Constant Error when enabling Lync Clients who are domain users only.

    Question

  • Hi All,

    This is a brand new Lync environment. I know I had an issue with a few Lync users that were domain admins; however, I am getting the same errors for non-domain admins.

    "Error(s) – Active Directory operation failed on “domaincontroller.domain.com”.  You cannot retry this operation: “Insufficient access rights to perform the operation"

    I already know what the fix is on a per-user basis: selecting inheritable permissions.  The client has quite a few users, and I am hoping to resolve this w/o going to each user's security tab and selecting inheritable perm

    Ideas anyone?

    Thanks!

    Friday, March 02, 2012 5:49 PM

Answers

  • Hi,

    I have faced this issue with a few users who were not part of the Domain Admins group. As per Microsoft:

    • The user account that is part of the Lync 2010 Server move or enable operation is a member of an Active Directory, directory service protected domain security group. Since the user account belongs to a protected domain security group it is unable to keep the RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Universal Security groups and their permissions as Access Control Entries (ACEs) to the protected domain security group's default Access Control List (ACL).
    • The Lync 2010 Server Control Panel is not designed to delegate the permissions that are needed to complete the user account move or enable operation.

    You can enable those users through the Lync PowerShell by running the following command:

    Enable-CsUser -Identity "Bill Anderson" -RegistrarPool "pool01.contoso.com" -SipAddressType EmailAddress  -SipDomain contoso.com

    • To view a list of examples for the usage of the Enable-CsUser Lync Server 2010 PowerShell cmdlet use the Lync Management Shell and enter the following PowerShell cmdlet: Get-Help Enable-CsUser -Examples

    For more information, see http://support.microsoft.com/kb/2466000 and http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/c90a7df8-ac4c-4297-a5a8-aa589e1d163d/

    Hope above helps


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Friday, March 02, 2012 8:54 PM
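
The condition described in the answer above can be found in bulk instead of one Security tab at a time. The following audit-only script is an added example, not part of the original thread or of Microsoft's guidance; it assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module, and the function name `Get-LyncEnableBlockers` and the search base are hypothetical placeholders.

```powershell
# Added example: audit only, changes nothing in the directory.
# Assumes the RSAT ActiveDirectory module; Get-LyncEnableBlockers is a hypothetical name.
Import-Module ActiveDirectory

function Get-LyncEnableBlockers {
    param(
        # Placeholder search base; replace with the OU that holds the Lync users.
        [Parameter(Mandatory = $true)] [string] $SearchBase
    )

    # The two groups named in the answer above, matched on the account-name part only.
    $rtcGroups = 'RTCUniversalUserAdmins', 'RTCUniversalUserReadOnlyGroup'

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor

            # Every ACE on the object, explicit and inherited, trustees as DOMAIN\name.
            $trustees = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
                ForEach-Object { ($_.IdentityReference.Value -split '\\')[-1] }

            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                # True = "Include inheritable permissions" is unticked on the Security tab.
                InheritanceBlocked = $sd.AreAccessRulesProtected
                # 1 = the account is, or once was, a member of a protected group.
                AdminCount         = $_.adminCount
                # RTC groups that hold no ACE at all on this user object.
                MissingRtcAces     = @($rtcGroups | Where-Object { $trustees -notcontains $_ })
            }
        } |
        Where-Object { $_.InheritanceBlocked -or $_.MissingRtcAces.Count -gt 0 }
}

# Constructed search base for illustration only.
Get-LyncEnableBlockers -SearchBase 'OU=Users,DC=contoso,DC=com' |
    Sort-Object AdminCount -Descending |
    Format-Table SamAccountName, InheritanceBlocked, AdminCount, MissingRtcAces -AutoSize
```

Accounts listed with AdminCount 1 that are still members of a protected group have their ACL reset periodically from AdminSDHolder, so ticking inheritance on them does not last; those are the ones to enable from the Lync Management Shell as the answer describes.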

All replies

  • Thank you very much SKHATRI!!
    Saturday, March 03, 2012 1:14 AM