Forum Discussion
Craig Power
May 13, 2018Copper Contributor
Unable to Uninstall Exchange Server 2016 Due to MpsSvc Access Denied Error
I am unable to uninstall Exchange Server 2016 on a Windows 10 v1709 computer. Running setup.exe /mode:uninstall, I receive the following error during the prerequisites check: ----- The follow...
TAE_YOUN_ANN
May 15, 2018MVP
Hi. Craig
Run the following in the PowerShell and proceed
Set-ExecutionPolicy Unrestricted
Craig Power
May 15, 2018Copper Contributor
Just to close the loop with this, I contacted Microsoft Support (via Volume Licensing email support for Exchange Server.) They recommended creating a brand-new Exchange user mailbox, with the user being a member of Domain Admins, Enterprise Admins, Schema Admins, Organization Management, and the affected workstation's local Administrators group, then logging into the workstation under that account and attempting to uninstall Exchange from an elevated Exchange Management Shell session. This failed with the same error as previously described.
Their next recommended action was to delete the workstation-based Exchange server from the Exchange configuration via ADSI Edit, under the following location:
Configuration Container
CN=Configuration, DC=Domain_Name,DC=com
CN=Services
CN=Microsoft Exchange
CN=Your_Organization_Name
CN=Administrative Groups
CN=Your_Administrative_Group_Name
CN=Servers
I was aware of how to do this, but was reluctant to take that step out of concern of leaving "debris" in the Exchange configuration. But since other steps were not working, this is what I ended up doing. Hopefully there will not be any repercussions from such a "brute force" method of removing the errant workstation-based Exchange server from the organization.
Microsoft also recommended using the SysInternals AccessChk utility, with the command
AccessChk -c MpsSvc -v >c:\mps.txt
and the sc command
sc sdshow MpsSvc >c:\mps2.txt
to get information regarding the permissions of the MpsSvc if I wanted them to perform more troubleshooting. I didn't pursue this, though, because I opted for the brute force removal method, making collecting this data moot.
Thanks for all who contributed trying to help.
- proninAVJul 20, 2021Copper Contributor
Craig Power
Не хватает прав на управление службойAccessChk -c MpsSvc -v >c:\mps.txt
MpsSvc
Medium Mandatory Level (Default) [No-Write-Up]
R NT AUTHORITY\Authenticated Users
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
READ_CONTROL
RW NT AUTHORITY\SYSTEM
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_CHANGE_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
READ_CONTROL
WRITE_DAC
WRITE_OWNER
RW BUILTIN\Administrators
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
READ_CONTROL
WRITE_DAC
WRITE_OWNER
R BUILTIN\Users
SERVICE_QUERY_STATUS
Получение текуших разрешений на службу:
C:\WINDOWS\system32>sc sdshow MpsSvc
D:(A;;CCLCLORC;;;AU)(A;;CCDCLCSWRPLORCWDWO;;;SY)(A;;CCLCSWRPLORCWDWO;;;BA)(A;;CCLCLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
https://habr.com/ru/post/75090/
Последние 2 буквы обозначают кому мы разрешаем или запрещаем:
EA Enterprise administrators
BA Built-in administrators
SY Local system
Добавление прав для EA как у SY:
sc sdset MpsSvc D:(A;;CCLCLORC;;;AU)(A;;CCDCLCSWRPLORCWDWO;;;SY)(A;;CCLCSWRPLORCWDWO;;;BA)(A;;CCLCLO;;;BU)(A;;CCDCLCSWRPLORCWDWO;;;EA)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)