locked
Move-CsUser Cmdlet RRS feed

  • Question

  • Hi,

    I gone through most of the forum discussion about issue "Move-CsUser does not work in shell but its works with Control Panel".

    I am also facing same issue although user to whom I am moving does not a member of any special AD group and also inheritence is also enabled.I also checked with Paramater Domain Controller but no luck.

    Is it mandatory to be a member of "RTCUniversalUserAdmin" group to run this command even though I am a member of "RTCUniversalServerAdmin" and "CsAdministrator" Group. I am running this command from SFB Front End Server.

    Please share if there is any MS Article about this.

    -DJ

    Tuesday, June 21, 2016 8:02 PM

Answers

  • Hi All,

    I was able to move user via powershell after getting <"RTCUniversalUserAdmin" permission.

    In all research I come to know RBAC permission, comes in Picture when Powershell is being run remotelly but we run it locally on server then only RTC permission have to be there.

    -DJ

    • Marked as answer by JinDeep Monday, June 27, 2016 8:40 AM
    Monday, June 27, 2016 8:40 AM

All replies

  • Hi,

    Which error message you received when run "move-csuser"?

    Please try the solution in the link below and then test again:

    https://support.microsoft.com/en-ph/kb/2441696

    Best Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Eason Huang
    TechNet Community Support

    Wednesday, June 22, 2016 3:09 AM
  • Hi Jindeep, 

    could you paste the error which you get while using the PS to move the user.


    Linus || Please mark posts as answers/helpful if it answers your question.

    Wednesday, June 22, 2016 4:11 AM
  • JinDeep,

    does this happening for every user ? or few users ?

    I believe you should need  "RTCUniversalUserAdmin" permissions.  When you run the command did you get any error

    Get-CsUser -OU "ou=Finance,dc=litwareinc,dc=com" | Move-CsUser -Target "atl-cs-001.litwareinc.com"

    if you have seen any content move failure error please check if you have any issues with moving conference related data?

    Then try this command and see if it makes any difference,

    move-csuser -identity UserA -target L2013Pool.intenal.com -MoveConferenceData


    Regards, Raju

    Wednesday, June 22, 2016 5:15 AM
  • I am getting below error for each and every user :

    Move-CsUser : Failed while updating destination pool.

    Command : Move-CsUser -Identity User1 -Target Pool02.domain.com

    -DJ

    Wednesday, June 22, 2016 8:05 AM
  • Hi,

    Please open up adsiedit.msc, navigate to the user’s account, open up the properties and review the Advanced Security Settings of the object. Uncheck “Include inheritable permissions from this object” s parent setting for the user account.

    Then test again.

    Best Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Eason Huang
    TechNet Community Support

    • Proposed as answer by Liinus Wednesday, June 22, 2016 10:22 AM
    Wednesday, June 22, 2016 10:19 AM
  • Hi,

    I am getting this error for all users.AD team will not allow us to do this modification for all users as it will impact other services also.

    I am able to move same user from Control panel then how this inheritance permission will block to move user through Powershell.

    -DJ

    Thursday, June 23, 2016 9:09 AM
  • Please see this link

    http://www.lyncinsider.com/ocs-2007/ocs-2007-r2/upgrading-users-from-ocs-to-lync-how-to-correct-the-failed-while-updating-error/

    Lync admis would not much control over AD permission issues however you can refer following link for more information.

    https://technet.microsoft.com/en-us/library/cc961979.aspx

    I would prefer to contact MS for AD Team help if its large user impact.



    Thursday, June 23, 2016 10:39 AM
  • Hi,

    User which I am trying to move in not a member of any protected Active Directory Group.He is simple Domain User.Well if the issue is because of his membership, how the same user is getting moved thorugh Control panel ?

    Thursday, June 23, 2016 10:50 AM
  • Any suggestion please ?

    -DJ

    Saturday, June 25, 2016 11:01 AM
  • Did you try using the -force parameter along with move-csuser to check if the move is happening. make sure you take the back up of contacts. ( To check if we still find any permission issues for the user or its just the lync related contents or components which is stopping the move) 

    Also would suggest to create a test user in the old pool and try to move the user to the new pool using the PS. I am sure you are   making the PS run as administrator, even when you having full permission on servers make sure we open them as run as administrator. 


    Linus || Please mark posts as answers/helpful if it answers your question.

    Saturday, June 25, 2016 4:46 PM
  • Please dont use -force switch unless you dont want user data.

    -force switch 100% works as simple it just changes pool name in AD Attributes as in the user moves. where are normal command will verify permissions on user account and your data in SQL tables and make sure all user related data along with conference directories will be moved.

