Delegating Communicator Web Access Activation

[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]

To activate Microsoft® Office Communicator Web Access server, you must be logged on as a member of either the DomainAdmins group or a group with equivalent user rights. If you do not want to add an administrator to the DomainAdmins group, you can still allow that administrator to activate the server by creating a new security group, granting the security group only the rights and permissions that are required to run the Communicator Web Access Activation Wizard, and adding the administrator to the new security group.

The following permissions are required to run the Communicator Web Access Activation Wizard:

  • Rights equivalent to membership in the Administrators group on the local computer.
  • Permissions on the Office Communications Server 2007 R2 global container RTC Service, to create and delete global settings.
  • Permissions on the container that contains the RTCUniversalServerAdmins group and the RTCHSUniversalServices group to create and delete accounts.
  • Read and Write permissions on the service account that is specified during activation.

Granting a user the rights to activate Communicator Web Access entails the following high-level steps. Each step is described in detail in the procedures that follow.

Note

To perform the steps shown here, you can use Dsa.msc. You can download the Windows Server 2003 Service Pack 1 Administration Tools Pack from https://go.microsoft.com/fwlink/?LinkId=125772.

  1. Create a service account for Communicator Web Access that will be specified during activation, and add this account to the RTCHSUniversalServices security group.
  2. Create a global security group and give it a name, for example, CWAServerAdmins.
  3. Grant the new security group the permissions necessary to create and delete global settings. The group must have the following permissions on the RTC Service object: Read, Create All Child Objects, and Delete All Child Objects.
  4. Grant the new security group the permissions necessary to create and delete accounts. The group must have the following permissions on the Users container (or the container that contains the RTCUniversalServerAdmins group and the RTCHSUniversalServices group): Read, Create All Child Objects, and Delete All Child Objects.
  5. Grant the new security group Read and Write permissions on the service account that will be specified during activation.
  6. Add the administrator's user account to the new security group, so that the administrator can run the Communicator Web Access Activation Wizard without membership in the DomainAdmins group.

To create a service account that will be specified during activation

  1. Log on to a computer as a member of the DomainAdmins group for the domain where you will deploy Communicator Web Access.

  2. Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.

  3. In the scope pane, expand the domain node, right-click Users, click New, and then click User.

  4. In the First name box, type the account name (for example, CWAServiceAccount).

  5. In the User logon name box, type the same account name, and then click Next.

  6. In the Password box, type a password.

  7. In the Confirm password box, type the same password.

  8. Clear the User must change password at next logon check box, click Next, and then click Finish.

  9. In the details pane, right-click RTCHSUniversalServices, and then click Properties.

  10. Click the Security tab.

  11. Click Add. Under Enter the object names to select, type the service account name, and then click OK.

To create a security group

  1. Log on to a computer as a member of the DomainAdmins group for the domain where you will deploy Communicator Web Access.

  2. Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.

  3. In the Active Directory Users and Computers scope pane, right-click Users, click New, and then click Group.

  4. In Group name, type the group name (for example, CWAServerAdmins). Under Group Scope, accept the default Global. Under Group type, accept the default Security.

  5. Click OK.

To grant the required global permissions to the security group

  1. Log on to a computer as a member of the DomainAdmins group for the domain where you will deploy Communicator Web Access.

  2. Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.

  3. On the View menu, click Advanced Features.

  4. In the scope pane, expand the root domain node, expand System, expand Microsoft, and then expand RTC Service.

  5. Right-click Global Settings, and then click Properties.

  6. Click the Security tab, and then click Add.

  7. In the Enter the object names to select box, type the name of the global security group (for example, CWAServerAdmins), and then click OK.

  8. Next to the following permissions, click Allow:

    • Read
    • Create All Child Objects
    • Delete All Child Objects

  9. Click OK.

To grant permissions required to create and delete accounts to the security group

  1. Log on to a computer as a member of the DomainAdmins group for the domain where you will deploy Communicator Web Access.

  2. Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.

  3. In the Active Directory Users and Computers scope pane, expand the node of the domain where Communicator Web Access will be installed. Right-click Users (or the container that contains the RTCUniversalServerAdmins group and the RTCHSUniversalServices group), and then click Properties.

  4. Click the Security tab, and then click Add.

  5. In the Enter the object names to select box, type the name of the global security group (for example, CWAServerAdmins), and then click OK.

  6. Next to the following permissions, click Allow:

    • Read
    • Create All Child Objects
    • Delete All Child Objects

  7. Click OK.

To grant permissions on the service account to the security group

  1. Log on to a computer as a member of the DomainAdmins group for the domain where you will deploy Communicator Web Access.

  2. Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.

  3. In the Active Directory Users and Computers scope pane, click Users. In the details pane, right-click the service account you created (for example, CWAServiceAccount), and then click Properties.

  4. Click the Security tab, and then click Add.

  5. Under Enter the object names to select, type the name of the global security group (for example, CWAServerAdmins), and then click OK.

  6. Next to the following permissions, click Allow:

    • Read
    • Write

  7. Click OK.

To add a user to the security group

  1. In the Active Directory Users and Computers details pane, right-click the name of the global security group (for example, CWAServerAdmins), and then click Properties. Click the Members tab.

  2. Click Add. Under Enter the object names to select, type the user account name, and then click OK twice.

    The user now has the rights necessary to run the Communicator Web Access Activation Wizard.
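
To confirm that the delegation above left the security group with exactly the listed permissions and nothing broader, the following PowerShell script reads the explicit Allow entries for the group on each of the three objects and reports missing or excess rights. It is an added example, not part of the original documentation. The domain `DC=example,DC=com`, the NetBIOS name `EXAMPLE`, and the mapping of the Security tab's Read and Write check boxes to `GenericRead` and `GenericWrite` are assumptions; the group and account names are the page's own examples, and the Global Settings path follows the navigation steps given above.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# Assumptions (not from the original page): domain DN and NetBIOS name.
$domainDn = 'DC=example,DC=com'
$group    = 'EXAMPLE\CWAServerAdmins'
$R        = [System.DirectoryServices.ActiveDirectoryRights]

# Expected rights per object. Assumption: "Read"/"Write" in the Security tab
# correspond to GenericRead/GenericWrite; Create/Delete All Child Objects
# correspond to CreateChild/DeleteChild.
$container = [int]$R::GenericRead -bor [int]$R::CreateChild -bor [int]$R::DeleteChild
$expected = @{
    "CN=Global Settings,CN=RTC Service,CN=Microsoft,CN=System,$domainDn" = $container
    "CN=Users,$domainDn"                                                 = $container
    "CN=CWAServiceAccount,CN=Users,$domainDn" = ([int]$R::GenericRead -bor [int]$R::GenericWrite)
}

function Get-DelegatedRights([string]$Dn, [string]$Identity) {
    $entry = [ADSI]"LDAP://$Dn"
    # Explicit ACEs only ($true), inherited ACEs skipped ($false),
    # trustees returned as DOMAIN\name (NTAccount).
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $false, [System.Security.Principal.NTAccount])
    $mask = 0
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity) {
            # Combine every Allow ACE the group holds on this object.
            $mask = $mask -bor [int]$ace.ActiveDirectoryRights
        }
    }
    return $mask
}

foreach ($dn in $expected.Keys) {
    $want    = [int]$expected[$dn]
    $have    = Get-DelegatedRights $dn $group
    $missing = $want -band (-bnot $have)   # listed on the page but not granted
    $excess  = $have -band (-bnot $want)   # granted beyond what the page lists
    New-Object PSObject -Property @{
        Object  = $dn
        Missing = $missing -as $R
        Excess  = $excess -as $R
        Ok      = ($missing -eq 0 -and $excess -eq 0)
    }
}
```

Run it from a domain-joined computer with an account that can read the security descriptors of these objects. A non-zero `Excess` value means the group holds rights on that object beyond those this topic calls for.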