Enable-CSUser Insufficient Permission

Enabling users from both the Lync control panel and PowerShell was producing this error:

“Active Directory operation failed on “abc.domain.com”. You cannot retry this operation: “Insufficient access rights to perform the operation
00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.”

Most solutions to this topic mention ensuring that Inheritable Permissions are set on the user’s security tab in AD, but in our case these were already set.

A user with Domain Admin privileges could enable the users but not our Lync Admin account that had both CSAdministrator and RTCUniversalUserAdmins membership.

After much head scratching, it turned out that the Lync server had been removed from the membership in the RTCUniversalUserAdmins group. Adding the computer back to that group was the solution.

Advertisements

Sharing internet connection with Hyper-V client

Had to do this a little differently than all of the blog posts I’d seen because using an Internal virtual switch and trying to allow it to share my local network resulted in an IP address conflict.

The fix was to create an External virtual switch with “Allow management operating system to share this network adapter” checked. Creating this takes a minute and Internet connectivity is dropped for a second while it applies changes.

Then, in the VM settings, select this new switch as the network adapter.

The VM might need to be turned off when making this setting change, but it worked for me while the VM was running.