Troubleshooting CLM: The directory property cannot be found in the cache

After installing CLM 2007 in your domain, you may see the following error within the CLM enrollment web pages:

The directory property cannot be found in the cache.
CLM error

If CLM debug logging is enabled through web.config you see the following in the CLM trace log file:

CLM log Exception Information*********************************************
Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147463155
Message: The directory property cannot be found in the cache.

During the setup of CLM 2007, the clmAuthAgent account is added to the Pre-Windows 2000 Compatible Access security group. The purpose of this is to allow the CLM account to determine Global and Universal groups the admin and target account is a member of (CLM only uses Global and Universal groups for access control).

IF the domain was however created with the ‘Permissions compatible with pre-Windows 2000 servers’ option turned off, the Pre-Windows 2000 Compatible Access group doesn’t have read permission on the tokenGroupsGlobalAndUniversal attribute.

If this is the case, the clmAuthAgent account needs to be added to the Windows Authorization Access Group which by default has read permissions on thetokenGroupsGlobalAndUniversal attribute.

To activate the change on the CLM server, an IISReset command must be run on the server hosting the CLM web pages.

Table 18 Required access control settings for CLM agent user accounts

Authorization Agent

Determines user rights and permissions for users and groups.

This user has the following access control settings:

· Added to the Pre-Windows 2000 Compatible Access domain group.

· Granted the Generate security audits user right.

Further details:

Troubleshooting CLM 2007

When you try to install Microsoft System Center Operations Manager 2007 Reporting, the installation is unsuccessful