I have seen various issues during SQL installation, and most of the time they are intuitive. The error message is mostly helpful and points in the right direction. In this blog post we will discuss the error “Updating permission setting for folder failed”.
Here is the exact error which we could see in the setup logs under the BootStrap folder.
Updating permission setting for folder ‘C:\ClusterStorage\FIN_Data\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\DATA’ failed. The folder permission setting were supposed to be set to ‘D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266783-3050454056-335720097-2195381415)’.
Permission error occurs when you use a volume mount point in SQL Server Setup
My client was not installing it on the “root” of the mount point. The complete message from Detail.txt is shown below. (I have added line numbers and removed the DateTime for better visibility.)
- SQLEngine: : Checking Engine checkpoint ‘SetSecurityDataDir’
- SQLEngine: –SqlEngineSetupPrivate: Setting Security Descriptor D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926) on Directory C:\ClusterStorage\FIN_Data\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\DATA
- Slp: Sco: Attempting to set security descriptor for directory C:\ClusterStorage\FIN_Data\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\DATA, security descriptor D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
- Slp: Sco: Attempting to normalize security descriptor D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
- Slp: Sco: Attempting to replace account with sid in security descriptor D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
- Slp: ReplaceAccountWithSidInSddl — SDDL to be processed: D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
- Slp: ReplaceAccountWithSidInSddl — SDDL to be returned: D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
- Slp: Prompting user if they want to retry this action due to the following failure:
- Slp: The following is an exception stack listing the exceptions in outermost to innermost order
- Slp: Inner exceptions are being indented
- Slp:
- Slp: Exception type: Microsoft.SqlServer.Configuration.Sco.SqlDirectoryException
- Slp: Message:
- Slp: Updating permission setting for folder ‘C:\ClusterStorage\FIN_Data\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\DATA’ failed. The folder permission setting were supposed to be set to ‘D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)’.
- Slp: HResult : 0x84cf0003
- Slp: FacilityCode : 1231 (4cf)
- Slp: ErrorCode : 3 (0003)
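The security descriptor that setup failed to apply is an SDDL string. As an added example (not from the original post or from SQL Server setup), this Python code decodes its DACL so the intended permissions can be read; the function names and the abbreviated code tables are assumptions of the example.

```python
import re

# Subsets of the SDDL code tables, enough for file-system DACLs like this one.
ACE_TYPES = {"A": "Allow", "D": "Deny"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}
RIGHTS = {"FA": "file all access", "FR": "file read", "FW": "file write",
          "FX": "file execute", "GA": "generic all", "GR": "generic read"}
TRUSTEES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
            "CO": "CREATOR OWNER", "WD": "Everyone", "AU": "Authenticated Users"}
DACL_FLAGS = {"P": "protected", "AI": "auto-inherited", "AR": "auto-inherit requested"}

# Security descriptor copied from the Detail.txt excerpt above.
SETUP_SDDL = ("D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)"
              "(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)")

def decode_codes(text, table):
    """Split a run of two-letter codes such as 'OICI' and translate each one."""
    return [table.get(text[i:i + 2], text[i:i + 2]) for i in range(0, len(text), 2)]

def describe_trustee(sid):
    """Translate a well-known alias; flag per-service SIDs (NT SERVICE\\name)."""
    if sid.startswith("S-1-5-80-"):
        return "service SID " + sid
    return TRUSTEES.get(sid, sid)

def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: component; hex access masks stay verbatim."""
    match = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL (D:) component with ACEs found")
    flags = [DACL_FLAGS[f] for f in re.findall(r"AR|AI|P", match.group(1))]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(2)):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, ace_flags, rights, _obj, _inherit_obj, sid = body.split(";")[:6]
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "inherit": decode_codes(ace_flags, ACE_FLAGS),
            "rights": [rights] if rights.startswith("0x") else decode_codes(rights, RIGHTS),
            "trustee": describe_trustee(sid),
        })
    return flags, aces

if __name__ == "__main__":
    dacl_flags, aces = parse_dacl(SETUP_SDDL)
    print("DACL flags:", ", ".join(dacl_flags))
    for ace in aces:
        print(f"{ace['type']:5} {', '.join(ace['rights'])} ({', '.join(ace['inherit'])}) -> {ace['trustee']}")
```

Decoded, the descriptor is a protected DACL that grants inheritable full control to Administrators, SYSTEM, CREATOR OWNER and the SQL Server service SID.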
WORKAROUND/SOLUTION
We checked and made sure that the service account had the permissions below in the security policy:
- Act as Part of the Operating System
- Bypass Traverse Checking
- Lock Pages In Memory
- Log on as a Batch Job
- Log on as a Service
- Replace a Process Level Token
- Backup files and directories
- Debug Programs
- Manage auditing and security log
I gave all the possible permissions to the various accounts on the folders, including “Full Control” to “Everyone”.
At last, we found that this was due to the “Audit Object Access” policy, which was enabled from the domain controller via GPO. Once we disabled it, the installation went fine.
Reference: Pinal Dave (https://blog.sqlauthority.com)
First appeared on SQL SERVER – Cluster Install Failure – Code 0x84cf0003 – Updating Permission Setting for Folder Failed