Lync enabling or making Lync changes to a user who is or was a member of the Domain Admins security group

There are already a number of forum posts floating around on this, but it’s something I found out about the hard way, so I’ll blog it in the hope it helps someone else out.

While attempting to make a change to my own Lync user (on a sandpit development environment I’d like to add!) I was presented with the following operation failed error...


Active Directory operation failed on . You cannot retry this operation: “Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0”.
You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.

I also found the following errors in the application event log...

Login failed for user 'OS\Dave.Simm'. Reason: Failed to open the explicitly specified database. [CLIENT: 89.31.238.2]

At this point it’s convenient to mention that I was going against all best practice and every Microsoft security model known to man. This is a sandpit/development Lync environment with no other products installed and with only a handful of IT users on it. What had I done that was against best practice? I had added my own everyday, SIP-enabled Lync user into the Domain Admins and CSAdministrators groups. Any Active Directory administrator worth their salt will frown heavily upon this. Admins/engineers should always have two accounts: a normal everyday user account for Lync, Exchange and SharePoint, and a separate admin account with elevated privileges for running admin procedures.


So, realising the error of my ways, and being pointed in the right direction by the fairly helpful error messages, I took my account out of the Domain Admins group, logged out, and logged back in using my LyncAdmin user. This user isn’t Lync enabled and is purely an admin account. I then hit exactly the same issue.
Adding a user account to the Domain Admins group changes the way advanced security permissions are propagated to and inherited by that user account: inheritance from the parent object is switched off. Removing the account from the group does not undo this, so you have to re-enable inheritance yourself. In dsa.msc (Active Directory Users & Computers) make sure that you are viewing advanced features: from the View menu select Advanced Features.


Find the user in question, open the user’s properties, click the Security tab, then click Advanced. You need to tick the “Include inheritable permissions from this object’s parent” tick box to re-propagate the required permissions.

Retry any Lync user changes and this time they should be successful.

7 comments:

  1. Thanks, that was giving me some grief!

    ReplyDelete
  2. Cheers Dave that was bugging the hell out of me, I ended up doing it using Management Shell cmdlets!

    ReplyDelete
  3. Hello,

    Also keep in mind that AD itself will reset the user object to "disable inheritance" after "a while" (approx. 40 minutes) because the adminCount property exists on the user object.

    See the following links for more information:
    http://support.microsoft.com/kb/817433
    http://enterpriseadminanon.blogspot.com/2009/05/that-admincount-adminsdholder-and.html


    Regards,

    Rikard Strand

    ReplyDelete
    Replies
    1. Hi Rikard,

      Thanks for that info!

      Using the Quest AD cmdlets, here's how you find the problem users, then change their adminCount to 0 to keep the inheritance set:

      Get-QADUser -IncludedProperties adminCount | select userPrincipalName, adminCount

      <>

      Set-QADUser username@domain.com -ObjectAttributes @{adminCount=0}

      Thanks,

      Amanda Debler

      Delete
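The re-inheritance step from the post and the adminCount caveat raised in this comment thread, as an added PowerShell example that is not the author's or the commenters' code. It assumes the RSAT ActiveDirectory module (Get-ADUser, Set-ADUser, Get-ADPrincipalGroupMembership and the AD: drive) rather than the Quest cmdlets above, a Domain Admins session, and a constructed protected-group list matching a default forest.

```powershell
# Added example: audit users still stamped adminCount=1 that are no longer in a
# protected group, then optionally re-enable ACL inheritance and clear adminCount.
# Assumes the RSAT ActiveDirectory module and a Domain Admins session.
Import-Module ActiveDirectory

# Constructed list of groups AdminSDHolder/SDProp protects in a default forest;
# adjust if dsHeuristics excludes the operator groups in your domain.
$protectedGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
                   'Account Operators','Server Operators','Print Operators','Backup Operators',
                   'Replicator','Domain Controllers','Read-only Domain Controllers'

function Get-OrphanedAdminCountUser {
    # Users SDProp has marked (adminCount=1) but that are not currently in a protected group.
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $groups = Get-ADPrincipalGroupMembership -Identity $_ | Select-Object -ExpandProperty Name
            $stillProtected = @($groups | Where-Object { $protectedGroups -contains $_ }).Count -gt 0
            [pscustomobject]@{
                SamAccountName        = $_.SamAccountName
                DistinguishedName     = $_.DistinguishedName
                InheritanceBlocked    = $_.nTSecurityDescriptor.AreAccessRulesProtected
                StillInProtectedGroup = $stillProtected
            }
        } | Where-Object { -not $_.StillInProtectedGroup }
}

function Repair-OrphanedAdminCountUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        $path = "AD:\$($User.DistinguishedName)"
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'Re-enable inheritance and clear adminCount')) {
            $acl = Get-Acl -Path $path
            # $false = stop protecting the DACL (inherit from parent again, the GUI tick box
            # from the post); $true = keep the explicit ACEs already on the object.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
            # Clear the SDProp marker the thread above reports as re-blocking inheritance.
            Set-ADUser -Identity $User.DistinguishedName -Clear adminCount
        }
    }
}

# Report first; drop -WhatIf once the list looks right.
Get-OrphanedAdminCountUser | Format-Table -AutoSize
Get-OrphanedAdminCountUser | Repair-OrphanedAdminCountUser -WhatIf
```

The report stage is read-only, so it doubles as a periodic check that no everyday (Lync/Exchange-enabled) accounts have been left carrying an admin ACL after leaving a protected group.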
  4. Hi,

    This is Denny, the creator of this free automated employee
    provisioning/termination app -- Z-hire. I wrote this app for the TechNet community a year ago.

    Since you run a very informative blog, I would like your help
    to spread the word. Since my application is free, I need supporters from the
    community. It would mean a lot if you can help.

    Here is a link to my app
    http://gallery.technet.microsoft.com/Z-Hire-Employee-Provisionin-e4854d6b


    Thanks
    Denny

    ReplyDelete
  5. Thanks - worked perfectly straight away!

    ReplyDelete