Article ID: 2466000 - Last Review: April 30, 2012 - Revision: 4.0

Lync 2010 Server Control Panel returns the error "Insufficient access rights to perform the operation" when attempting a move user or enable user command


SYMPTOMS

When you use the Lync 2010 Server Control Panel to enable or move an Active Directory directory service domain user for use with Lync Server 2010, the following errors are returned:

Active Directory operation failed on "DC1.contoso.com". You cannot retry this operation: "Insufficient access rights to perform the operation"

CAUSE

The error that is described in the SYMPTOMS section of this article is caused by the combination of the following two reasons:

  • The user account that is part of the Lync 2010 Server move or enable operation is a member of an Active Directory directory service protected domain security group. Because the user account belongs to a protected domain security group, the Access Control Entries (ACEs) for the RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Universal Security groups and their permissions are not kept on the account: it carries the protected domain security group's default Access Control List (ACL) instead.
  • The Lync 2010 Server Control Panel is not designed to delegate the permissions that are needed to complete the user account move or enable operation.

Note: For detailed information on the Windows Server 2003 and Windows Server 2008 protected security groups and the Active Directory directory service processes that maintain their default Access Control List entries, see the MORE INFORMATION section of this article.

RESOLUTION

Use the Lync Server Management Shell to run the following Lync 2010 Server PowerShell cmdlets to perform the user account enable or move operations:

  1. Enable-CsUser -Identity "Bill Anderson" -RegistrarPool "pool01.contoso.com" -SipAddressType EmailAddress -SipDomain contoso.com

    • To view a list of usage examples for the Enable-CsUser Lync Server 2010 PowerShell cmdlet, open the Lync Server Management Shell and enter the following PowerShell cmdlet: Get-Help Enable-CsUser -Examples
  2. Move-CsUser -Identity "Bill Anderson" -Target "pool01.contoso.com"

    • To view a list of usage examples for the Move-CsUser Lync Server 2010 PowerShell cmdlet, open the Lync Server Management Shell and enter the following PowerShell cmdlet: Get-Help Move-CsUser -Examples
  3. Move-CsLegacyUser -Identity "Bill Anderson" -Target "pool01.contoso.com"

    • To view a list of usage examples for the Move-CsLegacyUser Lync Server 2010 PowerShell cmdlet, open the Lync Server Management Shell and enter the following PowerShell cmdlet: Get-Help Move-CsLegacyUser -Examples

MORE INFORMATION

For more detailed information on the permissions needed to use the Lync 2010 Server Control Panel, and on how to use the Control Panel to add Active Directory directory service users to the Lync 2010 Server pool, review the following information:

Enable or Disable Users for Lync Server 2010 (http://technet.microsoft.com/en-us/library/gg429696.aspx)


Windows Server 2003 and Windows Server 2008 Active Directory directory service security groups that are designated protected groups block the inheritance of non-default Access Control Entries (ACEs) to their default Access Control List (ACL) as a security measure. The protected groups consist of the default administrative groups that are used to manage the Windows Server enterprise.

The link listed below provides the details of the processes that are used to manage the default level of security for the Windows Server 2003 and Windows Server 2008 protected security groups:

AdminSDHolder, Protected Groups and SDPROP for Windows Server (http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx)
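
To confirm that a failing account matches the cause described in this article, the following read-only check is an added example (not part of the original article) that uses the ActiveDirectory PowerShell module. It reports whether the account is flagged as protected (adminCount = 1), whether ACL inheritance is blocked, and whether the two RTC groups named above still appear as ACE trustees. The function name Test-LyncProtectedUser and the account name banderson are hypothetical.

```powershell
# Added example: read-only diagnostic, requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-LyncProtectedUser {
    param(
        # sAMAccountName, distinguished name, GUID or SID of the user to inspect
        [Parameter(Mandatory = $true)][string]$Identity,
        # Lync groups named in the CAUSE section of this article
        [string[]]$RtcGroups = @('RTCUniversalUserAdmins', 'RTCUniversalUserReadOnlyGroup')
    )

    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
    $sd   = $user.nTSecurityDescriptor

    # Trustees of every ACE on the user object, in DOMAIN\name form
    $trustees = @($sd.Access | ForEach-Object { $_.IdentityReference.Value })

    # RTC groups that still have at least one ACE on the object
    $present = @($RtcGroups | Where-Object {
        $group = $_
        @($trustees | Where-Object { $_ -like "*\$group" }).Count -gt 0
    })

    $protected = ($user.adminCount -eq 1)          # set on members of protected groups
    $blocked   = $sd.AreAccessRulesProtected       # True when inheritance is disabled

    New-Object PSObject -Property @{
        SamAccountName     = $user.SamAccountName
        AdminCountSet      = $protected
        InheritanceBlocked = $blocked
        RtcGroupsWithAces  = ($present -join ', ')
        RtcGroupsMissing   = (@($RtcGroups | Where-Object { $present -notcontains $_ }) -join ', ')
        # Matches this article when the account is protected and the RTC ACEs are gone
        MatchesKB2466000   = ($protected -and $blocked -and ($present.Count -lt $RtcGroups.Count))
    }
}

# Constructed sample account name; replace with the user that failed in the Control Panel
Test-LyncProtectedUser -Identity 'banderson' | Format-List
```

An account that was once in a protected group can keep adminCount = 1 after it is removed from the group, so review its current group membership before deciding whether it still needs protected status.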
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

APPLIES TO
  • Microsoft Lync Server 2010 Enterprise Edition
  • Microsoft Lync Server 2010 Standard Edition