Adding Domain or Enterprise Admins to Lync Server 2010

If you are like me, you already have your Lync Server 2010 RC environment up and built! While I had the Beta and Beta refresh environments already, I just needed to see that Lync logo! Anyway, if you are also like me, your accounts in your lab environment are all Domain Admins. Well, when you try to enable a Domain or Enterprise Admin for Lync, you get the error below:

Now, you probably have already added your account to the CSAdministrator group like the install told you to, and you obviously have access to the CSCP and can enable other users, so why not users in the Domain Admins group? I had that same question when I was deploying Exchange Server 2010 in beta a while ago and this seemed far too familiar.

First, here is a small security-related disclaimer: it is recommended best practice to give your administrators at least two accounts. One should be their everyday account, which they use to log into their PC and which is associated with Exchange and Lync. The other is an account that they use for tasks that require elevated access, such as AD-related tasks, server maintenance, etc.

With that being said, this issue can be resolved for both Exchange and Lync by performing the following:


First, open AD Users and Computers and turn on Advanced Features by navigating to View – Advanced Features. Now locate the user account that is a Domain or Enterprise Admin. Select Properties on the user and navigate to the Security tab as shown below.

Now select “Advanced”

You will notice that unlike every other user in your environment that is not a Domain Admin, these users will not have “Include inheritable permissions from this object’s parent” checked. In order to propagate the necessary permissions for Lync you should select this checkbox as shown below:

Next, you can retry enabling that user for Lync and it works!
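The same check and change can be made from PowerShell. This is an added example, not part of the original post: it lists every account flagged `adminCount=1` with its inheritance state, then re-enables inheritance on one account. It assumes the RSAT ActiveDirectory module is installed; `labadmin` is a hypothetical account name.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module,
# which also provides the AD: drive used by Get-Acl / Set-Acl below.
Import-Module ActiveDirectory

# Report the "Include inheritable permissions" state for protected accounts.
function Get-ProtectedAccountInheritance {
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        New-Object PSObject -Property @{
            SamAccountName      = $_.SamAccountName
            AdminCount          = $_.adminCount
            # True means the checkbox is cleared (inheritance blocked)
            InheritanceDisabled = $acl.AreAccessRulesProtected
        }
    }
}

# Re-enable inheritance on a single account. Supports -WhatIf / -Confirm.
function Enable-AccountInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity      # sAMAccountName or distinguished name
    )
    $user = Get-ADUser -Identity $Identity
    $path = "AD:\" + $user.DistinguishedName
    $acl  = Get-Acl -Path $path

    if (-not $acl.AreAccessRulesProtected) {
        Write-Verbose "$($user.SamAccountName): inheritance already enabled"
        return
    }
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
        # isProtected = $false turns inheritance back on; the second argument
        # is ignored when isProtected is $false.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}

# Audit first, then preview the change for one (hypothetical) account.
Get-ProtectedAccountInheritance | Sort-Object SamAccountName | Format-Table -AutoSize
Enable-AccountInheritance -Identity 'labadmin' -WhatIf
```

Accounts in protected groups have their ACL periodically reset from the AdminSDHolder object by the SDProp process, which clears the inheritance flag again, so run the Lync enable step soon after the change. Rerunning the report later shows whether the account has reverted.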


For a very detailed explanation of the issue and the resolution, the Microsoft Exchange Team has posted this blog. While it is directed at issues with ActiveSync and Exchange Server 2010, the issue is the same.


Categories: Lync
  1. soder
    October 27, 2011 at 3:07 pm

    Do you have to be a domain admin to enable another domain admin for Lync using the Lync PowerShell, or is it enough to be only a CSUserAdministrator?

    • October 27, 2011 at 3:18 pm

      You do not have to be a domain admin; CSAdministrator is more than enough (anyone that can enable another user for Lync can enable domain admins for Lync) as long as inheritance is turned on during the time period.
