give CSUserAdministrator to users in another domain

  • Question

  • I was trying to give the helpdesk individuals access to the CSUserAdministrator group. I created a domain local group and pulled in the users, but now I can't add the new domain local group.

    Any other options?

    Thank you

    Tuesday, December 23, 2014 5:55 PM

Answers

  • Ah ok... if the users are in a different forest then I'm afraid there is no way to manage / administer the Lync environment (which is in a different forest) with their native AD credentials.

    You will need to provision an administrative account for them to use in the Lync forest, place that account in the required groups (CsUserAdministrator in your case), and have them use those credentials to conduct their administrative tasks.

    This is due to the Active Directory group limitations that I mentioned in my first post. You cannot convert the Lync universal CS groups to domain local groups in order to accomplish this either. This would break your Lync environment, as the expected group type is 'universal'.

    Kind regards
    Ben


    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.

    For Fun: Gecko-Studio | For Work: Nexus Open Systems

    • Edited by Ben Donaldson Tuesday, December 30, 2014 11:54 AM
    • Marked as answer by Eason Huang Monday, January 5, 2015 7:49 AM
    Tuesday, December 30, 2014 11:54 AM
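
The approach in the marked answer (a dedicated account in the Lync forest, added directly to the universal role group), as an added PowerShell example that is not from the thread or from Microsoft's documentation. The domain, OU and user names are hypothetical placeholders; it assumes the ActiveDirectory module and rights to create users in that OU.

```powershell
# Added example. Run in the Lync (resource) forest; all names are hypothetical.
Import-Module ActiveDirectory

$LyncDomain  = 'lync.example.com'                              # assumption: Lync forest domain
$AdminOU     = 'OU=Helpdesk Admins,DC=lync,DC=example,DC=com'  # assumption: OU for admin accounts
$RoleGroup   = 'CSUserAdministrator'
$HelpdeskIds = 'jdoe', 'asmith'                                # constructed sample users

# Confirm the role group is still universal; the answer warns that
# converting it to another scope would break the Lync environment.
$group = Get-ADGroup -Identity $RoleGroup -Server $LyncDomain
if ($group.GroupScope -ne 'Universal') {
    throw "$RoleGroup has scope $($group.GroupScope); expected Universal."
}

foreach ($id in $HelpdeskIds) {
    $sam = "adm-$id"   # separate, clearly named admin identity in the Lync forest
    $existing = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Server $LyncDomain
    if (-not $existing) {
        $password = Read-Host -AsSecureString -Prompt "Initial password for $sam"
        New-ADUser -Name $sam -SamAccountName $sam `
            -UserPrincipalName "$sam@$LyncDomain" -Path $AdminOU `
            -AccountPassword $password -ChangePasswordAtLogon $true `
            -Enabled $true -Server $LyncDomain `
            -Description "Lync user administration for helpdesk user $id (other forest)"
    }

    # An account from the same forest is an accepted member of a universal group.
    $members = Get-ADGroupMember -Identity $group -Server $LyncDomain
    if ($members.SamAccountName -notcontains $sam) {
        Add-ADGroupMember -Identity $group -Members $sam -Server $LyncDomain
    }
}

# Review who holds the role, including members that arrive through nested groups.
Get-ADGroupMember -Identity $group -Recursive -Server $LyncDomain |
    Select-Object SamAccountName, objectClass, distinguishedName
```

Keeping these accounts in their own OU and giving them only this one role group makes the final membership listing easy to audit.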

All replies

  • Hi,

    The CsUserAdministrator group is a universal AD group. You cannot add domain local groups as members of universal groups. Accepted members of universal groups include:

    - Accounts from any domain within the same forest as the universal group

    - Global groups from any domain in the same forest

    - Other universal groups from any domain in the same forest

    You will need to use one of the above (such as using a global group instead of domain local), and nest that in the CsAdministrator group in order to achieve what you want.

    Kind regards
    Ben



    • Edited by Ben Donaldson Tuesday, December 23, 2014 7:05 PM
    • Proposed as answer by Eason Huang Wednesday, December 24, 2014 6:48 AM
    Tuesday, December 23, 2014 7:05 PM
  • The users are in a different forest with a trust.
    Wednesday, December 24, 2014 4:09 PM
  • Hi,

    It is impossible to add a domain local group as a member of a universal group.

    You can try to change the Domain local group scope to Universal Group scope and test again.

    More details:

    http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx

    Best Regards,
    Eason Huang


    Eason Huang
    TechNet Community Support


    • Edited by Eason Huang Monday, January 5, 2015 7:49 AM
    Thursday, December 25, 2014 8:19 AM