Article ID: 2466000
When you use the Lync Server Control Panel to enable or move an Active Directory directory service domain user for use with Lync Server, the following error is returned:
Active Directory operation failed on "DC1.contoso.com". You cannot retry this operation: "Insufficient access rights to perform the operation"
The error that is described in the SYMPTOMS section of this article is caused by the combination of the following two reasons:
Use the Lync Server Management Shell to run the following Lync Server PowerShell cmdlets to perform the user account enable or move operations:
Note: Permissions equivalent to those of the RTCUniversalUserAdmins group are required to successfully use the Enable-CsUser, Move-CsUser, and Move-CsLegacyUser Lync Server PowerShell cmdlets.
For more detailed information on the permissions needed to use the Lync Server Control Panel, and on how to use the Lync Server Control Panel to add Active Directory directory service users to the Lync Server pool, please review the following information:
Enable or Disable Users for Lync Server
Windows Server Active Directory directory service security groups that are designated as protected groups block the inheritance of non-default Access Control Entries (ACEs) to their default Access Control List (ACL) as a security measure. Windows Server protected groups consist of the default administrative groups that are used to manage the Windows Server enterprise.
The link listed below provides the details of the processes that are used to manage the default level of security for the Windows Server protected security groups:
AdminSDHolder, Protected Groups and SDPROP for Windows Server
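A read-only check for the condition described above, as an added example that is not part of the original article: it reports whether a user object has ACL inheritance disabled and whether any ACE for the RTCUniversalUserAdmins group is present on it. The function name, the sample account `jdoe`, and the use of the `adminCount` attribute as the protected-account marker are assumptions not taken from the article.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Test-CsUserAclInheritance {
    param(
        [Parameter(Mandatory)] [string] $Identity,          # sAMAccountName or DN of the user to check
        [string] $DelegatedGroup = 'RTCUniversalUserAdmins' # group named in this article
    )

    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
    $sd   = $user.nTSecurityDescriptor

    # True when the object's DACL is protected, i.e. it no longer inherits ACEs from its parent.
    $inheritanceBlocked = $sd.AreAccessRulesProtected

    # ACEs on this object that name the delegated Lync group (explicit or inherited).
    $groupAces = @($sd.Access | Where-Object { $_.IdentityReference.Value -like "*\$DelegatedGroup" })

    [pscustomobject]@{
        User               = $user.SamAccountName
        AdminCount         = $user.adminCount   # 1 = stamped by SDPROP as protected (now or in the past)
        InheritanceBlocked = $inheritanceBlocked
        DelegatedAceCount  = $groupAces.Count
        # Inheritance is off and the delegated group has no ACE: enable/move operations
        # that rely on that delegation can be expected to fail on this object.
        LikelyToFail       = ($inheritanceBlocked -and $groupAces.Count -eq 0)
    }
}

# 'jdoe' is a constructed sample account name.
Test-CsUserAclInheritance -Identity 'jdoe' | Format-List
```

The function only reads the user object and its security descriptor; it makes no changes to the directory.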
For more detailed information on using the Enable-CsUser, Move-CsUser, and Move-CsLegacyUser Lync Server PowerShell cmdlets, please review the following Microsoft TechNet information: