Unable to enable user in Lync Server

Error message

Active Directory operation failed on <servername>. You cannot retry this operation: "Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BC1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.

Understanding AdminSDHolder and Protected Groups
http://policelli.com/blog/archive/2009/11/06/understanding-adminsdholder-and-protected-groups/

How to Determine if a User or Group is Protected by AdminSDHolder

To find all user objects in a domain that are protected by AdminSDHolder, type (the cmdlets come from the ActiveDirectory PowerShell module; several LDAP clauses must be wrapped in an "&" to form a valid filter):

Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"

or for a more user friendly output:

Get-ADUser -LDAPFilter "(admincount=1)" | select name

To find all groups in a domain that are protected by AdminSDHolder, type:

Get-ADGroup -LDAPFilter "(&(objectcategory=group)(admincount=1))"

or for a more user friendly output:

Get-ADGroup -LDAPFilter "(admincount=1)" | select name

Removing the admincount setting

If the user is not supposed to be in a Protected Group, remove the user from those groups, including any group that is nested inside a Protected Group (SDProp does not clear the flag by itself once the membership is gone).

Link: http://community.spiceworks.com/how_to/show/2555-user-is-was-member-of-a-protective-group-in-aduc-and-how-to-reverse-that

Then change the admincount to 0 on the user account, either via ADUC (the Attribute Editor tab) or via the script available here:

http://support2.microsoft.com/?id=817433

The last step is to re-enable security inheritance on the user account, which SDProp disabled while the account was protected.

The procedure is almost the same when fixing a group, though you need to use ADSIEdit to remove the admincount setting instead of ADUC.
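As an added example (not part of the original post), the following PowerShell script automates the check and the clean-up described above: it lists users still carrying adminCount=1, reports which of them no longer belong to any protected group (nested membership included), and with -Fix clears adminCount and re-enables ACL inheritance. It assumes the ActiveDirectory RSAT module, an account permitted to modify the user objects, and user DNs without LDAP special characters; the helper name Get-NestedGroupDns is my own.

```powershell
# Added example, not from the original post. Report (and with -Fix, repair)
# users whose adminCount=1 is orphaned, i.e. no longer backed by membership
# in an AdminSDHolder-protected group. Assumes the ActiveDirectory module.
param(
    [switch]$Fix   # run without -Fix to report only
)
Import-Module ActiveDirectory

# Protected groups are the ones that carry adminCount=1 themselves.
$protectedGroups = @(Get-ADGroup -LDAPFilter "(admincount=1)" |
    Select-Object -ExpandProperty DistinguishedName)

# All groups a principal belongs to, nesting resolved server-side by the
# LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941).
# Assumption: the DN contains no LDAP filter metacharacters ( ) * \ .
function Get-NestedGroupDns([string]$dn) {
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty DistinguishedName
}

$flagged = Get-ADUser -LDAPFilter "(admincount=1)" -Properties adminCount
foreach ($user in $flagged) {
    $memberOf = @(Get-NestedGroupDns $user.DistinguishedName)
    $stillProtected = @($memberOf | Where-Object { $protectedGroups -contains $_ })

    if ($stillProtected.Count -gt 0) {
        # Legitimately protected: leave adminCount and the ACL alone.
        Write-Output "$($user.SamAccountName): protected via $($stillProtected -join ', ')"
        continue
    }

    Write-Output "$($user.SamAccountName): adminCount=1 but no protected membership (orphaned)"
    if (-not $Fix) { continue }

    # Step 1: clear adminCount (same effect as setting it to 0 in the Attribute Editor).
    Set-ADUser -Identity $user -Clear adminCount

    # Step 2: re-enable security inheritance on the object's ACL.
    # SetAccessRuleProtection($false, ...) means "not protected", i.e. inherit again;
    # the second argument is ignored when inheritance is being enabled.
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "  cleared adminCount and re-enabled inheritance"
}
```

Run it once without -Fix and review the "orphaned" lines before applying the change, since a user who is still protected through a group the script could not resolve should not be modified.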
Time Configuration in a Windows domain

To configure the Domain Controller with the PDC Emulator FSMO to another time source, run:

w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update

Replace PEERS with the time source, given either as an IP address or a DNS name. If more than one is needed, separate them with a space and don't forget the quotes: "time.domain.com time1.domain.com"

Public internet time servers are listed here: http://www.pool.ntp.org/

To configure a domain computer for automatic domain time synchronization, run:

w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

To reconfigure the previous PDC Emulator, in case of transferring/seizing the FSMO to another Domain Controller, run:

w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
net start w32time

If you have to reconfigure a Windows 2000 Server Domain Controller, the steps are different after transferring/seizing the PDC Emulator role to another Domain Controller:

- you have to modify the "Type" value to "Nt5Ds" (without the quotes) under this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

If you have problems with the time service configuration because too many changes were made in the registry, or you would like to start fresh on a computer, you can reset the time service to its default state as follows. Make sure to use an elevated command prompt so you have full administrative permissions, then type the following commands:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

To check Domain Controller synchronization, run:

w32tm /monitor

To check a domain computer's configuration, run:

w32tm /query /status
