Last post Feb 11, 2006 04:00 AM by ktan67
Feb 03, 2006 12:58 AM|ktan67|LINK
Hope someone can help,
I get this error whenever I try to login as an admin user of a hosted domain and try to create a new user.
Error: Failed to get the registry value specified. Machine:'.', Rootkey:'HKEY_LOCAL_MACHINE', Subkey:'SOFTWARE\Microsoft\Provisioning\CustomerPlansDb', Item:'Customer Database'./Access is denied./GetRegValue
Security on the registry key in the eror message on MPSSQL server shows MPFServiceAccounts having Read permissionas and MPFAdmins having Full Control.
Thanks in Advance.
Feb 03, 2006 05:34 AM|dbrannan|LINK
On your MPS server, run Provisioning Manager and look in the Managed Helpers namespace. I've seen this error before when the GetPlanDBConnString_ procedure is not set to execute as your MPSPrivAcct-XXXXX account.
If you find it isn't set, also check the other two procedures in that namespace that also need to execute as the MPSPrivAcct (which are ExecPlanSQL_ and TryGUIDToLDAP_).
Feb 03, 2006 11:40 AM|ktan67|LINK
I should have specified that we're using Consolidated HMC 3.5. And domain admins can change user passwords and add users with no difficulties.
I'm not sure how to find the Managed Helpers namespace, it doesn't show up in the Provisioning Deployment Tool, or if it is applicable in the HMC 3.5 environment.
Feb 04, 2006 01:11 PM|dbrannan|LINK
Its still applicable to HMC 3.5. On the MPS server, you don't want to look at the Deployment Tool but the Provisioning Manager (Start - All Programs - Microsoft Provisioning Server - Provisioning Manager). Click on Managed Helpers in the left hand pane,
and then check the GetPlanDBConnString_ It sounds like it is isn't set to execute as your Priv account.
Feb 04, 2006 05:09 PM|ktan67|LINK
Actually all three helpers are set to run as the MPSPrivAcct-XXXXX. Any other ideas?
Thanks for the help, BTW.
Feb 09, 2006 03:24 PM|v-vladm|LINK
There is a procedure in the Managed Helpers namespace that reads this key and needs a particular security configuration. Normally this
should be set by installation. I recommend the following:
Feb 10, 2006 03:34 AM|ktan67|LINK
Thanks for replying, I re-ran the Initialize Namespace Security and rebooted the servers (DC's, Exchange and MPS. I then created a new organization with a new admin user - same problem - I've even waited an hour and tried again - same problem.
Funny thing is, the other user I was having the problem with previously can now change passwords and add users. Perhaps the server reboots 'fixed' something. I will reboot the servers again and see if the new user can make admin changes in the MPS control
panel as well.
Feb 11, 2006 04:00 AM|ktan67|LINK
Actually re-initializing the namespace security seems to have solved the problem - I was using the change password functionality of the MPS control panel to test whether or not it worked but was running into the domain password policy minimum password age
= 1 day - which kept me from changing the admin users own password.
Thanks for the help!