Delegating Server Administration (2007 R2 Beta)

[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]

To administer Office Communications Server Standard Edition or Enterprise Edition, a user must have an account in the DomainAdmins group or the RTCUniversalServerAdmins group. Some organizations do not want to grant membership in the DomainAdmins group to users or groups who only need to manage Office Communications Server. You can choose to add authorized users or groups to the RTCUniversalServerAdmins group, which is a universal group that can administer all servers in the forest. Delegating server administration instead allows you to grant a user or group only the subset of permissions required to administer a specific Office Communications Server.

When you delegate server administration, you grant the following permissions:

  • Read/write permissions to global settings
  • Read/write permissions to a computer organizational unit (OU) container
  • Optional Read permissions to a user OU container

Important

You must specify an existing global or universal group to which you want to delegate permissions. You cannot use a local group.

To delegate server administration

  1. Log on to a computer in the domain where you want to grant permissions. Use an account that is a member of the RTCUniversalServerAdmins and DomainAdmins groups or that has equivalent user rights.

  2. Use the following command:

    LcsCmd /Domain[:<domain FQDN>] /Action:CreateDelegation
    /Delegation:ServerAdmin /TrusteeGroup:<name of the universal group that you will delegate to>
    /TrusteeDomain:<FQDN of the domain where the trustee group resides>
    /ServiceAccount:<RTC service account name>
    /ComponentServiceAccount:<RTC component service account name>
    /ComputerOU:<DN of the OU or container where the computer objects that run Office Communications Server reside>
    /PoolName:<Name of an Enterprise pool or Standard Edition server>
    [/ExtraServers:<FQDN of server1, FQDN of server2>]


    Where:

    TrusteeGroup is the group to which you are granting permissions.

    TrusteeDomain is the domain in which the trustee group resides.

    ServiceAccount is the RTC service account name.

    ComponentServiceAccount is the RTC component service account name.

    ComputerOU is the DN of the organizational unit containing the computer running the server to which you are granting administrative permissions.

    PoolName is the name of the Standard Edition server or Enterprise pool in which the trustee group can administer servers. Specifying it adds the trustee group to the local Administrators group of each computer in the pool, to the AdminRole of the RTC database, and to the ReadWriteRole of the RTCConfig database on the SQL Server back-end database server.

    ExtraServers is a comma-separated list of FQDNs of computers that are not part of a pool but to which the trustee group requires access. You can enter the FQDNs of Archiving Servers, Monitoring (CDR and QoE) Servers, Mediation Servers, or the internal FQDN of edge servers (only if the edge servers are joined to the domain; edge servers in a workgroup cannot be delegated).
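The following PowerShell script is an added example and is not part of the Office Communications Server documentation or product. It wraps the procedure above in three steps: it checks that the trustee group is global or universal (the Important note rules out local groups) by reading the group's groupType attribute through ADSI, it runs LcsCmd /Action:CreateDelegation with the parameters listed above, and it then confirms that the trustee group has been added to the local Administrators group on each server named in ExtraServers. All parameter values, the group and server names, the OU distinguished name and the service account names are constructed placeholders; the script assumes LcsCmd.exe is on the PATH and that the account running it has the rights described in step 1. Pool members are not checked because the page does not describe how to enumerate them; add them to the list in step 3 if you know them.

```powershell
# Added example (not from the OCS 2007 R2 documentation). All values below are placeholders.
param(
    [string]   $Domain                  = 'corp.example.com',                       # domain where permissions are granted
    [string]   $TrusteeGroup            = 'OCS-Pool1-ServerAdmins',                 # global or universal group
    [string]   $TrusteeDomain           = 'corp.example.com',                       # domain holding the trustee group
    [string]   $ServiceAccount          = 'RTCService',                             # RTC service account
    [string]   $ComponentServiceAccount = 'RTCComponentService',                    # RTC component service account
    [string]   $ComputerOU              = 'OU=OCS Servers,DC=corp,DC=example,DC=com', # OU holding the server computer objects
    [string]   $PoolName                = 'pool1',                                  # Enterprise pool or Standard Edition server
    [string[]] $ExtraServers            = @('arch1.corp.example.com', 'med1.corp.example.com'), # non-pool servers
    [string]   $LcsCmdPath              = 'LcsCmd.exe'                              # assumes LcsCmd is on PATH
)

$ErrorActionPreference = 'Stop'

# Active Directory groupType flag bits. Security groups also carry 0x80000000,
# which makes the stored value negative; -band still isolates the scope bits.
$GLOBAL_GROUP       = 0x00000002
$DOMAIN_LOCAL_GROUP = 0x00000004
$UNIVERSAL_GROUP    = 0x00000008

# --- 1. Verify the trustee group exists and is global or universal ------------
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$TrusteeDomain"
$searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$TrusteeGroup))"
$match = $searcher.FindOne()
if ($null -eq $match) {
    throw "Trustee group '$TrusteeGroup' was not found in domain '$TrusteeDomain'."
}
$groupType = [int]$match.Properties['grouptype'][0]
if ($groupType -band $DOMAIN_LOCAL_GROUP) {
    throw "'$TrusteeGroup' is a domain local group; delegation requires a global or universal group."
}
if (-not ($groupType -band ($GLOBAL_GROUP -bor $UNIVERSAL_GROUP))) {
    throw "'$TrusteeGroup' has unexpected groupType $groupType; expected global or universal."
}
Write-Host "Trustee group scope OK (groupType=$groupType)."

# --- 2. Build and run the LcsCmd delegation command ---------------------------
$lcsArgs = @(
    "/Domain:$Domain",
    '/Action:CreateDelegation',
    '/Delegation:ServerAdmin',
    "/TrusteeGroup:$TrusteeGroup",
    "/TrusteeDomain:$TrusteeDomain",
    "/ServiceAccount:$ServiceAccount",
    "/ComponentServiceAccount:$ComponentServiceAccount",
    "/ComputerOU:$ComputerOU",
    "/PoolName:$PoolName"
)
if ($ExtraServers.Count -gt 0) {
    # ExtraServers takes a comma-separated list of FQDNs
    $lcsArgs += "/ExtraServers:$($ExtraServers -join ',')"
}
Write-Host "Running: $LcsCmdPath $($lcsArgs -join ' ')"
& $LcsCmdPath @lcsArgs
if ($LASTEXITCODE -ne 0) {
    throw "LcsCmd returned exit code $LASTEXITCODE; delegation was not completed."
}

# --- 3. Confirm the group is now a local Administrator on each extra server ---
# Uses the WinNT ADSI provider; requires administrative rights on each remote computer.
foreach ($server in $ExtraServers) {
    $admins  = [ADSI]"WinNT://$server/Administrators,group"
    $members = @($admins.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains $TrusteeGroup) {
        Write-Host "OK      $server : $TrusteeGroup is in local Administrators."
    } else {
        Write-Warning "MISSING $server : $TrusteeGroup not found in local Administrators."
    }
}
```

Run it from the computer described in step 1 and supply your own values for every parameter; the groupType check fails closed, so a domain local group is rejected before LcsCmd is ever invoked, and a non-zero LcsCmd exit code stops the script before the post-check reports a misleading result.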