Troubleshooting Delegated Administration Console

What problem are you having?

Users cannot log on to Delegated Administration Console after being moved to another Active Directory container

Cause: When a user is manually moved to a new parent container without having their group membership updated to reflect the change, Active Directory's security model is broken. Although the user will be able to access directory objects underneath the new container, the user will lose access to all other containers in the directory, even if the user has been granted permissions on the containers. This behavior is deliberate and consistent with Active Directory's authentication procedures.

Solution: If the user is manually moved to a new container, the user's parent object changes. The user's group membership is not automatically updated to reflect its new location in the directory, however: the user retains the previous parent object. In this case, when Active Directory checks to determine whether the user has access permissions to its parent object, it will fail because the user object is no longer a member of its parent object.

In Active Directory, a user is also an object that exists within the directory's security framework. Each user object has permissions associated with it that determine its level of access to other objects within the directory. When a user logs on to Delegated Administration Console, Active Directory verifies that the user object has permissions to its parent organization. It then determines whether the user has permissions to access its parent object. If the user has access permissions, Active Directory continues its permissions verification to determine the user's explicit permissions. If the user does not have access permissions to its parent object, Active Directory cannot determine any information about the user object. Consequently, Active Directory cannot verify the user's permissions and the user will be unable to log on to Delegated Administration Console.

Debugging information is not available

Cause: The debug function is not enabled by default.

Solution: You must turn on debugging through Delegated Administration Console.

  1. Log on to Delegated Administration Console as a domain administrator.
  2. From the default page, click Config Center, and then click View and Edit Delegated Administration Console Configuration Settings
  3. On the left pane, click Debug Options.
  4. Select Write XML requests to file.
  5. In the XML output path, type the path to a directory where you want the XML files to be saved (for example, C:\debug).
  6. In MPF audit database server, type the name of the SQL Server running the MPF audit database, and then click Save.
  7. In the tasks pane, click Load configuration into memory.

When debug is turned on, Delegated Administration Console will create XML files that track all requests and responses and place those files in the specified debug folder.


  • If you want to include full Microsoft Provisioning Framework (MPF) audit in the debug files, you must configure MPF to send all transactions to the audit database. For more information on configuring auditing, see To change the audit level for provisioning engines.

    For more information on using debugging options, see "Working with debugging options" and "Configure debugging options" in Delegated Administration Console Help.

  • By default, user accounts other than the domain administrator will not have access to the MPF audit database. If you want to allow users other than the domain administrator to access audit database information as part of the debugging information, you must manually add the user accounts.

I cannot provision File Transfer Protocol (FTP) sites

Cause: This can occur if the FTP service was not installed and running on the Internet Information Services (IIS) server prior to registering its resources with Resource Manager. It is not possible to add additional services to an IIS server, such as FTP, after its resources have been registered.

Solution: Restore the version of the IIS metabase that was backed up prior to attempting to add the FTP service. You will still be unable to install the FTP service or provision FTP sites on the server. For more information about restoring the IIS metabase, see article Q302573, "HOW TO: Backup and Restore IIS" in the Microsoft Knowledge Base.

MPF audit database information is not available to users other than domain administrators

Cause: By default, only domain administrators have access to the MPF audit database.

Solution: You must grant read-access permissions to the group to whom you want to grant access to the MPF audit database:

  1. Log on the computer where SQL Server 2000 is installed as a domain administrator.
  2. Click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
  3. The SQL Server Enterprise Manager will start. In the console tree, double click Microsoft SQL Servers, double-click SQL Server Group, double-click the name of the server, click Security, right-click Logins, and then click New Login.
  4. In SQL Server Login Properties - New Login, in Name, type the name of the group to which you want to grant access (for example, admins@hosting).
  5. On the General tab, in Defaults, in the Database drop-down menu, click MPFAudit.
  6. On the Database access tab, in the Permit column, select the MPFAudit check box, and then click OK.