Error accessing Lync File Share - Attempted to perform an unauthorized operation

  • Question

  • Hi Everybody,

     

    I am currently installing a second Lync Pool in our customer's environment and am encountering a problem concerning File Shares:

     

    When enabling the new Topology, the error "Error accessing share \\<server\share - Attempted to perform an unauthorized operation" occurs. The error occurs for the "new" file share of the "new" pool as well as for the file share of the "old" pool, which was installed half a year ago without any issues.

     

    However, all folders in the share are created and are assigned NTFS permissions successfully. The Installation account has Full Control on the file shares.

    On TechNet I found an article saying that one “should” grant the Installation Account local Admin rights on the file share for the time of the installation. As a Unix based machine without complete AD-Integration is used to host the file shares this cannot be accomplished.

     

    In a Wireshark trace the errors "WERR_ACCESS_DENIED" and "Unknown Result (3), reason: Reason not specified" can be found when filtering for traffic to the file share (ip.addr==172.18.107.132). Unfortunately the File Share Admin could not help me in this case.

     

    Attached you can find the deployment log and Wireshark Trace.

     

    Maybe someone has encountered a similar problem or has an idea how to track down the problem?

     

    Many thanks and best regards

     

    Stefan

    Wednesday, July 13, 2011 11:19 AM

Answers

  • Hi, Stefan,

    So you mean your new share folder for Lync is located on a Unix-based system, and the Lync installation account doesn't have local administrator privileges, right?

    For publishing the topology, you should ensure that the person running Topology Builder has the following permissions and group memberships: member of Local Administrator, member of Domain Users, full control on the share and folder of the file store.

    In your case, I suggest you create a new share folder on a Windows-based system for convenience, since UNIX- and Windows-based operating systems use different directories and access control mechanisms. The other option is using Microsoft Windows Services for UNIX (SFU) to do a user name mapping, but it requires a lot of work. For more details about SFU, please look at the TechNet document http://technet.microsoft.com/en-us/library/bb463212.aspx#ECAA.

    Regards,

    Sharon

    Friday, July 15, 2011 6:20 AM
    Moderator
  • Stefan.

    I will probably have a pretty unpleasant answer for you which would be to not use a Unix based file store.  I have a feeling they aren't giving adequate access to the share/security which would be required for the installer account.  The topology builder will access the file share, create folders and set appropriate security which is most likely where it is failing.

    Mark


    Mark King | MVP: Lync Server | MCTS:UC Voice | MCITP x3 :Lync, Enterprise Messaging 2010, EA | MCSE: Messaging | blog.unplugthepbx.com
    Wednesday, July 13, 2011 11:59 AM

All replies

  • Hi Mark,

    I am also experiencing this same error. We are using a CIFS/SAMBA appliance that has full AD integration. We've set the permissions on the Windows share and the share on the appliance to the same configuration, but the Windows share works and the appliance does not. We even gave all accounts and computer objects full control to the share and the file structure under the share and added them to the local administrators group for the computer object in AD. Please provide a more technical explanation on what you think the issue may be.

    Regards,

    Antwan


    Friday, July 15, 2011 7:22 PM
  • All,

    Connect to AD and browse to the computer object associated with the share. Give full control to the share via the computer object. Grant full control to the security tab and add all accounts to the local administrator group of the computer object. This will get you working for a Linux server providing the share.

    Regards,

    Antwan

     

    • Proposed as answer by efhutn Friday, July 15, 2011 8:17 PM
    Friday, July 15, 2011 8:17 PM
  • I ran into the same issue with the share being on a NAS running CIFS/SAMBA as well. I moved it to a Windows share thinking that might be the reason but it didn't make any difference. The only way to successfully deploy the topology was if I am a member of the domain admin group despite the fact that I delegated the necessary permissions using the following commands:

    Grant-CsSetupPermission -ComputerOU "OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local"

    Grant-CsOUPermission -OU "OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local" -ObjectType "user"

    Without Domain Admin, I am able to access the share and create folders. Despite the failure publishing the topology, all folders are created successfully on the share and I can see the permissions were changed as well, which tells me it was successful for the most part. I just don't understand the error or what to make out of it. I would like to see a successful completion.

    Friday, September 2, 2011 5:07 AM
  • Hi Tarreq,

    I also added my user to the local admin group of the server with the share. That solved this error for me. So the user is a member of the RTCUniversalServerAdmin, local Admin of the Lync FE, Domain user, and has full access to the share and full NTFS permission to all folders.


    regards Holger Technical Specialist UC
    Sunday, October 30, 2011 5:13 PM
  • We are using a Windows Share on a Windows 2008 server. I set read/change permissions to group RTCUniversalConfigReplicator directly on Windows Share and re-published the topology, with no errors. Replication is running correctly now.
    Andre R. Seitz
    Wednesday, December 21, 2011 1:17 PM
  • "For publishing topology, you should ensure that the person running Topology Builder has the following permissions and group memberships: members of Local Administrator, member of Domain Users, full control on share and folder of file store."

    Thanks so much!  This worked for me!  :)


    John K. Boslooper Windows Server Administrator UT Dallas

    Monday, June 4, 2012 10:10 PM
  • Run the topology builder as an Administrator.

    So right click and "Run as Administrator"

    • Proposed as answer by UCC Consultant Thursday, November 15, 2012 2:19 PM
    Wednesday, October 31, 2012 9:00 AM
  • Hi

    I had an issue while publishing the topology; it throws this error:

    "Failed adding "AccessRead" permissions for "RTCComponentUniversalServices" on "\\Lync-new.domainname\share". Access control list (ACL) might fail on UNIX file shares. Refer to the deployment guide to manually set the ACLs in the file share."

    Could you help me out on this ...

    Regards

    Rajesh

    Thursday, November 8, 2012 6:25 AM
  • Awesome, this is the fix, nice one!
    Friday, April 26, 2013 9:15 AM
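
Added example (not from any poster in this thread, and not Microsoft's code): a PowerShell preflight for the conditions the replies above point to, namely whether the session that will run Topology Builder is elevated and whether the Lync groups named in the thread appear in the NTFS ACL of the share root. The UNC path is a hypothetical placeholder, and only the NTFS ACL is read, not the share-level permissions.

```powershell
# Added example: preflight check before publishing a Lync topology.
# $SharePath is a hypothetical placeholder; the groups are the ones named in this thread.
param(
    [string]$SharePath = '\\fileserver.example.local\LyncShare',
    [string[]]$ExpectedGroups = @(
        'RTCUniversalConfigReplicator',
        'RTCComponentUniversalServices'
    )
)

function Test-Elevated {
    # True when the current process holds an elevated local Administrators token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ShareAclReport {
    param([string]$Path, [string[]]$Groups)

    # Get-Acl reads the NTFS security descriptor of the share root over SMB.
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($group in $Groups) {
        # IdentityReference is "DOMAIN\name"; match on the name part only.
        $entries = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -match ('\\' + [regex]::Escape($group) + '$')
        })
        New-Object PSObject -Property @{
            Group   = $group
            Present = ($entries.Count -gt 0)
            Rights  = ($entries | ForEach-Object {
                "$($_.AccessControlType):$($_.FileSystemRights)"
            }) -join '; '
        }
    }
}

"Elevated session : $(Test-Elevated)"
"Current identity : $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
try {
    Get-ShareAclReport -Path $SharePath -Groups $ExpectedGroups |
        Select-Object Group, Present, Rights | Format-Table -AutoSize
} catch {
    # A failure here means the ACL cannot even be read with the current credentials.
    "Could not read ACL on ${SharePath}: $($_.Exception.Message)"
}
```

Entries that Windows cannot resolve to an account name are returned by Get-Acl as raw SIDs, so they show as not present in this report.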