Delegating Server Administration

Topic Last Modified: 2009-01-23

To administer Office Communications Server 2007 R2 Standard Edition or Office Communications Server 2007 R2 Enterprise Edition, a user must have an account that is a member of the DomainAdmins group or the RTCUniversalServerAdmins group. Some organizations do not want to grant membership in the DomainAdmins group to users or groups who only need to manage Office Communications Server. You can choose to add authorized users or groups to the RTCUniversalServerAdmins group, which is a universal group that can administer all servers in the forest. By delegating server administration, you can instead grant a user or group only the subset of permissions required to administer a specific Office Communications Server.

When you delegate server administration, you grant the following permissions:

  • Read/write permissions to global settings
  • Read/write permissions to a computer organizational unit (OU) container
  • Optional Read permissions to a user OU container

Important

You must specify an existing global or universal group to which you want to delegate permissions. You cannot use a local group.

To delegate server administration

  1. Log on to a computer in the domain where you want to grant permissions. Use an account that is a member of the RTCUniversalServerAdmins and DomainAdmins groups or that has equivalent user rights.

  2. Open a command prompt and then type the following command:

    LcsCmd /Domain[:<domain FQDN>] /Action:CreateDelegation
    /Delegation:ServerAdmin /TrusteeGroup:<name of the universal group that you will delegate to>
    /TrusteeDomain:<FQDN of the domain where the trustee group resides>
    /ServiceAccount:<RTC service account name>
    /ComponentServiceAccount:<RTC component service account name>
    /ComputerOU:<DN of the OU or container where the computer objects that run Office Communications Server reside>
    /PoolName:<Name of an Enterprise pool or Standard Edition server>
    [/ExtraServers:<FQDN of server1, FQDN of server2>]


    Where:

    TrusteeGroup is the group to which you are granting permissions.

    TrusteeDomain is the domain in which the trustee group resides.

    ServiceAccount is the Real-time Communications (RTC) service account name.

    ComponentServiceAccount is the RTC component service account name.

    ComputerOU is the distinguished name (DN) of the OU containing the computer running the server to which you are granting administrative permissions.

    PoolName is the name of the Standard Edition server or Enterprise pool in which the trustee group can administer servers. Specifying it adds the trustee group to the Local Administrators group of each computer in the pool, to the AdminRole of the RTC database, and to the ReadWriteRole of the RTCConfig database on the SQL Server back-end database server.

    ExtraServers is a comma-separated list of fully qualified domain names (FQDNs) of computers that are not part of a pool but to which the trustee group requires access. You can enter the FQDN of Archiving Servers, Monitoring Servers (that is, Call Detail Recording (CDR) and Quality of Experience (QoE)), Mediation Servers, or the internal FQDN of Edge Servers (only if the Edge Servers are domain-joined; Edge Servers in a workgroup cannot be delegated).
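Because the delegation rejects a local group and needs an existing computer OU, it is worth checking both before running LcsCmd. The following PowerShell script is an added example and is not part of the original article or of LcsCmd itself; the group name, domain FQDN and OU distinguished name are assumed sample values, and the script only reads Active Directory.

```powershell
# Added example, not from the original article: pre-flight checks for the trustee
# group and computer OU before running LcsCmd /Action:CreateDelegation.
# The group name, domain and OU DN below are assumed sample values.
$TrusteeGroup  = 'OCS-ServerAdmins-Pool01'            # assumed sample group
$TrusteeDomain = 'contoso.com'                        # assumed sample domain FQDN
$ComputerOU    = 'OU=OCS Servers,DC=contoso,DC=com'   # assumed sample OU DN

# Bit flags of the Active Directory groupType attribute
$GT_GLOBAL      = 0x2
$GT_DOMAINLOCAL = 0x4
$GT_UNIVERSAL   = 0x8

# Look up the trustee group in the trustee domain
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$TrusteeDomain"
$searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$TrusteeGroup))"
$group = $searcher.FindOne()
if (-not $group) { throw "Group '$TrusteeGroup' not found in domain $TrusteeDomain" }

$groupType = [int32]$group.Properties['grouptype'][0]

# Security-enabled groups carry the 0x80000000 bit, which makes the Int32 negative.
# A distribution group cannot be granted permissions on directory objects.
if ($groupType -ge 0) {
    throw "Group '$TrusteeGroup' is a distribution group, not a security group"
}

# The delegation requires a global or universal group; a domain local group cannot be used.
if ($groupType -band $GT_DOMAINLOCAL) {
    throw "Group '$TrusteeGroup' is a domain local group; use a global or universal group"
}
$scope = if ($groupType -band $GT_UNIVERSAL) { 'universal' }
         elseif ($groupType -band $GT_GLOBAL) { 'global' }
         else { 'unknown' }

# The OU passed as /ComputerOU must exist, or there is nothing to set permissions on
if (-not [ADSI]::Exists("LDAP://$ComputerOU")) {
    throw "Computer OU '$ComputerOU' does not exist"
}

Write-Output "Trustee group '$TrusteeGroup' is a $scope security group."
Write-Output "Computer OU '$ComputerOU' exists. Prerequisites for CreateDelegation are satisfied."
```

Run it from the same domain-joined computer and account you will use in step 1, so the directory lookups are performed with the credentials that LcsCmd will use.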