Changes made by Grant-CsOUPermission in Skype for Business Server

To delegate Skype for Business Server administration, you can add permissions to specified organizational units (OUs) so that members of the RTC universal groups created by forest preparation can access the OUs without being members of the Domain Admins group.

The Grant-CsOUPermission cmdlet grants permissions on objects in the specified OU, as listed in the following tables.

Granting Permission for User Objects

When you run the Grant-CsOUPermission cmdlet for User objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for User Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Public-Information; Read General-Information; Read User-Account-Restrictions | Descendant User objects |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write msExchUCVoiceMailSettings; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant User objects |
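
To check that an OU carries only the write delegation listed above for RTCUniversalUserAdmins, you can read the OU's ACL and resolve each ACE's GUIDs to names. The script below is an added example, not part of the original documentation; the OU distinguished name is a constructed placeholder, and it assumes the ActiveDirectory module is installed and that the RTC property sets resolve by name through the Extended-Rights container.

```powershell
# Added example: audit write ACEs held by RTCUniversalUserAdmins on one OU.
# Requires the ActiveDirectory module (RSAT). $OuDn is a constructed placeholder.
Import-Module ActiveDirectory
$OuDn = 'OU=Staff,DC=example,DC=com'

# Write targets the table above lists for User objects.
$Documented = @(
    'RTCUserSearchPropertySet', 'msExchUCVoiceMailSettings',
    'RTCUserProvisioningPropertySet', 'RTCPropertySet', 'proxyAddresses'
)

# Map ACE GUIDs to names: schema attributes and classes first,
# then property sets and extended rights.
$root  = Get-ADRootDSE
$names = @{}
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $names[[guid]$_.rightsGuid] = $_.name }

$WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.IdentityReference -like '*\RTCUniversalUserAdmins' -and
        $_.AccessControlType -eq 'Allow' -and
        # The bit test also matches GenericWrite and GenericAll.
        ($_.ActiveDirectoryRights -band $WriteProperty) -eq $WriteProperty
    } |
    ForEach-Object {
        # An empty ObjectType GUID means the ACE covers every property.
        $target = if ($_.ObjectType -eq [guid]::Empty) { '(all properties)' }
                  else { $names[$_.ObjectType] }
        $scope  = if ($_.InheritedObjectType -eq [guid]::Empty) { '(any class)' }
                  else { $names[$_.InheritedObjectType] }
        [pscustomobject]@{
            Target      = $target
            AppliesTo   = $scope
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
            Rights      = $_.ActiveDirectoryRights
            Documented  = $Documented -contains $target
        }
    } |
    Sort-Object Documented, Target
```

Rows with `Documented` set to `False` are write grants to the group beyond the User-object table and are worth reviewing; if Grant-CsOUPermission was also run for Contact, Device or InetOrgPerson objects on the same OU, compare those rows against the corresponding tables instead.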

Granting Permission for Computer Objects

When you run the Grant-CsOUPermission cmdlet for Computer objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for Computer Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read Public-Information; Read Validated-DNS-Host-Name | Descendant Computer objects |
| RTCUniversalUserAdmins | Read Public-Information; Read Validated-DNS-Host-Name | Descendant Computer objects |

Granting Permission for Contact or AppContact Objects

When you run the Grant-CsOUPermission cmdlet for Contact objects or AppContact objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for Contact or AppContact Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Public-Information; Read General-Information; Read Personal-Information; Read User-Account-Restrictions | Descendant Contact objects |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write otherIpPhone; Write displayName; Write description; Write telephoneNumber; Write msExchUCVoiceMailSettings; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant Contact objects |

Granting Permission for Device Objects

When you run the Grant-CsOUPermission cmdlet for Device objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for Device Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Public-Information; Read Personal-Information; Read General-Information; Read User-Account-Restrictions | Descendant Contact objects |
| RTCUniversalUserAdmins | Create child; Delete child; Delete tree | Contact |
| RTCUniversalUserAdmins | Write displayName; Write description; Write telephoneNumber | Descendant User objects |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write otherIpPhone; Write displayName; Write description; Write telephoneNumber; Write msExchUCVoiceMailSettings; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant Contact objects |

Granting Permission for InetOrgPerson Objects

When you run the Grant-CsOUPermission cmdlet for InetOrgPerson objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for InetOrgPerson Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Personal-Information; Read Public-Information; Read General-Information; Read User-Account-Restrictions | Descendant inetOrgPerson objects |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant inetOrgPerson objects |