Unable to enable user in Lync Server

Error message
 
Active Directory operation failed on <servername>. You cannot retry this operation: "Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BC1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.
 
Understanding AdminSDHolder and Protected Groups
http://policelli.com/blog/archive/2009/11/06/understanding-adminsdholder-and-protected-groups/
 
How to Determine if a User or Group is Protected by AdminSDHolder
 
To find all user objects in a domain that are protected by AdminSDHolder, type:
 

Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"

 

or, for more user-friendly output:

 

Get-ADUser -LDAPFilter "(admincount=1)" | select name

 

To find all groups in a domain that are protected by AdminSDHolder, type:

 

Get-ADGroup -LDAPFilter "(&(objectcategory=group)(admincount=1))"

 

or, for more user-friendly output:

 

Get-ADGroup -LDAPFilter "(admincount=1)" | select name

 

Removing the admincount setting

If the user is not supposed to be in a Protected Group, remove the groups that are nested members of the Protected Groups.

 

Link: http://community.spiceworks.com/how_to/show/2555-user-is-was-member-of-a-protective-group-in-aduc-and-how-to-reverse-that

 

Then change the admincount to 0 on the user account, either via ADUC and the Attribute Editor tab, or via the script available here:

 

http://support2.microsoft.com/?id=817433

 

The last thing to do is to re-enable security inheritance on the user account.

 

The procedure is almost the same when fixing a group, though you need to use ADSIEdit to remove the admincount setting instead of ADUC.
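
The user steps above can also be done from PowerShell. The following is an added example, not part of the original post or the linked Microsoft script. The function name, the list of protected groups and the account name 'jdoe' are assumptions; adjust them to your domain.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory
function Repair-FormerlyProtectedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Assumed list of protected groups; adjust it to your domain.
        [string[]] $ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
            'Administrators', 'Account Operators', 'Backup Operators',
            'Server Operators', 'Print Operators')
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount

    # Stop if the account is still a direct or nested member of a protected group:
    # the AdminSDHolder background process (SDProp) would set adminCount and the
    # protected ACL again on its next run.
    foreach ($name in $ProtectedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }   # group does not exist in this domain
        $hit = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }
        if ($hit) {
            throw "$SamAccountName is still a member of '$name' (directly or nested)."
        }
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Set adminCount to 0')) {
        Set-ADUser -Identity $user -Replace @{ adminCount = 0 }
    }

    # Re-enable permission inheritance on the object's security descriptor.
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    if ($acl.AreAccessRulesProtected -and
        $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }

    # Return the resulting state so the change can be verified.
    [pscustomobject]@{
        User             = $user.SamAccountName
        AdminCount       = (Get-ADUser $user -Properties adminCount).adminCount
        InheritanceBlock = (Get-Acl -Path $path).AreAccessRulesProtected
    }
}
# Constructed account name; -WhatIf shows the changes without applying them.
# Repair-FormerlyProtectedUser -SamAccountName 'jdoe' -WhatIf
```

Re-enabling inheritance does not remove the explicit permission entries that were copied onto the account from AdminSDHolder, so review the account's ACL afterwards.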

 

 
