Today, a colleague of me asked me to help on a strange Lync Server issue.
The symptoms was :
- From the Lync Server Control Panel, he was unable to view the Lync Enabled Users
- He was unable to “lync enable” user
- The error message was “Insufficient access rights to perform the operation”
There are many articles and forum where you can find some help :
- Check the membership of the lync server computer account : OK
- Check the inherited permissions : OK
- Check that the target user is not member of an builtin admin group : OK
- Check ACLs in details : OK, using this technet article :http://technet.microsoft.com/en-us/library/gg398742.aspx
All Acls seems to be good. But this kind of issue is always a rights issue, so I decided to go deeper in those ACL.
First, to be sure that this is a right issue, I have enable Directory Access Failure Logon, and for a specific user, I have enable Fail Audit for all attributes and properties issued by the Lync Server Computer Account. You can do that in the Security Tab of an user account :
Then, I tried to “lync enable” the specific user account, and I found in the security logs of my Domain Controller, the following Failure Audit :
As you can see, it seems that my Lync Server doesn’t have the right to write 3 properties :
That was strange, because in my mind, I think that the Lync Schema/Forest/Domain preparation should create a delegation on those properties for the RTCUniversal-UserAdmins group.
In that technet articlehttp://blogs.technet.com/b/jenstr/archive/2011/02/07/grant-cssetuppermission-and-grant-csoupermission.aspx I have found that the RTCPropertySet and the RTCUserSearchPropertySet should contain those attribute.
Had a look in the configuration partition, and found the 2 PropertySet in the Extended-Rights container :
Then I found that the 3 Lync Properties was not in a property set. So, I change 2 attributes on each schema attribute :
- attributesecurityGUID : rightsguid of the PropertySet
- isMeberOfPartialAttributeSet : true
After a schema refresh (right click on schema partition and Refresh Schema Now), the Lync Server Control Panel was working well.