Friday, February 17, 2012

How to Lync enable a Domain Admin

Perhaps you have seen the error message below when trying to Lync enable a Domain Admin in the Lync control panel.

Active Directory operation failed on You cannot retry this operation:
"Insufficient access rights to perform the operation
00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".You do not have the appropriate permissions to perform this operation in Active Directory. One
possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify
users who belong to protected scurity groups (for example, the Domain Admins group). To manage
users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain
Admins account. There are other possible causes. For details, see Lync Server 2010 Help.

(The comment "You cannot retry this operation" is kind of fun - "Yes I can...")

It is pretty much as harsh as it is described here - you cannot use the Control Panel to fiddle with users who belong to protected security groups. So your options are to either use Powershell as suggested in the error message or you could try this:

1. Open active directory users and computers
2. Enable the advanced features in the view menu
3. Search for the account which is in a protected security group
4. Go to Properties / Security / Advanced
5. Check the following box: Include inheritable permissions
6. Retry what you were doing in the Lync Control Panel

Now this might not be the best "securest" way of solving this issue, but for my lab environments I do not care too much about that, but think twice before doing this in a production system. Probably you should not Lync enable your domain admin accounts at all if you want to stay secure.


  1. You can also run from powershell without clicking around in AD:

    Enable-CsUser -Identity “user” -RegistrarPool -SipAddressType EmailAddress


  2. Hello Mange!

    Thanks for the tip, it works great!
    "To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account."

  3. If you check "Include inheritable permissions from this object's parent" to resolve the issue you will have up to an hour before the permissions is reset again.

    The best thing to do is, just as you say, to not enable a domain admin account. :)


  4. Hi Joakim,

    That is probably correct, but most of the time it gives you enough time to Lync enable that account which will still be Lync enabled and work even after the reset.


  5. Great effort and good sharing, this will be helpful to everyone
    in the industry :)