Scenario 2: Permissions Inheritance Is Disabled on Computers, Users, or InetOrgPerson Containers

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

In a locked-down Active Directory, Users and Computer objects are often placed in specific OUs with permissions inheritance disabled, to help secure administrative delegation and to enable use of GPOs to enforce security policies.

Prep Domain and server activation set the ACEs required by Office Communications Server in the forest root domain. When permissions inheritance is disabled, the Office Communications Server security groups cannot inherit these ACEs from the domain root. When these permissions are not inherited, Office Communications Server security groups cannot access settings stored in the forest root domain, and the following two issues arise:

  • To administer Users, InetOrgPersons, and Contacts, and to operate servers, the Office Communications Server security groups require the ACEs that the Prep Domain procedure sets on each user's property sets (RTC, RTC User Search, and Public Information). When permissions inheritance is disabled, the security groups do not inherit these ACEs and cannot manage servers or users.

  • To discover servers and pools, Office Communications Server servers rely on the ACEs that activation sets on computer-related objects, including the Microsoft Container and the Server object. When permissions inheritance is disabled, security groups, servers, and pools do not inherit these ACEs and therefore cannot use them.

To address these issues, Office Communications Server provides an additional Active Directory preparation procedure called CreateLcsOuPermissions, available from the command-line deployment tool, LcsCmd.exe. This procedure sets required Office Communications Server ACEs directly on a specified container and the objects within the container.

The following sections explain how to grant these permissions:

  • Set Permissions on User, InetOrgPerson, and Contact Containers after Running Prep Domain.

  • Set Permissions on Computer Containers after Running Prep Domain.

Setting Permissions on User, InetOrgPerson, and Contact Containers after Running Prep Domain

In a locked-down Active Directory during Prep Domain, the necessary ACEs on the Users or InetOrgPerson containers within the domain are not set if permissions inheritance is disabled.

After running Prep Domain in a domain, run CreateLcsOuPermissions on each container with User or InetOrgPerson objects where permissions inheritance is disabled. If you have deployed a central forest topology, you must also run CreateLcsOuPermissions on the container with Contact objects. This procedure adds the required ACEs directly on the specified containers and on the User or InetOrgPerson objects within the container. When you run CreateLcsOuPermissions, specify the object type using the /objectType parameter.

Domain Admins credentials are required to run this procedure. If the authenticated user ACEs have also been removed, you must grant this account read-access ACEs on the relevant containers in the forest root domain as described earlier in Scenario 1: Authenticated User Permissions Are Removed, or use an account with Enterprise Admins credentials.

To run Create OU Permissions using LcsCmd.exe

  1. Log on to a computer joined to the domain with an account that has the Domain Admins or equivalent credentials.

  2. Run:

    LcsCmd.exe /domain[:<FQDN of domain where the OUs are located>] /action:CreateLcsOuPermissions /ou:<DN name for the OU container relative to the domain root container DN> /objectType:<type of object to create Office Communications Server ACEs for - user, InetOrgPerson, contact>
    

    For example:

    LcsCmd.exe /domain /action:CreateLcsOuPermissions /ou:"OU=usersOU" /objectType:user
    
  3. Verify that the CreateLcsOuPermissions procedure succeeded by checking that the LcsCmd log file indicates "Success" and does not contain any errors. You can also run:

    LcsCmd.exe /domain[:<FQDN of domain where the OUs are located>] /action:CheckLcsOuPermissions /ou:<DN name for the OU container relative to the domain root container DN> /objectType:<type of object - user, InetOrgPerson, contact>
    

Setting Permissions on Computer Containers after Running Prep Domain

In a locked-down Active Directory during Prep Domain, the necessary ACEs on the Computer containers within the domain are not set if permissions inheritance is disabled.

After running Prep Domain in a domain, run CreateLcsOuPermissions on each container with computers running Office Communications Server where permissions inheritance is disabled. This procedure adds the required ACEs directly on the specified containers. When you run CreateLcsOuPermissions, specify the object type using the /objectType parameter.

Domain Admins credentials are required to run this procedure. If the authenticated user ACEs have also been removed, you must grant this account read-access ACEs on the relevant containers in the forest root domain as described earlier in Scenario 1: Authenticated User Permissions Are Removed, or use an account with Enterprise Admins credentials.

To set the required ACEs on the Computer containers

  1. Log on to the domain computer with an account that has the credentials previously described.

  2. Run:

    LcsCmd.exe /domain[:<FQDN of domain where the computer OU is located>] /action:CreateLcsOuPermissions /ou:<DN name for the computer OU container relative to the domain root container DN> /objectType:<computer>
    

    For example:

    LcsCmd.exe /domain:resources.corp.woodgrovebank.com /action:CreateLcsOuPermissions /ou:"OU=computersOU" /objectType:computer
    
  3. Verify that the CreateLcsOuPermissions procedure succeeded by checking that the LcsCmd log file indicates "Success" and does not contain any errors. You can also run:

    LcsCmd.exe /domain[:<FQDN of domain where the computer OU is located>] /action:CheckLcsOuPermissions /ou:<DN name for the computer OU container relative to the domain root container DN> /objectType:<computer> 
    

    Note

    If you are running Prep Domain on the forest root domain in a locked-down Active Directory environment, be aware that Office Communications Server requires access to the Schema and Configuration containers in Active Directory.
    If the default authenticated user permission has been removed from the Schema or Configuration containers in Active Directory, only Schema Admins or Enterprise Admins are permitted to access those containers. Because Setup.exe, LcsCmd.exe, and the administrative snap-in require access to these containers, Setup and installation of the administrative tools fail unless the user running the installation has Schema Admins and Enterprise Admins credentials.
    To remedy this situation, you must grant the RTCUniversalGlobalReadOnlyGroup group access to the Schema and Configuration containers.
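Both procedures above start from the same question: which OUs in the domain have permissions inheritance blocked, and what kinds of objects do they hold? The following PowerShell script is an added example, not part of the original page and not Microsoft's code. It audits every OU in a domain, reports whether inheritance is blocked and how many ACEs already reference the OCS groups (assuming, as an assumption, that those group names start with "RTC"), and for each blocked OU prints the CreateLcsOuPermissions and CheckLcsOuPermissions command lines built from the syntax shown on this page. The function name Get-LcsOuPermissionAudit is made up for this example; the ActiveDirectory module and its AD: drive are standard.

```powershell
# Added example (not from the original page): pre-flight audit for the
# CreateLcsOuPermissions procedure. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# LDAP filters that select exactly one LcsCmd /objectType each. Note that
# inetOrgPerson and computer are both subclasses of "user" in the AD schema,
# so the plain user filter must exclude them explicitly.
$ObjectTypeFilters = [ordered]@{
    'user'          = '(&(objectCategory=person)(objectClass=user)(!(objectClass=inetOrgPerson)))'
    'InetOrgPerson' = '(objectClass=inetOrgPerson)'
    'contact'       = '(objectClass=contact)'
    'computer'      = '(objectClass=computer)'
}

function Get-LcsOuPermissionAudit {
    [CmdletBinding()]
    param(
        # Domain to audit; defaults to the domain of the current computer.
        [string]$DomainFqdn = (Get-ADDomain).DNSRoot,
        # Assumption: the OCS universal groups are named RTC*; adjust if needed.
        [string]$GroupPrefix = 'RTC'
    )

    $domainDn = (Get-ADDomain -Identity $DomainFqdn).DistinguishedName

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -Server $DomainFqdn -SearchBase $domainDn) {
        $dn = $ou.DistinguishedName

        # The /ou parameter wants the DN relative to the domain root, e.g. "OU=usersOU".
        $relativeDn = $dn.Substring(0, $dn.Length - $domainDn.Length - 1)

        # Security descriptor of the OU itself. AreAccessRulesProtected is true
        # exactly when "Include inheritable permissions from this object's parent"
        # has been cleared, i.e. when inheritance is disabled on this container.
        $acl = Get-Acl -Path "AD:\$dn"
        $inheritanceBlocked = $acl.AreAccessRulesProtected
        $rtcAceCount = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$GroupPrefix*"
        }).Count

        # Which LcsCmd object types are represented directly under this OU?
        $typesPresent = foreach ($type in $ObjectTypeFilters.Keys) {
            $hit = Get-ADObject -Server $DomainFqdn -SearchBase $dn -SearchScope OneLevel `
                                -LDAPFilter $ObjectTypeFilters[$type] -ResultSetSize 1
            if ($hit) { $type }
        }

        # Build the command lines from the page's syntax only where they are needed:
        # inheritance blocked AND objects of that type actually live here.
        $commands = @()
        if ($inheritanceBlocked) {
            foreach ($type in $typesPresent) {
                $commands += "LcsCmd.exe /domain:$DomainFqdn /action:CreateLcsOuPermissions /ou:`"$relativeDn`" /objectType:$type"
                $commands += "LcsCmd.exe /domain:$DomainFqdn /action:CheckLcsOuPermissions /ou:`"$relativeDn`" /objectType:$type"
            }
        }

        [pscustomobject]@{
            DistinguishedName  = $dn
            RelativeDn         = $relativeDn
            InheritanceBlocked = $inheritanceBlocked
            RtcAceCount        = $rtcAceCount
            ObjectTypes        = ($typesPresent -join ', ')
            SuggestedCommands  = $commands
        }
    }
}

# Usage: list only the OUs that need attention, using the domain from the page's example.
Get-LcsOuPermissionAudit -DomainFqdn 'resources.corp.woodgrovebank.com' |
    Where-Object InheritanceBlocked |
    Format-List DistinguishedName, RtcAceCount, ObjectTypes, SuggestedCommands
```

An OU that reports InheritanceBlocked as true with RtcAceCount of 0 is precisely the case this scenario describes; after running the suggested CreateLcsOuPermissions command, re-running the audit should show a non-zero RtcAceCount for that OU. The script only distinguishes computer OUs by the presence of computer objects, so apply the page's narrower rule (containers holding computers that run Office Communications Server) when deciding which of the suggested commands to execute.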