Appendix A: How to Prepare a Locked Down Active Directory

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Organizations often lock down Active Directory to help mitigate security risks, using a variety of procedures. However, Active Directory lockdown can circumscribe the permissions required by applications, including Office Communications Server. This section documents the additional considerations and steps to properly prepare a locked down Active Directory for Office Communications Server.

The following two common conditions in a locked down Active Directory can cause problems for Communications Server deployment:

  • Authenticated user ACEs are removed from containers.

  • Permissions inheritance is disabled on containers of User, Contact, InetOrgPerson, or Computer objects.

The following tables describe the issues and solutions required for each condition.

Table A-1. Issues and Solutions to Active Directory Lockdown Conditions - Authenticated user ACEs are removed from containers

Active Directory Lockdown Issue: Additional permissions are required to enable a user to run Prep Domain, Activation, and Create Pool.

Solution: Using an account with Domain Admin credentials is always required to run Prep Domain, Activation, and Create Pool.

In a locked down environment, you must also explicitly grant this account read-access permissions on relevant containers in the forest root, because these permissions are removed by Active Directory lock-down procedures.

Alternatively, use an account with Enterprise Admins credentials to run these procedures.

Table 7. Issues and Solutions to Active Directory Lockdown Conditions - Permissions inheritance disabled on containers of User, InetOrgPerson, Contact, and Computer objects

Active Directory Lockdown Issue: Setting additional ACEs on User object containers.

Solution: To set ACEs for service and administrative groups, run the CreateLcsOuPermissions procedure directly on each container of User objects in the domain. If your organization uses Contact or InetOrgPerson objects in your Office Communications Server deployment, run the CreateLcsOuPermissions procedure directly on each of these containers as well.

Active Directory Lockdown Issue: Setting ACEs on Computer object containers.

Solution: To set ACEs for the service and administrative groups, run the CreateLcsOuPermissions procedure on each container of Computer objects.
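As an added diagnostic example (not part of the Office Communications Server documentation), the following PowerShell reports which containers of User, Contact, InetOrgPerson, or Computer objects in the current domain show either lockdown condition described above, so that the CreateLcsOuPermissions step and the read-access grants can be targeted at exactly those containers. It assumes the ActiveDirectory PowerShell module (its AD: drive, Get-ADObject and Get-ADDomain) is available; the function name Test-LockdownCondition is my own.

```powershell
# Added example: detect the two Active Directory lockdown conditions on the
# containers that hold User, Contact, InetOrgPerson or Computer objects.
# Assumes the ActiveDirectory module and a domain-joined, read-capable account.
Import-Module ActiveDirectory

function Test-LockdownCondition {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # Get-Acl on the AD: drive returns the container's ActiveDirectorySecurity.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    # Condition 2: permissions inheritance is disabled on the container
    # (the ACL is protected from ACEs inherited from its parent).
    $inheritanceDisabled = $acl.AreAccessRulesProtected

    # Condition 1: no Authenticated Users ACE, explicit or inherited, remains.
    $authUsersAces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users'
    })

    [pscustomobject]@{
        Container                    = $DistinguishedName
        AuthenticatedUsersAceMissing = ($authUsersAces.Count -eq 0)
        InheritanceDisabled          = $inheritanceDisabled
    }
}

# Collect the parent container of every object of the four classes named above.
# The DN is split at the first unescaped comma to obtain the parent's DN.
$ldapFilter = '(|(objectClass=user)(objectClass=contact)(objectClass=inetOrgPerson)(objectClass=computer))'
$containers = Get-ADObject -LDAPFilter $ldapFilter -SearchBase (Get-ADDomain).DistinguishedName |
    ForEach-Object { ($_.DistinguishedName -split '(?<!\\),', 2)[1] } |
    Sort-Object -Unique

# Report only the containers that exhibit at least one lockdown condition;
# these are the ones that need CreateLcsOuPermissions or explicit read access.
$containers |
    ForEach-Object { Test-LockdownCondition -DistinguishedName $_ } |
    Where-Object { $_.AuthenticatedUsersAceMissing -or $_.InheritanceDisabled } |
    Format-Table -AutoSize
```

Run it once before Prep Domain and again after applying the fixes; an empty report means neither condition remains on any relevant container.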

The following sections explain how to prepare Active Directory when authenticated users' ACEs are removed or permission inheritance is disabled: