I recently deployed OCS 2007 R2 for a client. The deployment involved a front end server and an edge sync server. A few days after deploying OCS we noticed that MOC (Microsoft Office Communicator) was showing an error: “Cannot synchronize with the corporate address book. This may be because the proxy server settings in your web browser does not allow access to the address book. If the problem persists, contact your system administration”.

Upon doing some investigation I noticed an error in the System event log on the front end server, Event ID 5021, Source WAS: “The identity of application pool LSGroupExpAppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.”

The batch logon right WAS is referring to is “Log on as a batch job” (SeBatchLogonRight), which an application pool identity needs so that WAS can log the account on to start worker processes. Upon checking it under Security Settings > Local Policies > User Rights Assignment I noticed that the service account used by LSGroupExpAppPool was not listed. This was a result of a domain Group Policy defining that right without the service account: a GPO setting overrides the local security policy at every policy refresh, so the right the OCS setup had granted locally was removed, the logon failed, and WAS disabled the application pool.
The fix? We had to add the service account to the “Log on as a batch job” right in the GPO, run gpupdate /force on the front end server, and then restart MOC. All is well again!
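For anyone troubleshooting the same symptom, here is a PowerShell check I have added to this post (it is not part of the original deployment and not Microsoft's tooling). It looks for the WAS 5021 event, reads the identity LSGroupExpAppPool runs as, exports the effective user rights with secedit and checks whether that account holds SeBatchLogonRight, then generates an RSoP report so you can see which GPO is winning for that setting. It assumes you run it elevated on the front end server, that the pool name and “WAS” event source are as described above, and that appcmd.exe is present (IIS 7); the secedit export is the only way I know to read effective user rights without a third-party module, and it only checks the account itself, not groups it is nested in.

```powershell
# Added diagnostic for the WAS 5021 / LSGroupExpAppPool problem described above.
# Not from the original post. Assumes: elevated shell on the OCS front end,
# IIS 7 appcmd.exe, and a System log source named "WAS" (as reported above).
param(
    [string]$AppPoolName = 'LSGroupExpAppPool'
)

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. Has WAS logged "identity of application pool ... is invalid" for this pool?
$events = @(Get-EventLog -LogName System -Source WAS -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 5021 -and $_.Message -like "*$AppPoolName*" })
if ($events.Count -gt 0) {
    Write-Host ("WAS 5021 seen {0} time(s) for {1}; most recent {2}" -f $events.Count, $AppPoolName, $events[0].TimeGenerated)
} else {
    Write-Host "No WAS 5021 events for $AppPoolName in the last 200 System log entries."
}

# 2. Which identity is the pool configured to run as, and is it currently stopped?
$identityType = (& $appcmd list apppool $AppPoolName /text:processModel.identityType).Trim()
$identity     = (& $appcmd list apppool $AppPoolName /text:processModel.userName).Trim()
$state        = (& $appcmd list apppool $AppPoolName /text:state).Trim()
Write-Host "Pool $AppPoolName state: $state, identityType: $identityType, userName: '$identity'"

if ($identityType -ne 'SpecificUser' -or -not $identity) {
    Write-Host 'Pool runs as a built-in identity; the batch logon check below does not apply.'
    return
}

# 3. Export the effective local security policy (domain GPO settings already
#    merged in) and pull out the SeBatchLogonRight line.
$inf = Join-Path $env:TEMP 'user_rights.inf'
& secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
$holders = @()
if ($line) {
    # Entries are comma separated; SIDs are prefixed with '*', names are not.
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

# Resolve the pool account to a SID so we can match either form in the export.
$sid = $null
try {
    $sid = (New-Object System.Security.Principal.NTAccount($identity)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Host "Could not resolve '$identity' to a SID: $($_.Exception.Message)"
}

$hasRight = ($holders -contains $identity) -or ($sid -and ($holders -contains $sid))
if ($hasRight) {
    Write-Host "'$identity' holds SeBatchLogonRight (Log on as a batch job)."
} else {
    Write-Host "'$identity' is NOT listed in SeBatchLogonRight. Current holders: $($holders -join ', ')"
    Write-Host 'If a domain GPO defines this right, adding the account in Local Security Policy'
    Write-Host 'will be undone at the next refresh; add it to the GPO instead, then gpupdate /force.'
}

# 4. RSoP report: open it and look for "Log on as a batch job" under
#    Security Settings to see the Winning GPO for that right.
$report = Join-Path $env:TEMP 'rsop_computer.html'
& gpresult /scope computer /h $report /f | Out-Null
Write-Host "RSoP report written to $report"
```

Run it before and after changing the GPO. If the pool state comes back as Stopped, WAS has already disabled it, so after the right is granted and gpupdate /force has run you may also need to start the pool (appcmd start apppool LSGroupExpAppPool) before MOC can reach the address book again.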