Lync Server Control Panel : Insufficient access rights to perform the operation; A strange Active Directory PropertySet issue

Hi All,

Today, a colleague of mine asked me to help with a strange Lync Server issue.

The symptoms were:

  • From the Lync Server Control Panel, he was unable to view the Lync Enabled Users
  • He was unable to “lync enable” a user
  • The error message was “Insufficient access rights to perform the operation”

There are many articles and forums where you can find some help:

  • Check the membership of the Lync Server computer account: OK
  • Check the inherited permissions: OK
  • Check that the target user is not a member of a built-in admin group: OK
  • Check ACLs in detail: OK, using this TechNet article: http://technet.microsoft.com/en-us/library/gg398742.aspx

All ACLs seemed to be good. But this kind of issue is always a rights issue, so I decided to go deeper into those ACLs.

First, to be sure that this is a rights issue, I enabled Directory Access Failure Logon, and for a specific user, I enabled Fail Audit for all attributes and properties issued by the Lync Server Computer Account. You can do that in the Security tab of a user account:

image

Then, I tried to “lync enable” the specific user account, and I found the following Failure Audit in the security logs of my Domain Controller:

image

As you can see, it seems that my Lync Server doesn’t have the right to write 3 properties:

  • msRTCSIP-PrimaryUserAddress
  • msRTCSIP-UserEnabled
  • msRTCSIP-PrimaryHomeServer

That was strange, because in my mind, the Lync Schema/Forest/Domain preparation should create a delegation on those properties for the RTCUniversal-UserAdmins group.

In this TechNet article, http://blogs.technet.com/b/jenstr/archive/2011/02/07/grant-cssetuppermission-and-grant-csoupermission.aspx, I found that the RTCPropertySet and the RTCUserSearchPropertySet should contain those attributes.

I had a look in the configuration partition and found the 2 PropertySets in the Extended-Rights container:

image

Then I found that the 3 Lync properties were not in a property set. So, I changed 2 attributes on each schema attribute:

  • attributeSecurityGUID: rightsGuid of the PropertySet
  • isMemberOfPartialAttributeSet: true

image

image

After a schema refresh (right click on schema partition and Refresh Schema Now), the Lync Server Control Panel was working well.
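
A read-only check for the condition described above, as an added example that is not part of the original post: it reports, for each of the three msRTCSIP attributes, its attributeSecurityGUID and which property set that GUID matches. It assumes the ActiveDirectory PowerShell module is available and that the property set objects under Extended-Rights have the cn values RTCPropertySet and RTCUserSearchPropertySet.

```powershell
# Added example: read-only; it changes nothing in the schema or configuration.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$schemaNC  = $rootDse.schemaNamingContext
$rightsDN  = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Assumption: the property set objects carry these names as their cn.
$propertySetNames = 'RTCPropertySet', 'RTCUserSearchPropertySet'
$attributeNames   = 'msRTCSIP-PrimaryUserAddress',
                    'msRTCSIP-UserEnabled',
                    'msRTCSIP-PrimaryHomeServer'

# Build a lookup: rightsGuid (normalized string) -> property set name.
$setsByGuid = @{}
foreach ($name in $propertySetNames) {
    $filter = "(&(objectClass=controlAccessRight)(cn=$name))"
    $set = Get-ADObject -SearchBase $rightsDN -LDAPFilter $filter -Properties rightsGuid
    if ($set) {
        $setsByGuid[([Guid]$set.rightsGuid).ToString()] = $name
    } else {
        Write-Warning "Property set '$name' not found under $rightsDN"
    }
}

# attributeSecurityGUID is a 16-byte value; when it is empty the attribute
# belongs to no property set, so ACEs granted on a property set do not cover it.
foreach ($attr in $attributeNames) {
    $filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
                        -Properties attributeSecurityGUID, isMemberOfPartialAttributeSet
    if (-not $obj) { Write-Warning "Schema attribute '$attr' not found"; continue }

    $guid = $null
    $setName = '(none)'
    if ($obj.attributeSecurityGUID) {
        $guid = ([Guid]$obj.attributeSecurityGUID).ToString()
        $setName = if ($setsByGuid.ContainsKey($guid)) { $setsByGuid[$guid] } else { '(other)' }
    }

    [pscustomobject]@{
        Attribute             = $attr
        AttributeSecurityGuid = $guid
        PropertySet           = $setName
        InPartialAttributeSet = [bool]$obj.isMemberOfPartialAttributeSet
    }
}
```

A row showing `(none)` or `(other)` in the PropertySet column corresponds to the state found in this post, where the attribute is not covered by the delegation on the RTC property sets.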