    As said Akampa, please create a new test user in working Pool and try to move to target pool and see if you can move without any issues. i believe it should work 100% as its a new user and it will not face any challenges either.

    as you said, you were able to move few users using Control panel without any  issues right ? so try to move a user to SFB server once it moved successfully then move it back to old pool using Power shell with Admin rights 

    if that works , try again move that user using Powershell with Admin rights to SFB Server 

    this exercise will left us to understand root cause 

    1. if the new user moves without any issues without -force switch that mean no issues with powershell module

    2. if the user who moved to SFB server and moved back to old pool, then if we are able to move the user to SFB with powershell - we can determine the issue is not with powershell module permissions.



    Regards, Raju

    Saturday, June 25, 2016 6:57 PM
  • Hi,

    At present I am trying to move test users only, I have 4 test users and I am able to move all 4 test users to different pool and visa-versa via Control Panel but when trying to move any user to different pool via power shell it gives me error.

    I am waiting to get permission on RTCUniversalUserAdmin permission and will try again.

    -DJ 

    Saturday, June 25, 2016 7:54 PM

  • Please get the RTCUniversalUserAdmin  permission over your Admin account from the beginning I am suspecting primarily on this - let’s hope the issue fixed with this.

    Meanwhile, can you get the logs for following components from the Lync FE servers where you are executing command while you are executing the command?

    ADConnect,Powershell,Userservices – select these components using OCSLogger.

    Read those logs as messages and see if you can spot any error’s regarding authentication failures.


    Following Technet blog has a article which has covered information nicely that what all can be done by user administrator. 

    https://blogs.technet.microsoft.com/csps/2010/06/06/a-brief-introduction-to-role-based-access-control-part-1/

    --------------- 

    Excerpt from the article.

    Get-CsAdminRole -Identity CsUserAdministrator | Select-Object –ExpandProperty Cmdlets
     

    What we’ve done here is grab all the property values for the CsUserAdministrator role and then pipe that information to theSelect-Object cmdlet. From there we use the –ExpandProperty parameter to “expand” the value of the Cmdlets property. What does it mean to expand a property value? That’s an easy one: it just means that PowerShell is going to display all the values contained in that property, and in a nice, easy-to-read format. In other words, we’re going to get back a list of cmdlets that looks like this:
     

    Disable-CsUser
    Enable-CsUser
    Get-CsAdUser
    Get-CsUser
    Get-CsUserClusterInfo

    Move-CsUser

    Move-CsLegacyUser
    Set-CsUser
    Grant-CsClientPolicy
    Grant-CsClientVersionPolicy
    Grant-CsConferencingPolicy
    Grant-CsDialPlan
    Grant-CsExternalAccessPolicy
    Grant-CsHostedVoicemailPolicy
    Grant-CsLocationPolicy
    Grant-CsPinPolicy
    Grant-CsVoicePolicy
    Get-CsArchivingPolicy
    Get-CsClientPolicy
    Get-CsClientVersionPolicy
    Get-CsConferencingPolicy
    Get-CsExternalAccessPolicy
    Get-CsHostedVoicemailPolicy
    Get-CsLocationPolicy
    Get-CsPinPolicy
    Get-CsVoicePolicy
    Get-CsClientPinInfo
    Unlock-CsClientPin
    Lock-CsClientPin
    Set-CsClientPin
    Get-CsClientVersionConfiguration
    Get-CsDialPlan
    Get-CsSite
    Get-CsComputer
    Get-CsNetworkInterface
    Get-CsPool
    Get-CsService
    Get-CsSipDomain
     Revoke-CsClientCertificate

    Like we said: there isn’t an ellipsis made that we can’t outwit.
     

    Well, OK: there isn’t an ellipsis made that Select-Object and the –ExpandProperty parameter can’t outwit.
     ------------------ 

    Hope this helps.


    Regards, Raju



    Saturday, June 25, 2016 8:18 PM
  • Hi All,

    I was able to move user via powershell after getting <"RTCUniversalUserAdmin" permission.

    In all research I come to know RBAC permission, comes in Picture when Powershell is being run remotelly but we run it locally on server then only RTC permission have to be there.

    -DJ

    • Marked as answer by JinDeep Monday, June 27, 2016 8:40 AM
    Monday, June 27, 2016 8:40 AM
  • Good Jin Deep, this is what i was suspecting from the beginning happy that your issue fixed after adding RTCUniversalUserAdmins on your admin account.

     

    Regards, Rajukb This posting is providedwith no warranties and confers no rights. If my reply answers your question please mark as answer/helpful if its helpful.

    Monday, June 27, 2016 8:54 AM
  • Good to know Jindeep , Yes RTCUniversalUserAdmin does made the difference


    Linus || Please mark posts as answers/helpful if it answers your question.

    Monday, June 27, 2016 9:20 AM