Delegating User Administration

Topic Last Modified: 2009-01-23

To administer Office Communications Server users, a user must be a member of the DomainAdmins group or the RTCUniversalUserAdmins group. Some organizations do not want to grant DomainAdmins membership to users or groups who only need to manage Office Communications Server users. You can instead add those users or groups to the RTCUniversalUserAdmins group, a universal group that can administer all Office Communications Server users in the forest. Where even that is broader than necessary, delegate user administration: delegation grants a user or group only the subset of permissions required to administer a specific set of Office Communications Server users, scoped to one user OU and one pool.

When you delegate user administration, you grant the following permissions:

  • Read permissions to global settings
  • Read permissions to a computer organizational unit (OU)
  • Read/write permissions to a user OU
  • Membership in the RTC Local User Administrators group on all servers within the specified pool
  • ReadOnlyRole on the RTC and RTCConfig databases of the specified pool or Standard Edition server

To delegate user administration

  1. Log on to a computer in the domain where you want to grant permissions. Use an account that is a member of the DomainAdmins group or that has equivalent user rights.

  2. Open a command prompt and then type the following command on a single line (it is wrapped here for readability):

    LcsCmd.exe /Domain[:<domain FQDN>] /Action:CreateDelegation 
    /Delegation:UserAdmin /TrusteeGroup:<name of the universal group that you will delegate to>
    /TrusteeDomain:<FQDN of the domain where the trustee group resides>
    /ServiceAccount:<RTC service account name>
    /ComponentServiceAccount:<RTC component service account name>
    /ComputerOU:<DN of the OU or container where the computer objects that run Office Communications Server reside>
    /UserOU:<DN of the OU or container where the Office Communications Server user objects reside>
    /UserType:{User | Contact | InetOrgPerson}
    /PoolName:<Name of a Standard Edition server or an Enterprise pool>
    

    Where:

    TrusteeGroup is the group to which you are granting permissions.

    TrusteeDomain is the domain in which the trustee group resides.

    ServiceAccount is the Real-time Communications (RTC) service account name.

    ComponentServiceAccount is the RTC component service account name.

    ComputerOU is the distinguished name (DN) of the OU containing the computer objects of the Front End Server or pool that hosts the users the trustee group will administer. The OU specified by /ComputerOU and the OU specified by /UserOU must reside in the same domain. This also applies when you delegate administration of users in a domain other than the one where Office Communications Server is installed: the OU specified by /ComputerOU must still reside in the same domain as the OU specified by /UserOU.

    UserOU is the DN of the OU containing the users that the trustee group will administer. It must reside in the same domain as the OU specified by /ComputerOU.

    UserType is the type of user object that the trustee group will have permissions to administer. Valid values are User, Contact, or InetOrgPerson.

    PoolName is the name of the Standard Edition server or Enterprise pool in which the trustee group can administer users. Specifying the pool also adds the trustee group to the RTC Local User Administrators group on each computer in the pool and to the ReadOnlyRole of that pool's or server's RTC and RTCConfig back-end databases.
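As a worked example added to this page (it is not part of the original documentation or of the product), the procedure above as a PowerShell script: it runs LcsCmd.exe with concrete values and then checks each of the grants listed at the top of the topic, including one check that the delegation did not over-grant. The domain contoso.com, the OU distinguished names, the group OCS-Sales-UserAdmins, the service account names, the pool ocspool01 with Front End servers ocsfe01 and ocsfe02, and the SQL instance ocssql01\RTC are all assumed values; the helper functions Get-DnDomain and Get-LocalGroupMember are written here and are not part of LcsCmd or Office Communications Server.

```powershell
# Added example (not from the original page): delegate Office Communications Server
# user administration for one OU with LcsCmd.exe, then verify what was granted.
# Every concrete name below is an assumption for illustration: contoso.com, the OU
# distinguished names, the trustee group, the service accounts, the pool, its
# Front End servers and the SQL instance. Substitute your own values.
# Run on a domain-joined machine under an account that is a member of DomainAdmins.

$Domain            = 'contoso.com'
$TrusteeGroup      = 'OCS-Sales-UserAdmins'          # universal group that receives the delegation
$TrusteeDomain     = 'contoso.com'                   # domain where the trustee group resides
$ServiceAccount    = 'RTCService'                    # RTC service account
$ComponentSvcAcct  = 'RTCComponentService'           # RTC component service account
$ComputerOU        = 'OU=OCS Servers,DC=contoso,DC=com'
$UserOU            = 'OU=Sales,OU=Users,DC=contoso,DC=com'
$PoolName          = 'ocspool01'
$PoolServers       = 'ocsfe01', 'ocsfe02'            # Front End servers in $PoolName
$SqlInstance       = 'ocssql01\RTC'                  # back-end SQL instance of the pool

# The domain of a DN is the dotted form of its DC= components.
function Get-DnDomain([string]$Dn) {
    $dc = $Dn -split ',' | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }
    return ($dc -join '.')
}

# Members of a local group on a remote server, read through the WinNT ADSI provider
# (works without PowerShell remoting on the 2008-era servers this product runs on).
function Get-LocalGroupMember([string]$Computer, [string]$Group) {
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    $g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Precondition stated in the documentation: /ComputerOU and /UserOU must be in the same domain.
if ((Get-DnDomain $ComputerOU) -ne (Get-DnDomain $UserOU)) {
    throw "ComputerOU and UserOU are in different domains; the delegation is not valid."
}

# 1. Create the delegation. LcsCmd.exe takes the whole command on one line; PowerShell
#    quotes the DN arguments that contain spaces when it invokes the native executable.
& LcsCmd.exe "/Domain:$Domain" '/Action:CreateDelegation' '/Delegation:UserAdmin' `
    "/TrusteeGroup:$TrusteeGroup" "/TrusteeDomain:$TrusteeDomain" `
    "/ServiceAccount:$ServiceAccount" "/ComponentServiceAccount:$ComponentSvcAcct" `
    "/ComputerOU:$ComputerOU" "/UserOU:$UserOU" '/UserType:User' "/PoolName:$PoolName"
if ($LASTEXITCODE -ne 0) { throw "LcsCmd.exe returned exit code $LASTEXITCODE; check its log file." }

# 2. Active Directory: the trustee group should now appear in the ACL of the user OU.
$aces = dsacls $UserOU | Select-String -SimpleMatch $TrusteeGroup
if ($aces) { $aces } else { Write-Warning "No ACEs for $TrusteeGroup found on $UserOU" }

# 3. Pool servers: the group belongs in RTC Local User Administrators and nowhere broader.
foreach ($server in $PoolServers) {
    $userAdmins = Get-LocalGroupMember $server 'RTC Local User Administrators'
    if ($userAdmins -contains $TrusteeGroup) {
        "${server}: $TrusteeGroup is a member of RTC Local User Administrators"
    } else {
        Write-Warning "${server}: $TrusteeGroup is missing from RTC Local User Administrators"
    }
    # UserAdmin delegation grants a subset of rights; membership in the machine's
    # Administrators group would be an over-grant worth investigating.
    if ((Get-LocalGroupMember $server 'Administrators') -contains $TrusteeGroup) {
        Write-Warning "${server}: $TrusteeGroup is in the local Administrators group (more than delegation grants)"
    }
}

# 4. Back-end databases: the group should hold ReadOnlyRole in RTC and RTCConfig.
foreach ($db in 'rtc', 'rtcconfig') {
    $rows = sqlcmd -S $SqlInstance -E -d $db -Q "EXEC sp_helprolemember 'ReadOnlyRole'" |
        Select-String -SimpleMatch $TrusteeGroup
    if ($rows) { "${db}: $TrusteeGroup holds ReadOnlyRole" }
    else { Write-Warning "${db}: $TrusteeGroup does not hold ReadOnlyRole" }
}
```

The same-domain check before the call mirrors the constraint on /ComputerOU and /UserOU, and the local Administrators check afterwards confirms that the trustee group ended up with the RTC Local User Administrators membership listed above and nothing broader. For a Standard Edition server, set $PoolServers to that server and $SqlInstance to its own SQL instance, since it hosts the RTC and RTCConfig databases locally.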