Lync Server 2010 Control Panel "Insufficient access rights to perform the operation"

    Question

  • I've implemented a Lync Server with a few hiccups along the way, but all services are running now.  When I log in to the control panel to add users, for anyone in the Administrators group, I'm getting the following error when I try to enable them.

    Active Directory operations failed on "my.server.com".  You cannot retry this operation: "Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"

    I've tried giving Administrator rights to the user CSAdministrator and RTCUniversalSystemAdmins, but still get the same result.

    Tuesday, September 14, 2010 3:09 PM

Answers

  • The problem is a known and common issue with Domain Administrators or Enterprise Administrators.  It is the recommendation that a user have an elevated privilege account that they use only when necessary and an everyday use account.  But you can still get this to work with an account that is a domain admin:

    If you turn Advanced Features on in AD Users and Computers, locate the user that is a domain admin, select the security tab, click advanced and select "Include Inheritable Permissions from this object's parent" on the user object, you will then be able to add them for Lync.

    Check this out for an explanation of the issue: http://msexchangeteam.com/archive/2009/09/23/452595.aspx

    While the link I have provided you is for ActiveSync and Exchange Server 2010, the same resolution applies.

    Mark


    Mark King | MCTS:UC Voice | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com
    • Marked as answer by hodd Tuesday, September 14, 2010 4:03 PM
    Tuesday, September 14, 2010 3:20 PM

All replies

  • Also, I just posted a new blog about this issue here:

    http://www.unplugthepbx.com/Lists/Posts/Post.aspx?ID=31

    Mark


    Mark King | MCTS:UC Voice | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com
    Tuesday, September 14, 2010 3:44 PM
  • That did it.  Thanks for your help and also for the blog.  I'm sure a few people will ask this again :)
    • Proposed as answer by AndyK47 Sunday, August 18, 2013 6:22 PM
    Tuesday, September 14, 2010 4:03 PM
  • The problem is a known and common issue with Domain Administrators or Enterprise Administrators.  It is the recommendation that a user have an elevated privilege account that they use only when necessary and an everyday use account.  But you can still get this to work with an account that is a domain admin:

    If you turn Advanced Features on in AD Users and Computers, locate the user that is a domain admin, select the security tab, click advanced and select "Include Inheritable Permissions from this object's parent" on the user object, you will then be able to add them for Lync.

    Check this out for an explanation of the issue: http://msexchangeteam.com/archive/2009/09/23/452595.aspx

    While the link I have provided you is for ActiveSync and Exchange Server 2010, the same resolution applies.

    Mark


    Mark King | MCTS:UC Voice | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com


    Although this does the work, it is still not recommended to enable super admins for Exchange/Lync in a production environment.

    Also valuable to note that by default Windows Server clears the "Include-Inheritable-Permissions" checkbox every one hour for super admins (see more information section of http://support.microsoft.com/kb/817433), so it is expected that you do this trick and it works for a while, but later on you need to repeat the trick again and again.

    In a word, do not enable super admins for Exchange/Lync.

    Monday, September 20, 2010 1:42 PM
  • OK, this didn't work for me. Is there anything else that it could be?
    Tuesday, September 21, 2010 5:08 PM
  • Hi ... I have the same problem; the above suggestion did not work for me either.
    Thursday, October 21, 2010 2:04 AM
  • We figured out our situation and it was indeed the dreaded AdminSDHolder value.  Accounts that did not have elevated rights had this value because at some point in time (before people got smart and started creating separate accounts) those accounts had elevated rights for some reason.  Until that is fixed they will be more difficult to administer.

    • Proposed as answer by sham4n Monday, May 21, 2012 6:30 AM
    Tuesday, December 14, 2010 3:30 PM
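
The situation described in the reply above (accounts still carrying the AdminSDHolder stamp after losing their elevated rights) can be audited with a read-only query. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory PowerShell module, English default group names, and an account allowed to read security descriptors.

```powershell
# Added example: read-only audit, changes nothing in the directory.
Import-Module ActiveDirectory

# Groups protected by AdminSDHolder by default (assumption: the defaults
# have not been altered through dsHeuristics; names are the English ones).
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators',
    'Print Operators', 'Server Operators', 'Replicator'

# Collect the DN of every direct or nested member of those groups.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }   # e.g. Enterprise Admins in a child domain
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
}

# Every user that SDProp has stamped carries adminCount = 1.
# Note: krbtgt is protected directly, not through group membership,
# so it is expected to show StillProtected = False.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            # True = "Include inheritable permissions" is unticked on the object.
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            # False = stale stamp: the account is no longer in a protected group.
            StillProtected      = $protectedMembers.ContainsKey($_.DistinguishedName)
        }
    } |
    Sort-Object StillProtected, SamAccountName |
    Format-Table -AutoSize
```

Rows with StillProtected = False and InheritanceDisabled = True are the stale accounts, where re-enabling inheritance will persist; for rows with StillProtected = True the setting is reset again, as the earlier reply citing KB 817433 notes.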
  • simple cmdlet is your solution
    Enable-CsUser -Identity "Administrator" -RegistrarPool your.domain.name -SipAddressType EmailAddress
    • Proposed as answer by Raul12 Sunday, January 8, 2012 7:08 PM
    Tuesday, January 18, 2011 4:58 PM
  • http://www.unplugthepbx.com/Lists/Posts/Post.aspx?ID=31

     

    Do I need to do it for each and every user? Can I create a group and add the users in that group and allow them with inheriting the permission? By doing it, would it impact any permission changes on the AD file level permissions etc.?

     

    thanks in advance.

    Monday, January 24, 2011 5:26 PM
  • I also have the described error. I can move/edit users via PowerShell, but that is not OK, because our administrators want to configure users via GUI. That's why I have to fix this error. I am getting the error on all users (all users are members of different groups, but not domain or enterprise admins). For example, they are members of Domain Users or Print Operators built-in groups.

    I created dummy user, which is not member of any group. In that case, editing is working. But that is not a solution, because our users have to be in groups.

    Attached is the error I am getting when I try to edit a user (which is not a member of domain or enterprise admins).

    Any idea how to solve problem will be appreciated.

    Regards

    Shrani.si

     



    Friday, March 11, 2011 8:15 AM
  • Hello,

     

    I have tried all that is suggested previously but nothing works for me. Is there another solution to this? I'm running my Lync Server on a Hyper-V guest and have installed and uninstalled several times but still no luck. Can someone assist me? I am in dire need of help and am just banging my head against the wall with no solution.

     

    Thank You

    Friday, April 8, 2011 2:57 AM
  • Same issue here.  It happens to me with users that are not domain admins


     

    Thursday, May 5, 2011 3:08 PM
  • The problem is a known and common issue with Domain Administrators or Enterprise Administrators.  It is the recommendation that a user have an elevated privilege account that they use only when necessary and an everyday use account.  But you can still get this to work with an account that is a domain admin:

    If you turn Advanced Features on in AD Users and Computers, locate the user that is a domain admin, select the security tab, click advanced and select "Include Inheritable Permissions from this object's parent" on the user object, you will then be able to add them for Lync.

    Check this out for an explanation of the issue: http://msexchangeteam.com/archive/2009/09/23/452595.aspx

    While the link I have provided you is for ActiveSync and Exchange Server 2010, the same resolution applies.

    Mark


    Mark King | MCTS:UC Voice | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com

    Thanks, I've got that issue, now I have just fixed it.
    Saturday, May 28, 2011 6:25 AM
  • Hi,

    I also have this problem, but a bit different: when I apply the settings and try, it works only one time; and if I try to add another (2nd/3rd etc.) user then it doesn't work. Any help will be appreciated.

     

    Thanks


    Ashraf www.MrOffice365.com
    Monday, June 20, 2011 7:26 PM
  • Ashraf,

    For Domain admins & enterprise admins, the "Include Inheritable Permissions" permission reverts back to the original setting after some time. So you need to again enable the "Include Inheritable Permissions" tab for Domain Administrators or Enterprise Administrators for Lync.

    http://www.mytricks.in/2011/08/microsoft-lync-2010-insufficient-access.html


    www.mytricks.in www.geeklogs.com
    Wednesday, August 3, 2011 5:00 AM
  • I'm having the same problem for FIM synchronized Lync contacts. Any idea?
    Tuesday, February 21, 2012 1:41 PM
  • The problem is a known and common issue with Domain Administrators or Enterprise Administrators.  It is the recommendation that a user have an elevated privilege account that they use only when necessary and an everyday use account.  But you can still get this to work with an account that is a domain admin:

    If you turn Advanced Features on in AD Users and Computers, locate the user that is a domain admin, select the security tab, click advanced and select "Include Inheritable Permissions from this object's parent" on the user object, you will then be able to add them for Lync.

    Check this out for an explanation of the issue: http://msexchangeteam.com/archive/2009/09/23/452595.aspx

    While the link I have provided you is for ActiveSync and Exchange Server 2010, the same resolution applies.

    Mark


    Mark King | MCTS:UC Voice | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com

    Working....tnx
    Tuesday, February 26, 2013 9:44 AM
  • Thank you! It works for me!

    Regards!

    Thursday, October 24, 2013 3:43 PM
  • This is pretty annoying; it seems to do it for the "print operators" group too. I suspect it might do it for any built-in group that has more perms than "users".
    Thursday, January 8, 2015 7:51 PM
  • Ta - fixed it pronto :)
    Friday, February 20, 2015 4:53 AM