Good thing about the error, it's detailed enough to give me the right idea how to solve it. :)
So, that is exactly what I did. First, I tried to use Lync Server Management Shell to enable the user. Second, I checked the AD permissions of the user for possible security issues in AD regarding users that are members of a protected group (the user I'm enabling is a member of the Domain Admins group). Here's a simple step-by-step procedure on how to enable users using Lync Server Management Shell and check AD permissions:
1. Start Lync Server Management Shell
- Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell
2. Search or locate the user account in Active Directory
- You can use identifiers such as Display Name (ex. Vince Quinto), UserPrincipalName (ex. vince.quinto@domain.com), SamAccountName (ex. DOMAIN\vince.quinto), or EmailAddress (ex. vince.quinto@domain.com) to represent a user's identity
- To locate the account, type Get-CsAdUser. To return specific users, type Get-CsAdUser -Identity "Vince Quinto", or use wildcard characters, Get-CsAdUser -Identity "* Quinto"
3. Enable the user in Lync Server
- Type Enable-CsUser -Identity "Vince Quinto" -RegistrarPool LSpool01.domain.com -SipAddressType EmailAddress
If the Lync Management Shell did not work, which in my case it did not, I tried checking the user's Active Directory permissions to see if inheritable permissions are enabled. Here is how I did it...
1. Open Active Directory Users and Computers.
2. On the menu at the top of the console, click View > Advanced Features.
3. Locate and right-click the user account in the console, and then click Properties.
4. Click the Security tab.
5. Click Advanced.
6. Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.
If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. Windows automatically removes security inheritance on those users. Oh! And yeah, it worked! By the way, this procedure is not needed for accounts that are not members of a protected security group in AD.
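
The same inheritance check can be done read-only from PowerShell before touching the ACL. This is an added example, not part of the original post: the function names are hypothetical, the sample rows are constructed, and the live query assumes the ActiveDirectory module (RSAT) is installed. It also reads adminCount, the attribute Windows sets to 1 on accounts protected by AdminSDHolder.

```powershell
# Added example, not from the original post. Read-only: it changes nothing in AD.
function Get-InheritanceFinding {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [bool]   $InheritanceBlocked,  # ACL is protected from inheritance
        [int] $AdminCount = 0                                  # 1 = stamped by AdminSDHolder/SDProp
    )
    $finding = if ($InheritanceBlocked -and $AdminCount -eq 1) {
        'Protected account: inheritance removed by AdminSDHolder (expected)'
    } elseif ($InheritanceBlocked) {
        'Inheritance disabled on a non-protected account: review the ACL'
    } elseif ($AdminCount -eq 1) {
        'Inheritance on, adminCount=1: SDProp removes it again while the user stays in a protected group'
    } else {
        'OK: inheritable permissions apply'
    }
    [pscustomobject]@{
        User               = $SamAccountName
        InheritanceBlocked = $InheritanceBlocked
        AdminCount         = $AdminCount
        Finding            = $finding
    }
}

# Live lookup. -Identity takes a SamAccountName, DN, GUID or SID (not a display name).
function Test-AdUserInheritance {
    param([Parameter(Mandatory)] [string] $Identity)
    Import-Module ActiveDirectory -ErrorAction Stop
    $u = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
    # AreAccessRulesProtected is $true when the "Include inheritable permissions" box is cleared.
    Get-InheritanceFinding -SamAccountName $u.SamAccountName `
        -InheritanceBlocked $u.nTSecurityDescriptor.AreAccessRulesProtected `
        -AdminCount ([int]$u.adminCount)   # unset adminCount ($null) becomes 0
}

# Constructed sample rows (not real accounts) so the logic can be seen without a domain.
$samples = @(
    @{ SamAccountName = 'vince.quinto'; InheritanceBlocked = $true;  AdminCount = 1 }
    @{ SamAccountName = 'jane.doe';     InheritanceBlocked = $true;  AdminCount = 0 }
    @{ SamAccountName = 'vince.quinto'; InheritanceBlocked = $false; AdminCount = 1 }
    @{ SamAccountName = 'john.smith';   InheritanceBlocked = $false; AdminCount = 0 }
)
$samples | ForEach-Object { $p = $_; Get-InheritanceFinding @p } | Format-List

# On a domain-joined machine: Test-AdUserInheritance -Identity vince.quinto
```

The third sample row is the state right after step 6 for a Domain Admins member: the box is checked, but the account is still marked as protected.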