Thursday, July 14, 2011

Enabling Protected Security Groups (domain admins) in Lync 2010

After installing and getting my Lync 2010 server up and running, I was ready to enable and add myself to the Lync server. I logged into the Admin Console for Lync and added myself with all the correct options. Then I clicked "Enable" and got this error:

Active Directory operation failed on "<domain controller>". You cannot retry this operation: "Insufficient access rights to perform the operation"

What do you mean I don't have rights? I'm a Domain Admin, for crying out loud! So, on to troubleshooting my rights. I have rights in AD. The Lync server can contact the domain with no problem. Everything looked fine. Then I found that my user account was in a "Protected Security Group" by virtue of being a Domain Admin.

The cause is the AdminSDHolder mechanism in Active Directory. Members of protected groups (Enterprise Admins, Domain Admins, Schema Admins, Administrators, Account Operators, Server Operators, Backup Operators, Print Operators and a few built-in accounts) are stamped with adminCount=1, and the Security Descriptor Propagator (SDProp) on the PDC emulator periodically replaces their ACL with the one on the AdminSDHolder object and turns off inheritance. Lync 2010 writes its user attributes using permissions that are inherited from the domain or OU (granted to the RTC universal groups during Active Directory preparation), so on a protected account those permissions are simply not there, and the enable operation fails with "Insufficient access rights". Before you enable or change such a user in Lync 2010, you have to re-enable inheritance on the user object:

"Include inheritable permissions from this object's parent"

Steps to change this setting:

1. Open Active Directory Users and Computers (ADUC)
2. Connect to a domain controller close to the Lync server (so the ACL change and the Lync write land on the same DC and you are not waiting on replication)
3. Enable advanced features: View > Advanced Features (otherwise the Security tab is not shown)
4. Open the properties of the user account that you are enabling
5. Click on the "Security" tab
6. Click on "Advanced"
7. Check the box "Include inheritable permissions from this object's parent"
8. "OK" all the way back to ADUC
9. Enable the user in the Lync admin console right away

This will allow you to enable them in the Lync server. Be aware that this is a temporary window, not a fix: SDProp runs every 60 minutes by default (the interval is configurable in the registry on the PDC emulator) and will re-apply the AdminSDHolder ACL, clearing the inheritance box again. That is by design; the protection exists so that a delegated OU admin cannot take over a Domain Admin account by editing inherited permissions, so do not try to make the change permanent. The cleaner long-term answer is to not enable privileged accounts for Lync at all: use a separate, non-privileged account for day-to-day sign-in and keep the Domain Admin account out of Lync. The same AdminSDHolder behaviour also affects Exchange, and there is a TechNet article that explains it in more depth.
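The same procedure from the Lync Server Management Shell, as an added example that is not part of the original post: it checks whether the account is protected (adminCount=1), inspects whether inheritance is currently blocked on the user object, re-enables inheritance (the PowerShell equivalent of ticking the box above), and then enables the user in Lync immediately, before SDProp re-protects the account. The user name "jdoe", the domain "contoso.com" and the pool "lyncpool01.contoso.com" are assumptions for illustration; the ActiveDirectory and Lync modules are the real ones shipped with Windows Server and the Lync Server administrative tools.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and Lync
# modules are installed and that you are running as an account that has WriteDacl
# on the target user (a Domain Admin does). Names below are assumptions.
Import-Module ActiveDirectory
Import-Module Lync

$sam       = 'jdoe'                       # assumption: account to enable
$sipDomain = 'contoso.com'                # assumption: SIP domain
$pool      = 'lyncpool01.contoso.com'     # assumption: Registrar pool FQDN

$user = Get-ADUser -Identity $sam -Properties adminCount
$dn   = $user.DistinguishedName

# adminCount=1 means SDProp has stamped this account with the AdminSDHolder ACL.
if ($user.adminCount -eq 1) {
    Write-Warning "$sam is a protected (AdminSDHolder) account; inheritance will be blocked."
}

# Read the DACL through the AD: drive. AreAccessRulesProtected = $true means
# "Include inheritable permissions from this object's parent" is unchecked.
$acl = Get-Acl -Path "AD:\$dn"
Write-Output "Inheritance blocked before: $($acl.AreAccessRulesProtected)"

if ($acl.AreAccessRulesProtected) {
    # First argument $false = allow inheritance; second $true = keep the
    # explicit ACEs that are already on the object instead of dropping them.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Write-Output "Inheritance re-enabled on $dn"
}

# Enable the user straight away: SDProp (every 60 minutes by default) will
# re-apply the AdminSDHolder ACL and block inheritance again.
Enable-CsUser -Identity $sam `
              -RegistrarPool $pool `
              -SipAddressType SamAccountName `
              -SipDomain $sipDomain

# Confirm the result.
Get-CsUser -Identity $sam | Select-Object SipAddress, Enabled, RegistrarPool

# Optional: list every protected account in the domain, i.e. everyone who will
# hit the same "Insufficient access rights" error when enabled for Lync.
Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty SamAccountName
```

Run the whole script in one go; if you pause between re-enabling inheritance and Enable-CsUser for long enough for SDProp to fire, the enable will fail again with the same error. The final query is also a useful pre-check before a bulk enablement, since any account it returns needs this treatment (or, better, should not be enabled for Lync at all).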
