lync 2010 not able to enable users

  • Question

  • this is my first lync installment so forgive my ignorance.

    we installed lync server 2010 enterprise, with one front end. (prolly should have just done standard)  we have 1 forest with 3 domains

    AS which is the top, DES where most of the servers are and HC which is where all the users are.

    our single front end is in the DES domain and the users i'm trying to enable are in the HC domain. the error message I get is access denied on the HC domain controller. (i'm doing this logged in as a DES domain admin.)

    so is it my account that is trying to change AD, or is it the application pool account or the service account? and what changes happen to that AD account.

    question 2

    what domain should my front end be in? I was under the assumption it didn't matter

    Wednesday, March 16, 2016 5:22 PM

Answers

  • ok so I discovered that the reason I couldn't enable users was because the server that I installed lync on didn't have permissions over my account in AD.

    as soon as I went into AD and added the machine to my AD account and gave it full rights to my AD account I was able to enable myself in LYNC and everything works great.

    so if I give my LYNC server full control over the OU that has all our users in it I'm fine HOWEVER I don't want to give it full control, I only want to give it what it needs.

    so here is where I am stuck. if I right click the OU go to properties>security>advanced>click add>browse to the machine name and click ok, I have a big list of permissions I can grant this machine over our users OU. a lot of them are msRTCSIP- stuff.

    can anyone tell me which permissions I need to check mark.

    can't seem to find a list of permissions that the Front End needs over the Users OU so i'm just leaving it for now. i'll remove the permissions after i enable everyone

    • Marked as answer by philipzempel Thursday, April 7, 2016 2:54 PM
    Thursday, April 7, 2016 2:54 PM

All replies

  • Follow the below TechNet article to run Lync2010 in multi Forest environment:

    https://technet.microsoft.com/en-us/library/gg670909(v=ocs.14).aspx


    Tek-Nerd

    Wednesday, March 16, 2016 6:48 PM
  • Hi,

    It is the supported topology for your case.

    Here is the supported topology:

    https://technet.microsoft.com/en-us/library/gg398173(v=ocs.14).aspx

    Please make sure that domain preparation has been run on every domain that hosts Lync Server and on every domain that holds users who will use Lync.

    When enabling a Lync account, try to use an account that is a member of CSAdministrator.

    Best Regards



    Eason Huang
    TechNet Community Support

    Thursday, March 17, 2016 7:02 AM
    Moderator
  • ok so I discovered that the reason I couldn't enable users was because the server that I installed lync on didn't have permissions over my account in AD.

    as soon as I went into AD and added the machine to my AD account and gave it full rights to my AD account I was able to enable myself in LYNC and everything works great.

    so if I give my LYNC server full control over the OU that has all our users in it I'm fine HOWEVER I don't want to give it full control, I only want to give it what it needs.

    so here is where I am stuck. if I right click the OU go to properties>security>advanced>click add>browse to the machine name and click ok, I have a big list of permissions I can grant this machine over our users OU. a lot of them are msRTCSIP- stuff.

    can anyone tell me which permissions I need to check mark.

    Thursday, March 17, 2016 5:11 PM
  • Hi,

    when you prepared all domains successfully (as described in the link posted by Eason) there should be a group named "RTCUniversalUserAdmins" which should already have all needed permissions for the user objects. So you only need to add the Lync server computer account to that group. It also should be part of "RTCUniversalServerAdmins".

    Normally these permissions are automatically set when you prepare the AD environment via the Deployment Wizard or via the PowerShell commands.

    Regards
    Dirk


    Friday, March 18, 2016 8:45 AM
  • Hi,

    when you prepared all domains successfully (as described in the link posted by Eason) there should be a group named "RTCUniversalUserAdmins" which should already have all needed permissions for the user objects. So you only need to add the Lync server computer account to that group. It also should be part of "RTCUniversalServerAdmins".

    Normally these permissions are automatically set when you prepare the AD environment via the Deployment Wizard or via the PowerShell commands.

    Regards
    Dirk


    yes my lync server is part of both those groups but it doesn't work. when i check the OU those groups have special permissions. so something in our world must be denying those groups write ability. "well i think" because if i add the server to the OU and give it write abilities we are all good. but the higher powers say giving it write capabilities over that ou is not secure so we need to know exactly which write permissions that server needs. or how i should edit the special permissions on those groups.
    Friday, March 18, 2016 4:10 PM
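
A read-only way to check the points raised above: which ACEs the RTCUniversal groups hold on the OU, whether any Deny ACE sits there, and whether a given user object inherits from the OU at all. This is an added example, not part of any post in the thread; the OU and user DNs are constructed placeholders.

```powershell
# Read-only audit: nothing here modifies AD.
# Assumes the RSAT ActiveDirectory module and a session on a machine joined to
# the domain that holds the OU. Both DNs are constructed placeholders.
Import-Module ActiveDirectory

$usersOu    = 'OU=Staff,DC=hc,DC=example,DC=com'
$sampleUser = 'CN=Test User,OU=Staff,DC=hc,DC=example,DC=com'

# Build a GUID -> name map so ACEs show attribute names (msRTCSIP-*, etc.)
# and property sets instead of raw GUIDs.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

function Show-Ace($aces) {
    $aces | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'AppliesTo';     e = { $guidMap[$_.ObjectType] } },
        @{ n = 'OnObjectClass'; e = { $guidMap[$_.InheritedObjectType] } },
        IsInherited
}

$ouAcl = Get-Acl -Path "AD:\$usersOu"

# 1. What the RTCUniversal* groups actually hold on the OU, and whether those
#    ACEs are inherited from above or set on the OU itself.
Show-Ace ($ouAcl.Access | Where-Object { $_.IdentityReference -like '*\RTCUniversal*' }) |
    Format-Table -AutoSize

# 2. Deny ACEs present on the OU.
Show-Ace ($ouAcl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }) |
    Format-Table -AutoSize

# 3. Does the user object inherit from the OU? If inheritance is blocked, ACEs
#    granted at the OU never reach the object. adminCount = 1 marks accounts
#    whose ACL is reset from AdminSDHolder with inheritance turned off.
$user = Get-ADUser -Identity $sampleUser -Properties adminCount, nTSecurityDescriptor
New-Object PSObject -Property @{
    User               = $user.DistinguishedName
    InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
    AdminCount         = $user.adminCount
}
```

The first table is also the least-privilege reference: it lists the exact attributes and property sets the Lync groups are granted, which is the set to compare against before handing a computer account Full Control.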
  • First you should check that you have run enable-CSADDomain or test- for this domain.

    Then you can run grant-CSOUPermission to set the correct Permission for your OU domain


    regards Holger Technical Specialist UC

    • Marked as answer by Eason HuangModerator Thursday, April 7, 2016 12:02 PM
    • Unmarked as answer by philipzempel Thursday, April 7, 2016 2:45 PM
    • Proposed as answer by Akampa Friday, April 8, 2016 1:33 AM
    Wednesday, March 23, 2016 7:35 AM
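
The sequence described in the reply above, written out for the Lync Server Management Shell. This is an added example, not part of the original thread; the domain FQDN and OU distinguished name are constructed placeholders.

```powershell
# Run in the Lync Server Management Shell with Domain Admins rights in the
# domain being prepared. The FQDN and OU DN are constructed placeholders.
$domain  = 'hc.example.com'
$usersOu = 'OU=Staff,DC=hc,DC=example,DC=com'

# 1. Check domain preparation for the domain that holds the users; run it only
#    if the check does not report the ready state.
$state = Test-CsAdDomain -Domain $domain
if ("$state" -ne 'LC_DOMAINSETTINGS_STATE_READY') {
    Enable-CsAdDomain -Domain $domain -Verbose
    $state = Test-CsAdDomain -Domain $domain
}
"Domain prep state for ${domain}: $state"

# 2. Where the users OU does not inherit the ACEs set by domain preparation,
#    grant the RTCUniversal* groups their rights on that OU directly, one
#    object type at a time, and verify each grant afterwards.
foreach ($type in 'User', 'Contact', 'InetOrgPerson') {
    if (-not (Test-CsOUPermission -ObjectType $type -OU $usersOu -Domain $domain)) {
        Grant-CsOUPermission -ObjectType $type -OU $usersOu -Domain $domain
    }
    New-Object PSObject -Property @{
        ObjectType = $type
        OU         = $usersOu
        Granted    = [bool](Test-CsOUPermission -ObjectType $type -OU $usersOu -Domain $domain)
    }
}
```

Because the grant goes to the RTCUniversal groups rather than to the Front End's computer account, any temporary Full Control ACE added for that account can be removed once every row reports `Granted = True`.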