Lync enabling or making Lync changes to a user who is or was a member of the Domain Admins security group

There are already a number of forum posts floating around on this, but it’s something I found out about the hard way, so I’ll blog it in the hope it helps someone else out.

While attempting to make a change to my own Lync user (on a sandpit development environment, I’d like to add!) I was presented with the following “operation failed” error...

Active Directory operation failed on . You cannot retry this operation: “Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0”.
You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.

I also found the following errors in the application event log...

Login failed for user 'OS\Dave.Simm'. Reason: Failed to open the explicitly specified database. [CLIENT:]

At this point it’s convenient to mention that I was going against all best practice and every Microsoft security model known to man. This is a sandpit/development Lync environment with no other products installed and only a handful of IT users on it. What had I done that was against best practice? I had added my own everyday SIP-enabled Lync user into the Domain Admins and CSAdministrator groups. Any Active Directory administrator worth their salt will frown heavily upon this. Admins and engineers should always have two accounts: a normal everyday user account for Lync, Exchange and SharePoint, and a separate admin account with elevated privileges for administrative tasks.

So, realising the error of my ways, and having been pointed in the right direction by the fairly helpful error messages, I took my account out of the Domain Admins group, logged out, and logged back in using my LyncAdmin user. This user isn’t Lync enabled and is purely an admin account. I then hit exactly the same issue.

Adding a user account to the Domain Admins group changes the way advanced security permissions are propagated to and inherited by that account: inheritance from the parent container is switched off. Taking the account back out of the group does not reverse this, so you have to re-enable inheritance yourself. From dsa.msc (Active Directory Users & Computers), make sure that you are viewing advanced features: from the View menu select Advanced Features.

Find the user in question, open the user’s properties, click the Security tab, then click Advanced. Tick the “Include inheritable permissions from this object’s parent” tick box to re-propagate the required permissions.

Retry any Lync user changes and this time they should be successful.
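The same check and fix from the command line, as an added example that is not part of the original post: it reports whether the account still carries the adminCount stamp and blocked inheritance, and then re-enables inheritance (the equivalent of the tick box above). It assumes the ActiveDirectory RSAT module is available, that you are logged on with Domain Admins rights, and the sAMAccountName is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and a Domain Admins logon. Replace the placeholder account.
Import-Module ActiveDirectory

$sam  = 'Dave.Simm'   # placeholder: the user that can no longer be Lync-managed
$user = Get-ADUser -Identity $sam -Properties adminCount, memberOf

# adminCount=1 is the footprint left behind by the protected-group
# processing; it is NOT cleared when the user leaves the group.
"adminCount         : $($user.adminCount)"

# If the account is still in a protected group, inheritance will be
# switched off again (roughly hourly), so remove it from these first.
$protected = '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators|' +
             'Account Operators|Server Operators|Backup Operators|Print Operators),'
$stillIn = @($user.memberOf | Where-Object { $_ -match $protected })
"Protected groups   : $($stillIn -join '; ')"

# Read the user's ACL through the AD: PowerShell drive
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path
"Inheritance blocked: $($acl.AreAccessRulesProtected)"

if ($acl.AreAccessRulesProtected -and $stillIn.Count -eq 0) {
    # Same as ticking "Include inheritable permissions from this object's parent".
    # First argument $false = allow inheritance; second is ignored in that case.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    "Inheritance re-enabled for $sam"

    # Optional: drop the adminCount stamp so the account reads as an ordinary user
    Set-ADUser -Identity $sam -Clear adminCount
}
```

Re-run the block afterwards: it should report no protected groups, inheritance not blocked, and an empty adminCount before you retry the Lync change.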