It’s been a while – I’ve been transitioning into Lync administration these past few months, but ARS is still a part of that…
Today, I tried changing some of my Lync user policies, and got this:
Active Directory operation failed on “DC01234.awesomedomain.com”. You cannot retry this operation: “Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0”. You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.
But… my account isn’t in Domain Admins! It was once, for about five minutes while I attempted to prove a point, but that was several months ago.
However, that is enough to mark the account as “special” for good: the AdminSDHolder process (SDProp) stamps adminCount=1 on every member of a protected group and replaces the object’s ACL with the AdminSDHolder one, disabling permission inheritance. Neither change is undone when the account leaves the group.
Dave Simm has a post that explains what happens and how to fix it: Lync enabling or making Lync changes to a user who is or was a member of the Domain Admins security group
However, one of the commenters, Rikard Strand, points out that the inheritance fix might be automatically reverted because adminCount is still 1.
So, here’s how you fix this with the standard AD cmdlets or ARS:
1) Find the Lync-enabled users who also have adminCount=1 – this doesn’t mean that they definitely have the inheritance issue, but that they might:
ARS: Get-QADUser -SearchAttributes @{adminCount=1;'msrtcsip-PrimaryUserAddress'="*"}
AD: Get-ADUser -LDAPFilter '(&(adminCount=1)(msrtcsip-PrimaryUserAddress=*))'
2) Go remove them from Domain Admins or disable them for Lync if they should stay in Domain Admins – you shouldn’t be using a Domain Admin account to run your desktop applications!
3) If they’re going to remain Lync users, fix the AD object security permissions inheritance as described in Dave’s post (dsa.msc – Advanced Features view – Properties – Security – Advanced – tick the inheritance box, labelled “Include inheritable permissions from this object’s parent” or “Enable inheritance” depending on the OS version)
4) Finally, set adminCount back to 0 for the users you just fixed inheritance for. Only do this for accounts that are no longer in a protected group: SDProp runs roughly every 60 minutes and will simply re-stamp adminCount=1 and re-apply the AdminSDHolder ACL to anyone still a member:
ARS: Set-QADUser -Identity AWESOME\username -ObjectAttributes @{adminCount=0}
AD: Set-ADUser -Identity "cn=username,ou=SomeCity,ou=Country,dc=awesomedomain,dc=com" -Replace @{adminCount=0}
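The four steps above, put together as one script. This is an added example and not code from the original post; it assumes the RSAT ActiveDirectory module (Get-ADUser, Get-ADGroupMember and the AD: PSDrive for Get-Acl/Set-Acl) and a Lync-populated msRTCSIP-PrimaryUserAddress attribute. It reports by default and only changes anything when run with -Fix, and it refuses to touch accounts that are still (nested) members of a protected group, since SDProp would revert the change within the hour anyway.

```powershell
<#
  Added example, not from the original post: audit Lync-enabled users that carry
  adminCount=1, report whether they are still in a protected group and whether
  permission inheritance is blocked, and optionally fix the orphaned ones.
  Assumes the RSAT ActiveDirectory module. Run with -Fix to apply changes.
#>
param([switch]$Fix)

Import-Module ActiveDirectory

# Groups that AdminSDHolder/SDProp protects in a default forest. Schema Admins and
# Enterprise Admins only exist in the forest root, so lookups elsewhere may fail.
$protectedGroups = 'Account Operators', 'Administrators', 'Backup Operators',
    'Domain Admins', 'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'

# Build the set of current (nested) members of protected groups, keyed by DN.
$stillProtected = @{}
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $stillProtected[$_.distinguishedName] = $g }
    } catch { }   # group does not exist in this domain; ignore
}

# Step 1: Lync-enabled users with adminCount=1. Note the (&...) wrapper; two bare
# clauses with no operator is not a valid LDAP filter.
$candidates = Get-ADUser -LDAPFilter '(&(adminCount=1)(msRTCSIP-PrimaryUserAddress=*))' `
    -Properties adminCount, 'msRTCSIP-PrimaryUserAddress'

foreach ($u in $candidates) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl = Get-Acl -Path $path
    $inheritanceBlocked = $acl.AreAccessRulesProtected   # $true = inheritance disabled
    $group = $stillProtected[$u.DistinguishedName]

    if ($group) {
        # Step 2: still a member. Fixing the ACL or adminCount here is pointless;
        # SDProp re-applies the AdminSDHolder ACL to current members about hourly.
        Write-Warning "$($u.SamAccountName) is still in '$group' - remove from the group or disable for Lync"
        continue
    }

    Write-Output ("{0,-20} inheritanceBlocked={1}" -f $u.SamAccountName, $inheritanceBlocked)
    if (-not $Fix) { continue }

    # Step 3: re-enable inheritance, keeping the explicit ACEs already on the object
    # (the AdminSDHolder ACEs are left in place; remove them separately if unwanted).
    if ($inheritanceBlocked) {
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }

    # Step 4: clear adminCount so the object is no longer marked as "special".
    Set-ADUser -Identity $u.DistinguishedName -Clear adminCount
    Write-Output "  fixed $($u.SamAccountName)"
}
```

Run it once without -Fix to see who is affected and who is still in a protected group; anything that comes back with a warning needs the group membership (or the Lync enablement) sorted out first, exactly as step 2 says. Clearing adminCount rather than setting it to 0 leaves the attribute unset, which is how a never-protected account looks.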
Somebody may need to enroll in the “Guido School of Admin Training” – http://enterpriseadminanon.blogspot.co.uk/2009/05/that-admincount-adminsdholder-and.html
I’m not entirely sure why MS blocks admins in this way – most of the admins at my place have email addresses as they tell me some Exchange management requires that they have a mailbox attached to their admin account. Hopefully I’m not being gullible here 🙂 . Because MS blocks this, someone has messed with the AdminSDHolder so that it doesn’t block the admins – not me, honest :-). No, seriously, not me, as personally I would not recommend this approach, but as it’s already been messed with I’ve left it alone.
Sometimes when you fix one thing you break something else, I’m sure we have all been there and it’s not a nice place to visit!