Lync enabling or making Lync changes to a user who is or was a member of the Domain Admins security group

There are already a number of forum posts floating around on this, but it’s something I found out about the hard way, so I’ll blog it in the hope it helps someone else out.

While attempting to make a change to my own Lync user (on a sandpit development environment I’d like to add!) I was presented with the following operation failed error...


Active Directory operation failed on . You cannot retry this operation: “Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0”.
You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.

I also found the following errors in the application event log...

Login failed for user 'OS\Dave.Simm'. Reason: Failed to open the explicitly specified database. [CLIENT: 89.31.238.2]

At this point it’s convenient to mention that I was going against all best practice and Microsoft security models known to man. This is a sandpit/development Lync environment with no other products installed and with only a handful of IT users on it. What had I done that was against best practice? I had added my own everyday SIP-enabled Lync user into the Domain Admins and CSAdministrators groups. Any Active Directory administrator worth their salt will frown heavily upon this. Admins/engineers should always have two accounts: a normal everyday user account for Lync, Exchange and SharePoint, and an admin account with elevated privileges for running admin procedures.


So, realising the error of my ways, and being pointed in the right direction by the fairly helpful error messages, I took my account out of the Domain Admins group, logged out, and logged back in using my LyncAdmin user. This user isn’t Lync enabled and is purely an admin account. Only to hit exactly the same issue.
Adding a user account to the Domain Admins group changes the way advanced security permissions are propagated to and inherited by that user account, and simply removing the account from the group does not undo those changes. To reverse them you have to re-enable inheritance of permissions on the user object. From dsa.msc (Active Directory Users & Computers) make sure that you are viewing advanced features: from the View menu select Advanced Features.


Find the user in question, open the user’s properties, click the Security tab, then click Advanced. Tick the “Include inheritable permissions from this object’s parent” box to re-propagate the required permissions.




Retry any Lync user changes and this time they should be successful.
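The same repair can be done from PowerShell, which is useful when more than one account has been through a protected group. The script below is an added example and not code from the original post. It assumes the RSAT ActiveDirectory module (Get-ADUser, Get-ADGroupMember, Set-ADUser and the AD: drive) and a session running as a Domain Admin; the $ProtectedGroups list is a constructed set of the common AdminSDHolder-protected groups and should be checked against your forest. It only touches users who are no longer in any protected group: for accounts that are still members, the AdminSDHolder process would re-block inheritance and re-stamp adminCount=1 on its next periodic run, so re-enabling inheritance on those would be both pointless and a weakening of a deliberate protection.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and a session running as a Domain Admin.
Import-Module ActiveDirectory

# Constructed list of protected groups whose members SDProp stamps with
# adminCount=1; extend it to match the protected set in your forest.
$ProtectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'
)

function Get-ProtectedMemberDN {
    # Expand every (nested) member of the protected groups once, so each user
    # is checked against one set instead of walking group membership per user.
    $dns = foreach ($g in $ProtectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                Select-Object -ExpandProperty DistinguishedName
        } catch {
            Write-Warning "Could not expand group '$g': $($_.Exception.Message)"
        }
    }
    $dns | Sort-Object -Unique
}

function Get-OrphanedAdminCountUser {
    # Users still stamped adminCount=1 (and usually with inheritance blocked)
    # but no longer in any protected group: exactly the state the post describes.
    $protected = @(Get-ProtectedMemberDN)
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        Where-Object { $protected -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName, adminCount,
            @{ n = 'InheritanceBlocked'; e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }
}

function Repair-OrphanedAdminCountUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance and clear adminCount')) {
            # Same effect as ticking "Include inheritable permissions from this
            # object's parent" in dsa.msc: un-protect the DACL so parent ACEs flow in.
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            $acl.SetAccessRuleProtection($false, $true)   # $false = inherit again; 2nd arg is then ignored
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
            # Clearing adminCount keeps the object out of future SDProp sweeps; it is
            # only re-stamped if the user is added to a protected group again.
            Set-ADUser -Identity $DistinguishedName -Clear adminCount
        }
    }
}

# Usage: list first, then dry-run the repair, then run it for real.
Get-OrphanedAdminCountUser | Format-Table -AutoSize
# Get-OrphanedAdminCountUser | Repair-OrphanedAdminCountUser -WhatIf
# Get-OrphanedAdminCountUser | Repair-OrphanedAdminCountUser
```

Get-OrphanedAdminCountUser reports the InheritanceBlocked flag read from the object's own security descriptor, so you can confirm the list before changing anything; Repair-OrphanedAdminCountUser supports -WhatIf and -Confirm, and after it has run the Lync user change that failed should go through.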

10 comments:

  1. Thanks, that was giving me some grief!

  2. Cheers Dave that was bugging the hell out of me, I ended up doing it using Management Shell cmdlets!

  3. Hello,

    Also keep in mind that AD itself will reset the user object to "disable inheritance" after "a while" because the adminCount property exists on the user object (approx. 40 minutes).

    See the following links for more information:
    http://support.microsoft.com/kb/817433
    http://enterpriseadminanon.blogspot.com/2009/05/that-admincount-adminsdholder-and.html


    Regards,

    Rikard Strand

    1. Hi Rikard,

      Thanks for that info!

      Using the Quest AD cmdlets, here's how you find the problem users, then change their adminCount to 0 to keep the inheritance set:

      Get-QADUser -IncludedProperties adminCount | select userPrincipalName, adminCount

      <>

      Set-QADUser username@domain.com -ObjectAttributes @{adminCount=0}

      Thanks,

      Amanda Debler

  4. Thanks - worked perfectly straight away!

  8. Hello,

    I solved it with your tutorial. Now, do I have to disable inheritance, or can I leave it enabled?

    Regards
