locked
Active Directory operation failed on " ". You cannot retry this operation: "Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 RRS feed

  • Question

  • hi 

    i install skype2019 when enable any user  show this fault

    Active Directory operation failed on "my domain". You cannot retry this operation: "Insufficient access rights to perform the operation
    00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    ".You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Skype for Business Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Skype for Business Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Skype for Business Server 2019 Help.

    i see this solution   solution   but i think the solution is not good for any user do this.i think anywhere have wrong work

    Monday, December 31, 2018 11:23 AM

Answers

  • Hi hamed_forum,

    According to the error you provided, it seems the account which you used to open the SFB Control Panel does not have the permissions, please check whether the account is a member of CSAdministrator group or CSUserAdministrator group at first. 

    If the permission settings are true, please check the individual OU and all OUs to determine if security inheritance has been disabled at OU level, you could use the command Grant-CsOUPermission to check about this. You could refer to the following blog to find more details: QuickTip: Insufficient Access Rights Enabling Any Lync User. It is similar to the SFB Server 2019.

    Note: This response contains a reference to a third party World Wide Web site. Microsoft can make no representation concerning the content of these sites. Microsoft is providing this information only as a convenience to you: this is to inform you that Microsoft has not tested any software or information found on these sites and therefore cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software on the Internet.

    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    • Marked as answer by hamed_forum Tuesday, January 1, 2019 4:17 AM
    Tuesday, January 1, 2019 2:40 AM

All replies

  • Hi hamed_forum,

    According to the error you provided, it seems the account which you used to open the SFB Control Panel does not have the permissions, please check whether the account is a member of CSAdministrator group or CSUserAdministrator group at first. 

    If the permission settings are true, please check the individual OU and all OUs to determine if security inheritance has been disabled at OU level, you could use the command Grant-CsOUPermission to check about this. You could refer to the following blog to find more details: QuickTip: Insufficient Access Rights Enabling Any Lync User. It is similar to the SFB Server 2019.

    Note: This response contains a reference to a third party World Wide Web site. Microsoft can make no representation concerning the content of these sites. Microsoft is providing this information only as a convenience to you: this is to inform you that Microsoft has not tested any software or information found on these sites and therefore cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software on the Internet.

    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    • Marked as answer by hamed_forum Tuesday, January 1, 2019 4:17 AM
    Tuesday, January 1, 2019 2:40 AM
  • Agree with Evan but bear in mind also that as per message you got.

    You cannot use the Control Panel to change\add users who are members of the Domain Admins AD group.

    If that's the case, you need to use the SfB Management Shell to enable the user or make changes. (Using the Enable-CsUser cmdlet) Run SfB Management Shell as Administrator also.

    Regards

    Wednesday, January 2, 2019 10:03 AM