The official blog for Windows Server Essentials and Small Business Server support and product group communications.
EPS Team Blogs
[Today's post comes to us courtesy of Rituraj Choudhary from Commercial Technical Support]
After Small Business Server 2011 Standard has been updated with Update Rollup 2, some users may not be able to log on to the Remote Web Access with the following error:
“Remote Web Access is not allowed for your user account. Contact the person who manages your server.”
In the "C:\Program Files\Windows Small Business Server\Logs\WebApp\RemoteAccess.log" file, you will see the following:
 120419.103511.7516: RemoteAccess: [Identity] CheckUserInGroup hit exceptions: System.Runtime.InteropServices.COMException (0x80005000): Unknown error (0x80005000) at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.PropertyValueCollection.PopulateList() at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) at System.DirectoryServices.PropertyCollection.get_Item(String propertyName) at Microsoft.WindowsServerSolutions.Web.Security.SBSRoleProvider.IsGroup(String distinguishedName) at Microsoft.WindowsServerSolutions.Web.Security.SBSRoleProvider.CheckUserInGroup(String userDn, String groupDn, List`1 processedGroups)  120508.103511.7526: RemoteAccess: [Identity] CheckUserInGroup user:CN=April Reagan,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Contoso,DC=local. group:CN=Windows SBS Admin Tools Group,OU=Security Groups,OU=MyBusiness,DC=Contoso,DC=local  120419.103511.8186:: RemoteAccess: [Identity] GetRolesForUser 'CONTOSO\AprilReagan': hasAccess=False, isAdmin=False, inLink=False, inAdminTools=False, allComputers=False
This happens due to the fact that some Active Directory User or Organizational Unit name contains a forward slash (‘/’) character. The current resolution is to remove the offending character (‘/’) from the name(s).
To find the offending User or OU, you may simply browse through the Active Directory Users and Computers console. If you are assisting someone, you may ask for a LDIFDE dump of the users and the Organizational Units as: ldifde -f users.txt -d "dc=contoso,dc=local" -p subtree -r "(objectCategory=User)" -l "cn" ldifde -f org.txt -d "dc=contoso,dc=local" -p subtree -r "(objectCategory=organizationalUnit)" -l "ou" (In the above examples, “dc=contoso,dc=local” is the distinguished name of the domain; change it as per your environment) Once you get the output, look for the user or organizational unit names with character ‘/’ in their name. Remove the character and modify it conventionally. That should take care of this issue.
In the following example, getting rid of the ‘/’ from the name of “Test o/u” will fix the issue:
dn: OU=Domain Controllers,DC=Contoso,DC=local changetype: add ou: Domain Controllers
dn: OU=MyBusiness,DC=Contoso,DC=local changetype: add ou: MyBusiness … … … dn: OU=Test o/u,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Contoso,DC=local changetype: add ou: Test o/u … … …
Open Active Directory Users and Computers to rename the object and remove the ‘/’ character.
<p>I have the same error but the solution you propose does not apply, there are no "/" in the OU hierarchy of this user (whic is the default domain.local/MyBusiness/Users/SBSUsers).</p>
<p>Are there any other alternative solutions?</p>
<p>Oh, and I forgot to mention that when I add those users who cannot access RWW to the Domain Admins group, they can access the RWW again! Seems like a permission-related issue doesn't it?</p>
<p>Worked for me, thanks for sharing ...</p>
<p>You might want to check for a forward slash "/" in user's name. Example - "Sales/Mktg Manager"</p>
<p>I have the same problem as Ambroise.</p>
<p>It works if I add the user to the Domain Admins group.</p>
<p>I have two users in the default domain.local/MyBusiness/Users/SBSUsers group, one works, the other not.</p>
<p>There's no forward slashes or any other special characters in the name of any of the two.</p>
<p>Ambroise: Can you check if the NEXT user alphabetically has a forward slash in its name?</p>
<p>Here I had a user with a forward slash in it but in the user NEXT to the one having the problem. When I rename that user, the original user with the problem can access RWW again.</p>
<p>Sorted by display name, not username as it seems...</p>