Enabling users from both the Lync control panel and PowerShell was producing this error:

“Active Directory operation failed on “abc.domain.com”. You cannot retry this operation: “Insufficient access rights to perform the operation
00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.”

Most solutions to this topic mention ensuring that Inheritable Permissions are set on the user’s security tab in AD, but in our case these were already set.

A user with Domain Admin privileges could enable the users but not our Lync Admin account that had both CSAdministrator and RTCUniversalUserAdmins membership.

After much head scratching, it turned out that the Lync server had been removed from the membership in the RTCUniversalUserAdmins group. Adding the computer back to that group was the solution.