Scenario 1: Authenticated User Permissions Are Removed

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

In a locked-down Active Directory, authenticated user ACEs are removed from the default Active Directory containers, including the Users, Systems, and OUs where User and Computer objects are stored. Removing the authenticated user ACEs prevents read access to Active Directory information, but it also creates problems for Office Communications Server, which depends on read permission to these containers in order for users to run Prep Domain.

In this situation, membership in the Domain Admins group, which is required to run Prep Domain, server activation, and pool creation, no longer grants read access to Active Directory information stored in the default containers. You must manually grant read-access permissions on various containers in the forest root domain so that setup can check that the prerequisite Prep Forest procedure is completed.

To address this issue, either use an account with Enterprise Admins credentials to run these procedures, or grant an account with Domain Admins credentials explicit read permission on the required containers from which the authenticated user ACEs have been removed.

To enable a user to run Prep Domain, server activation, or pool creation on any non-forest root domain, you have the following options:

  • Use an account with Enterprise Admins credentials to run Prep Domain.

  • Use an account with Domain Admins credentials and grant this account read-access permissions on each of the following containers in the forest root domain:

    • Domain

    • System

The following sections provide step-by-step instructions for granting the required read-only access to enable a user to run Prep Domain and other setup tasks.

Enable a User to Run Prep Domain or Setup Tasks

If you do not want to use an account with Enterprise Admins credentials to run Prep Domain or other Setup tasks that require Domain Admins credentials, explicitly grant the account you want to use read access on the relevant containers in the forest root domain.

To give user read-access permissions on containers in the forest root domain

  1. Log on to the computer joined to the forest root domain with an account that has Domain Admins credentials for the forest root domain.

  2. Run Adsiedit.msc for the forest root domain.

  3. If authenticated user ACEs were removed from either the Domain or System container, you must grant read-only permissions to the container.

  4. Right-click the container, and then click Properties.

  5. Click the Security tab.

  6. Click Advanced.

  7. On the Permissions tab, click Add.

  8. Enter the name of the user or group receiving permissions using the following format: domain\account name.

  9. Click OK.

  10. On the Objects tab, in Applies To, click This Object Only.

  11. In Permissions, select the following Allow ACEs by clicking the Allow column: List Content, Read All Properties, and Read Permissions.

  12. Click OK twice.

  13. Repeat these steps for any of the relevant containers listed in step 3.
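The same procedure carried out from PowerShell, as an added example that is not part of the original article: for the Domain and System containers of the forest root domain it first checks whether an Authenticated Users ACE is still present (step 3), and only where it is missing adds the three read ACEs with This Object Only scope, then reads the ACL back to confirm. The account name is a placeholder, and the script assumes it is run on a forest-root-joined computer with Domain Admins credentials, as in step 1.

```powershell
# Added example, not from the original article. Grants List Contents, Read All
# Properties and Read Permissions ("This object only") on the Domain and System
# containers of the forest root domain, mirroring the ADSI Edit steps above.
param(
    # Placeholder: the domain\account that will run Prep Domain or other setup tasks.
    [string]$Account = 'CONTOSO\ocs-setup'
)

# Resolve the forest root domain naming context from RootDSE.
$rootNc     = ([ADSI]'LDAP://RootDSE').Get('rootDomainNamingContext')
$containers = @("LDAP://$rootNc", "LDAP://CN=System,$rootNc")

# The three check boxes in the Advanced Security dialog map onto these flags:
# List Contents = ListChildren, Read All Properties = ReadProperty,
# Read Permissions = ReadControl.
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
$identity = New-Object System.Security.Principal.NTAccount($Account)
$sid      = $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sidType  = [System.Security.Principal.SecurityIdentifier]
$authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users

foreach ($path in $containers) {
    $obj = [ADSI]$path
    $acl = $obj.psbase.ObjectSecurity

    # Step 3: act only on containers where the Authenticated Users ACE was removed.
    $authUsersAce = $acl.GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $authUsersSid -and $_.AccessControlType -eq 'Allow' }
    if ($authUsersAce) {
        Write-Host "$path : Authenticated Users ACE present, no change needed"
        continue
    }

    # Explicit Allow ACE; inheritance None is "This object only" (step 10).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    $obj.psbase.CommitChanges()

    # Re-read the ACL and confirm the ACE with all three rights is now present.
    $check = ([ADSI]$path).psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid -and
                       ($_.ActiveDirectoryRights -band $rights) -eq $rights }
    if (-not $check) { throw "Read ACEs for $Account not found on $path after commit" }
    Write-Host "$path : granted read ACEs to $Account"
}
```

Run it once per forest; the Authenticated Users check is what keeps it from adding redundant ACEs on containers that were never locked down.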