view the directory or page. Funny thing is that I can open and view/edit any other user on this server. I have checked the advanced AD properties for this user and do not see anything out of the ordinary - has anyone run into this before, or any suggestion as to what I'm seeing (or not seeing)? Thanks. User is working fine.
05-30-2006 04:29 AM
I have noticed in the event logs that the CSA is preventing access to this user in the SA - when I stop the CSA, I can view this user's properties in the SA. How can I get around this without having to disable the CSA, and why would it prevent access to this user, who is in the same OU as all the other users, with nothing special about their AD account? I have even deleted the user from Unity and re-imported successfully, but still experience this issue with just this one user.
07-10-2006 07:05 PM
Were you able to resolve this issue? I am having the same problem in Unity 4.1.
Thanks,
Duane Brennan
07-11-2006 06:49 AM
We have a large environment here and there are a "couple cooks" in the AD kitchen from time to time. When we deployed Unity, I created a voicemail-only domain and had the META guys push me a copy of their AD to my AD so I can keep the account names, first, last, alias, etc. This has been great. Except when the scenario you are talking about happens.
Security had a problem with an account in the production AD. They deleted the account and recreated it. META pushed me a disabled flag on the account, leaving me trying to figure out why I cannot view the profile of this person in Unity.
Sure enough, the account was recreated with a new alias, different SID in AD. Unity did not like that so much and pretty much made the account unusable. A good way to test is to go to your Unity VM messaging store and see if you can log in through OWA to see if the account works:
http://mail.unitymessengingserver/exchange/alias
Log in with domain\unitymsgstrsvc (since it has rights to all mailboxes).
The account may look fine in AD and it's not disabled, but if you look at the Exchange Advanced properties, you will probably see the security properties of "Self" and that's it. The account has lost all permissions. You can try to manually add them back in, but you are better off just starting over.
I always tend to ask the subscriber questions like "Have you had any problems logging into your workstation or email? Have you called the help desk lately regarding your login account to AD?" This usually puts a red flag up for us that the account has been altered in some way by the AD guys and pushed to us, which broke the Unity account connection.
95 percent of the time, this all works fine. AD admins are not supposed to delete accounts in AD at all. Lazy admins delete accounts, good ones figure out why it does not work.
Anyways... maybe this long-winded story will help point you in the right direction.
07-11-2006 07:16 AM
Hi -
Another thing that may cause this - the user's account has had inheritance disabled (or the box has gotten unchecked) which would block the permissions needed.
Ginger
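The two causes suggested in the replies above (an account that was deleted and recreated, so it has a new SID, and an account with permission inheritance switched off) can both be checked by comparing the problem account with a working one from the same OU. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT), which is newer than the environment discussed here, and both aliases are placeholders.

```powershell
# Added example: compare a problem account's AD security state with a known-good one.
# Assumes the ActiveDirectory module (RSAT). Aliases used below are placeholders.
Import-Module ActiveDirectory

function Get-AccountAclSummary {
    param([Parameter(Mandatory)][string]$Alias)

    $u  = Get-ADUser -Identity $Alias -Properties nTSecurityDescriptor, whenCreated, whenChanged
    $sd = $u.nTSecurityDescriptor

    # Fetch explicit and inherited ACEs, keeping trustees as raw SIDs so that
    # entries pointing at deleted accounts do not fail name translation.
    $aces = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    [pscustomobject]@{
        Alias              = $u.SamAccountName
        SID                = $u.SID.Value
        Enabled            = $u.Enabled
        # A creation date much newer than the mailbox suggests a delete-and-recreate.
        WhenCreated        = $u.whenCreated
        WhenChanged        = $u.whenChanged
        # True means "inherit permissions from parent" is unchecked on the object.
        InheritanceBlocked = $sd.AreAccessRulesProtected
        InheritedAces      = @($aces | Where-Object { $_.IsInherited }).Count
        ExplicitAces       = @($aces | Where-Object { -not $_.IsInherited }).Count
    }
}

# Placeholder aliases: the account that returns 403 and any account that works.
$problem = Get-AccountAclSummary -Alias 'PROBLEM_ALIAS'
$good    = Get-AccountAclSummary -Alias 'KNOWN_GOOD_ALIAS'

$problem, $good | Format-Table -AutoSize

if ($problem.InheritanceBlocked -and -not $good.InheritanceBlocked) {
    Write-Warning 'Inheritance is disabled on the problem account only.'
}
if ($problem.InheritedAces -eq 0 -and $good.InheritedAces -gt 0) {
    Write-Warning 'Problem account carries no inherited ACEs; OU-level grants are not reaching it.'
}
```

A `WhenCreated` value on the problem account that is far more recent than its neighbours, together with a SID that does not match what the voicemail system recorded at import time, points to the recreated-account case rather than a simple permissions change.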