Share via


Granting Setup Permissions

 

Topic Last Modified: 2012-02-13

You can use the Grant-CsSetupPermission cmdlet to add Read, Write, ReadSPN, and WriteSPN permissions to the RTCUniversalServerAdmins group for a specified Active Directory organizational unit (OU). Then, members of the RTCUniversalServerAdmins group in that OU can install servers running Lync Server 2010 in the specified domain without being members of the Domain Admins group. For details about the permissions granted by the Grant-CsSetupPermission cmdlet, see Changes Made by Grant-CsSetupPermission.

Use the Test-CsSetupPermission cmdlet to verify the permissions you set up by using the Grant-CsSetupPermission cmdlet.

You can use the Revoke-CsSetupPermission cmdlet to remove permissions that you granted by using the Grant-CsSetupPermission cmdlet.

To grant setup permissions

  1. Log on to a computer running Lync Server 2010 in the domain where you want to grant setup permissions. Use an account that is a member of the Domain Admins group or the Enterprise Admins group if the OU is in a different child domain.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell.

  3. Run:

    Grant-CsSetupPermission -ComputerOu <DN of the OU or container where the computer objects that will run Lync Server reside > [-Domain <Domain FQDN>]
    

    You can specify the ComputerOu parameter as relative to the default naming context of the specified domain (for example, CN=computers). Alternatively, you can specify this parameter as the full OU distinguished name (DN) (for example, "CN=computers,DC=Contoso,DC=com"). In the latter case, you must specify an OU DN that is consistent with the domain you specify.

    If you do not specify the Domain parameter, the default value is the local domain.

To verify setup permissions

  1. Log on to a computer running Lync Server 2010 in the domain where you want to verify setup permissions that you granted by using the Grant-CsSetupPermission cmdlet. Use an account that is a member of the Domain Admins group or the Enterprise Admins group if the OU is in a different child domain.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell.

  3. Run:

    Test-CsSetupPermission -ComputerOu <DN of the OU or container where the computer objects that will run Lync Server reside> [-Domain <Domain FQDN>]
    

    You can specify the ComputerOu parameter as relative to the default naming context of the specified domain (for example, CN=computers). Alternatively, you can specify this parameter as the full OU distinguished name (DN) (for example, "CN=computers,DC=Contoso,DC=com"). In the latter case, you must specify an OU DN that is consistent with the domain you specify.

    If you do not specify the Domain parameter, the default value is the local domain.

To revoke setup permissions

  1. Log on to a computer running Lync Server 2010 in the domain where you want to revoke setup permissions that were granted by the Grant-CsSetupPermission cmdlet. Use an account that is a member of the Domain Admins group or the Enterprise Admins group if the OU is in a different child domain.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell.

  3. Run:

    Revoke-CsSetupPermission -ComputerOu <DN of the OU or container where the computer objects that will run Lync Server reside > [-Domain <Domain FQDN>]
    

    You can specify the ComputerOu parameter as relative to the default naming context of the specified domain (for example, CN=computers). Alternatively, you can specify this parameter as the full OU distinguished name (DN) (for example, "CN=computers,DC=Contoso,DC=com"). In the latter case, you must specify an OU DN that is consistent with the domain you specify.

    If you do not specify the Domain parameter, the default value is the local domain.