Error message
Active Directory operation failed on <servername>. You cannot rety this operation: "Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BC1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for examle, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.
Understanding AdminSDHolder and Protected Groups
How to Determine if a User or Group is Protected by AdminSDHolder
To find all user objects in a domain that are protected by AdminSDHolder, type:
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
or for a more user friendly output:
Get-ADUser -LDAPFilter "(admincount=1)" | select name
To find all groups in a domain that are protected by AdminSDHolder, type:
Get-ADGroup -LDAPFilter "(objectcategory=group)(admincount=1)"
or for a more user friendly output:
Get-ADGroup -LDAPFilter "(admincount=1)" | select name
Removing the admincount setting
If the user is not supposed to be in a Protected Group, remove the groups that are nested members of the Protected Groups.
Link: http://community.spiceworks.com/how_to/show/2555-user-is-was-member-of-a-protective-group-in-aduc-and-how-to-reverse-that
Then change the admincount to 0 on the user account, either vi ADUC and the Attribute Editor tab, or via the script available here:
http://support2.microsoft.com/?id=817433
Last thing to do is to activate security inheritance on the user account.
The procedure is almost the same when fixing a group, though you need to use ADSIEdit to remove the admincount setting instead of ADUC.
