Topic Last Modified: 2007-09-20

This topic provides information about how to troubleshoot Microsoft Exchange Server 2007 Setup if Setup fails with the following error: "Requested registry access is not allowed."

The ExchangeSetup.log file will also include the following warning: "An unexpected error has occurred and a Watson dump is being generated: Requested registry access is not allowed."

This issue occurs when the Remote Registry service is not started or when permissions are not set correctly on the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Resolution

To resolve the problem, perform the following tasks:

  • Confirm that the Remote Registry service is started.

  • Confirm that the LOCAL SERVICE account and that local Administrators group for the server have the correct permissions on the HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg subkey. The LOCAL SERVICE account should have the following permissions:

    • Read

    • Special permission

    The Administrators group should have the following permissions:

    • Full Control

    • Read

    • Special permission

    These permissions are the default permissions.

    Caution:
    Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
  • Confirm that a Group Policy is not overwriting the LOCAL SERVICE permissions for the winreg subkey. For more information about Group Policy in Windows Server 2003, see Windows Server 2003 Group Policy.

Before You Begin

To perform this procedure, the account you use must have membership in the local Administrators group. For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Procedure

To use Registry Editor to restore default permissions on the winreg subkey

  1. Start Registry Editor (regedit).

  2. Locate the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

  3. Right-click winreg and select Permissions.

  4. In the Permissions for winreg dialog box, under Group or user names, if Administrators (<computer name or domain name>\Administrators) does not exist, click Add. In the Select Users, Computers, or Groups dialog box, type Administrators, and then click OK.

  5. In the Permissions for winreg dialog box, under Group or user names, if LOCAL SERVICE does not exist, click Add. In the Select Users, Computers, or Groups dialog box, type LOCAL SERVICE, and then click OK.

  6. Under Group or user names, select Administrators (<computer name or domain name>\Administrators). Under Permissions for Administrators, select Allow for the Full Control permission and select Allow for the Read permission.

  7. Under Group or user names, select LOCAL SERVICE. Under Permissions for LOCAL SERVICE, select Allow for the Read permission.

  8. Click Apply.

  9. To set the special permissions, click Advanced and complete the following:

    1. On the Advanced Security Settings for winreg page, on the Permissions tab, under Permission entries, select the entry where Name is Administrators (<computer name or domain name>\Administrators), and then click Edit.

    2. On the Permission Entry for winreg page, confirm that Apply onto is set to This key only. Confirm that Allow is selected for all of the permissions.

    3. Click OK.

    4. On the Advanced Security Settings for winreg, on the Permissions tab, under Permission entries, select the entry where Name is LOCAL SERVICE, and then click Edit.

    5. On the Permission Entry for winreg page, confirm that Apply onto is set to This key and subkeys. Confirm that Allow is selected for only the following permissions: Query Value, Enumerate Subkeys, Notify, and Read Control.

    6. Click OK.