Delegating Read-Only Server Administration

Topic Last Modified: 2009-01-23

To administer Office Communications Server in a read-only capacity, a user must have an account in the DomainAdmins group or the RTCUniversalReadOnlyAdmins group. Some organizations do not want to grant DomainAdmins membership to users or groups who only need to view the properties of Office Communications Server. Instead, you can add those users or groups to the RTCUniversalReadOnlyAdmins group or the RTCUniversalServerReadOnlyGroup, which are universal groups that have read-only administration permissions for all servers in the forest. By delegating read-only server administration, you can go further and grant a user or group only the subset of permissions required to perform read-only administration for a specific Office Communications Server.

Membership in a read-only server administration group can be useful for troubleshooting server issues on a specific server.

When you delegate read-only server administration, you grant the following permissions:

  • Read permission to global settings.
  • Read permission to a specified computer organizational unit (OU).
  • Membership in the RTC Local Read-Only Administrators group on all servers within a specified pool or on the local Standard Edition server.
  • ReadOnlyRole on the pool or server Real-time Communications (RTC) and RTCConfig databases.

To delegate read-only server administration

  1. Log on to a computer in the domain where you want to grant permissions. Use an account that is a member of both RTCUniversalServerAdmins and DomainAdmins, or that has equivalent user rights.

  2. Use the following command:

    LcsCmd /Domain[:<domain FQDN>] /Action:CreateDelegation
    /Delegation:ReadOnlyAdmin /TrusteeGroup:<name of the universal group that you will delegate to>
    /TrusteeDomain:<FQDN of the domain where the trustee group resides>
    /ServiceAccount:<RTC service account name>
    /ComponentServiceAccount:<RTC component service account name>
    /ComputerOU:<DN of the OU or container where the computer objects that run Office Communications Server reside>
    /PoolName:<Name of a Standard Edition server or an Enterprise pool>
    [/ExtraServers:<FQDN of server1, FQDN of server2>]

    Where:

    TrusteeGroup is the group to which you are granting permissions.

    TrusteeDomain is the domain in which you are granting permissions.

    ServiceAccount is the RTC service account name.

    ComponentServiceAccount is the RTC component service account name.

    ComputerOU is the distinguished name (DN) of the OU containing the computer running the server to which you are granting the trustee group read-only administrative permissions.

    PoolName is the name of the Standard Edition server or Enterprise pool in which the trustee group can perform read-only server administration. Specifying it also adds the trustee group to the Local Administrators group of each computer in the pool and to the ReadOnlyRole of the SQL Server back-end databases.

    ExtraServers is a comma-separated list of fully qualified domain names (FQDNs) of computers to which the group requires access but that are not part of the pool. You can enter the FQDNs of Archiving Servers, Monitoring Servers (that is, Call Detail Recording (CDR) and Quality of Experience (QoE) servers), Mediation Servers, or the internal FQDNs of Edge Servers (only if the Edge Servers are domain-joined; Edge Servers in a workgroup cannot be delegated).
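The following PowerShell script is an added example, not part of the original page or of the Office Communications Server product. It runs the delegation command above for one Enterprise pool with every parameter filled in, and then checks that the grant landed exactly where the page says it should: in the RTC Local Read-Only Administrators group on each server (read remotely through the WinNT ADSI provider) and in the ReadOnlyRole of the rtc and rtcconfig databases (read with sqlcmd and the built-in sp_helprolemember procedure). All domain, group, server and account names are constructed placeholders; it also assumes that LcsCmd.exe and sqlcmd.exe are on the PATH, that the account running the script can query the servers, and that the back-end SQL Server instance is named rtc, none of which the page states.

```powershell
# Added example, not code from the original page. Every name below is a
# constructed placeholder; replace it with the values from your deployment.
# Assumptions: LcsCmd.exe and sqlcmd.exe are on the PATH, the caller can read
# local groups on the target servers, and the back-end instance is named 'rtc'.

$DomainFqdn     = 'corp.example.com'
$TrusteeGroup   = 'OCS-Pool01-ReadOnlyAdmins'     # universal group created beforehand
$TrusteeDomain  = 'corp.example.com'
$ServiceAccount = 'RTCService'
$ComponentSvc   = 'RTCComponentService'
$ComputerOU     = 'OU=OCS Servers,DC=corp,DC=example,DC=com'
$PoolName       = 'pool01'
$PoolServers    = @('fe01.corp.example.com', 'fe02.corp.example.com')
$ExtraServers   = 'arch01.corp.example.com,med01.corp.example.com'

# Step 2 of the procedure: each switch maps to one of the parameters above.
& LcsCmd.exe "/Domain:$DomainFqdn" '/Action:CreateDelegation' '/Delegation:ReadOnlyAdmin' `
    "/TrusteeGroup:$TrusteeGroup" "/TrusteeDomain:$TrusteeDomain" `
    "/ServiceAccount:$ServiceAccount" "/ComponentServiceAccount:$ComponentSvc" `
    "/ComputerOU:$ComputerOU" "/PoolName:$PoolName" "/ExtraServers:$ExtraServers"

if ($LASTEXITCODE -ne 0) {
    throw "LcsCmd exited with code $LASTEXITCODE; review its log before relying on the delegation."
}

# Check 1: the trustee group must now be a member of the local
# 'RTC Local Read-Only Administrators' group on every pool and extra server.
$AllServers = $PoolServers + ($ExtraServers -split ',')
foreach ($Server in $AllServers) {
    $Group   = [ADSI]"WinNT://$Server/RTC Local Read-Only Administrators,group"
    $Members = @($Group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($Members -contains $TrusteeGroup) {
        Write-Host "$Server : $TrusteeGroup is in RTC Local Read-Only Administrators"
    } else {
        Write-Warning "$Server : $TrusteeGroup is missing; the delegation did not reach this server"
    }
}

# Check 2: the trustee group should appear under ReadOnlyRole in both back-end
# databases. Any other role listed for it would mean more than read-only access.
$SqlInstance = 'sql01.corp.example.com\rtc'   # assumed instance name
foreach ($Db in 'rtc', 'rtcconfig') {
    Write-Host "--- $Db ---"
    sqlcmd -S $SqlInstance -d $Db -E -Q "EXEC sp_helprolemember 'ReadOnlyRole'"
}
```

Run the script from a machine in the domain with an account that meets the requirements in step 1. The two checks are what make the delegation auditable: the first confirms that membership was granted on every server you expect and flags any server the command skipped, and the second shows the group's role assignment in each database so you can confirm it holds ReadOnlyRole rather than a broader role.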