When you use the Lync Server Control Panel to enable or move an Active Directory domain user for use with Lync Server, the following error is returned:
Active Directory operation failed on "DC1.contoso.com". You cannot retry this operation: "Insufficient access rights to perform the operation"
The error that is described in the SYMPTOMS section of this article is caused by the combination of the following two conditions:
The user account that is part of the Lync Server move or enable operation is a member of an Active Directory protected domain security group. Because the user account belongs to a Windows Server protected domain security group, it cannot keep the RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server universal security groups and their permissions as Access Control Entries (ACEs) in the protected domain security group's default Access Control List (ACL).
The Lync Server Control Panel is not designed to delegate the permissions of the RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server universal security groups that are needed to complete the user account move or enable operation.
Note As an example, the Domain Admins global security group is a Windows Server protected group. For detailed information about the Windows Server protected security groups and the Active Directory processes that maintain their default Access Control List entries, see the MORE INFORMATION section of this article.
Use the Lync Server Management Shell to run the following Lync Server PowerShell cmdlets to perform the user account enable or move operations:
Note Permissions equivalent to the RTCUniversalUserAdmins group are required to successfully use the Enable-CsUser, Move-CsUser, and Move-CsLegacyUser Lync Server PowerShell cmdlets.
To view a list of examples for the usage of the Move-CsLegacyUser Lync Server PowerShell cmdlet, open the Lync Server Management Shell and enter the following PowerShell command: Get-Help Move-CsLegacyUser -Examples
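The following script is an added example and is not part of this article or of the Lync Server product. It performs the enable or move operation from the Lync Server Management Shell as the article recommends, and first reports whether the target account is in a protected group (flagged by the adminCount attribute, a fact not stated in this article) and whether the operator is a member of RTCUniversalUserAdmins. The pool FQDN, SIP domain and user name are placeholders.

```powershell
# Added example (not from the KB article): enable or move a Lync user from the
# Lync Server Management Shell instead of the Control Panel, with preflight
# checks that explain why the Control Panel path fails for protected accounts.
param(
    [Parameter(Mandatory)] [string] $Identity,        # e.g. 'contoso\jdoe' (placeholder)
    [string] $RegistrarPool = 'pool01.contoso.com',   # placeholder pool FQDN
    [string] $SipDomain     = 'contoso.com',          # placeholder SIP domain
    [switch] $Move                                     # move instead of enable
)

Import-Module ActiveDirectory
Import-Module Lync   # already loaded inside the Lync Server Management Shell

# Protected-group members carry adminCount=1 (assumption drawn from AD behaviour,
# not from the article). Their ACL does not keep the RTCUniversalUserAdmins /
# RTCUniversalUserReadOnlyGroup ACEs, which is why the Control Panel fails.
$sam  = ($Identity -split '\\')[-1]
$user = Get-ADUser -Identity $sam -Properties adminCount, MemberOf
if ($user.adminCount -eq 1) {
    Write-Warning "$Identity is in a protected group (adminCount=1); the Control Panel cannot enable or move it, so the shell is used."
}

# The operator needs RTCUniversalUserAdmins-equivalent rights; direct or nested
# membership is the common case, so only warn if it is not found.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$members = Get-ADGroupMember -Identity 'RTCUniversalUserAdmins' -Recursive
if (-not ($members | Where-Object { $_.SID.Value -eq $me.User.Value })) {
    Write-Warning "Current account is not a member of RTCUniversalUserAdmins; equivalent permissions are required."
}

if ($Move) {
    # Move-CsLegacyUser takes the same -Identity/-Target shape for Office Communications Server users.
    Move-CsUser -Identity $Identity -Target $RegistrarPool -Confirm:$false
} else {
    Enable-CsUser -Identity $Identity -RegistrarPool $RegistrarPool `
                  -SipAddressType SamAccountName -SipDomain $SipDomain
}

# Confirm the result.
Get-CsUser -Identity $Identity | Select-Object DisplayName, SipAddress, RegistrarPool, Enabled
```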
For more detailed information about the permissions that are needed to use the Lync Server Control Panel, and about how to use the Lync Server Control Panel to add Active Directory users to the Lync Server pool, review the following information:
Windows Server Active Directory security groups that are designated as protected groups block the inheritance of non-default Access Control Entries (ACEs) into their default Access Control List (ACL) as a security measure. The Windows Server protected groups consist of the default administrative groups that are used to manage the Windows Server enterprise.
The link listed below provides the details of the processes that are used to maintain the default level of security for the Windows Server protected security groups: