Granting Organizational Unit Permissions

 

Topic Last Modified: 2012-01-17

If you have locked down your Active Directory domain (that is, if you have disabled permission inheritance), then the domain preparation that takes place when you install Lync Server 2010 will not be able to add the rights needed to manage users, computers, contacts, application contacts, and InetOrg persons. (Domain administrators will still be able to manage these objects, but no one else, including members of the RTCUniversalUserAdmins group, will have management rights.) In that case, you will need to use the Grant-CsOUPermission cmdlet to give the required security groups the required rights. This must be done on a container-by-container basis.

You can use the Grant-CsOuPermission cmdlet to grant permissions to objects in specified organizational units (OUs) so that members of the RTC universal groups created by forest preparation can access them without being members of the Domain Admins group. The permissions added to the specified OU are the same permissions that the Enable-CsAdDomain cmdlet adds to the computers and users containers during domain preparation.

Use the Test-CsOuPermission cmdlet to verify the permissions you set up by using the Grant-CsOuPermission cmdlet.

You can use the Revoke-CsOuPermission cmdlet to remove permissions that you granted by using the Grant-CsOuPermission cmdlet.

To grant OU permissions

  1. Log on to a computer running Lync Server 2010 in the domain where you want to grant OU permissions. Use an account that is a member of the Domain Admins group, or of the Enterprise Admins group if the OU is in a different child domain.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell.

  3. Run:

    Grant-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <DN of the OU> [-Domain <Domain FQDN>]
    

    If you do not specify the Domain parameter, the default value is the local domain.

To verify OU permissions

  1. Log on to a computer running Lync Server 2010 in the domain where you want to verify OU permissions that you granted by using the Grant-CsOuPermission cmdlet. Use an account that is a member of the Domain Admins group, or of the Enterprise Admins group if the OU is in a different child domain.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell.

  3. Run:

    Test-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <DN of the OU> [-Domain <Domain FQDN>]
    

    If you do not specify the Domain parameter, the default value is the local domain.

To revoke OU permissions

  1. Log on to a computer running Lync Server 2010 in the domain where you want to revoke OU permissions that were granted by the Grant-CsOuPermission cmdlet. Use an account that is a member of the Domain Admins group, or of the Enterprise Admins group if the OU is in a different child domain.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell.

  3. Run:

    Revoke-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <DN of the OU> [-Domain <Domain FQDN>]
    

    If you do not specify the Domain parameter, the default value is the local domain.
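The three procedures above can be combined into one pass per OU. The following is an added example, not part of the original topic: it grants only the object types an OU needs, verifies all six types, and lists leftover grants as revoke candidates without running them. The OU distinguished name, domain FQDN, and `$needed` list are placeholder assumptions, and the script assumes Test-CsOuPermission returns True when the permissions are present.

```powershell
# Added example. Placeholder values are assumptions; replace them before use.
$ou       = 'OU=Staff,DC=contoso,DC=example'   # hypothetical OU distinguished name
$domain   = 'contoso.example'                  # hypothetical domain FQDN
$needed   = @('User', 'Contact')               # object types Lync admins must manage here
$allTypes = @('User', 'Computer', 'InetOrgPerson', 'Contact', 'AppContact', 'Device')

# Grant only the object types this OU actually needs (container-by-container).
foreach ($type in $needed) {
    Grant-CsOuPermission -ObjectType $type -OU $ou -Domain $domain
}

# Verify every object type so both missing and leftover grants show up.
$report = foreach ($type in $allTypes) {
    # Assumption: Test-CsOuPermission returns $true when the permissions are set.
    $granted = [bool](Test-CsOuPermission -ObjectType $type -OU $ou -Domain $domain)
    New-Object PSObject -Property @{
        ObjectType = $type
        Needed     = ($needed -contains $type)
        Granted    = $granted
    }
}
$report | Select-Object ObjectType, Needed, Granted | Format-Table -AutoSize

# Needed but not granted: the grant did not take effect and needs investigation.
$report | Where-Object { $_.Needed -and -not $_.Granted } |
    ForEach-Object { Write-Warning "Missing permissions: $($_.ObjectType) on $ou" }

# Granted but not needed: candidates for Revoke-CsOuPermission (printed, not run).
$report | Where-Object { $_.Granted -and -not $_.Needed } |
    ForEach-Object {
        "Revoke-CsOuPermission -ObjectType $($_.ObjectType) -OU `"$ou`" -Domain $domain"
    }
```

Run it from the Lync Server Management Shell with the account described in step 1 of each procedure.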