Administrator Rights and Permissions Required for Setup and Administration

 

Topic Last Modified: 2011-08-18

Setup and deployment of Microsoft Lync Server 2010 requires that the person installing and deploying the software be a member of local or domain-level groups. Administrative tools for Lync Server 2010 can require additional permissions.

Group Membership Requirements

The following table summarizes the group or groups that a person should belong to in order to successfully install, manage, and troubleshoot Lync Server 2010.

Lync Server Executable | Group Membership Required

Setup.exe – Executable that starts the installation of the Lync Server administrative tools.

Member of the Local Administrators group on the computer from which the executable is run. Member of Domain Users group to read information in Active Directory Domain Services (AD DS). This level of permission is required because the automatic installation of required MSI packages on the local computer requires privileges that allow reading from and writing to protected local computer resources such as Program Files directories, and protected registry such as the Local Machine hive.

Tip

You can also delegate setup permissions to users or groups to whom you do not want to grant membership in the Domain Admins group. For details, see Granting Setup Permissions in the Deployment documentation.

Deploy.exe – Called by setup.exe, deploy.exe is responsible for the deployment of the software components for the server roles.

Member of the Local Administrators group on the computer from which the executable is run. Member of the Domain Users group to read information in AD DS. This level of permission is required because the automatic installation of the required MSI packages on the local computer needs privileges that allow reading from and writing to protected local computer resources, such as the Program Files directories, and protected registry locations, such as the Local Machine hive. Membership in the RTCUniversalReadOnlyAdmins group is necessary to read the Central Management store.

Note

If you are running the Windows Vista operating system or Windows 7 operating system, you will be prompted by User Account Control (UAC) to proceed with installation. If you are logged on with a standard user account, you will need someone who is a member of the Local Administrators group to provide credentials when prompted for an account with permissions to install the software.

Bootstrapper.exe – Called by setup.exe, bootstrapper.exe is responsible for deployment and configuration of server roles.

Member of the Local Administrators group on the computer from which the executable is run. Member of the Domain Users group to read information in AD DS. This level of permission is required because the automatic installation of the required MSI packages on the local computer needs privileges that allow reading from and writing to protected local computer resources, such as the Program Files directories, and protected registry locations, such as the Local Machine hive.

OCSLogger.exe – Administrative troubleshooting tool for capturing messages on server roles.

Member of the Local Administrators group on the computer from which the executable is run. The executable is manifested as requireAdministrator.

TopologyBuilder.msc – Wizard-driven user interface to create, view, adjust, and validate Lync Server topologies.

Member of the Local Administrators group on the computer from which the executable is run to view the topology. Member of the RTCUniversalServerAdmins group to change configuration settings. Member of the RTCUniversalServerAdmins group and Domain Admins group, or member of the RTCUniversalServerAdmins group (only if the group has been granted delegate setup permissions), to publish the topology. For details about delegating setup permissions to allow members of the RTCUniversalServerAdmins group to publish the topology without being members of the Domain Admins group, see Granting Setup Permissions in the Deployment documentation.

AdminUIHost.exe – Web-based graphical user interface for managing Lync Server.

Member of the CsAdministrator group or member of another role-based access control (RBAC) role to which the specific administrative task is assigned. Microsoft Lync Server 2010 Control Panel implements configuration changes by running Lync Server Management Shell cmdlets. For a list of predefined roles and the cmdlets members are permitted to run, see Role-Based Access Control in the Planning documentation.

PowerShell.exe with the Lync Server module loaded – Command-line administrative tool with cmdlets specific to management of Lync Server.

Member of the CsAdministrator group or member of another RBAC role to which the specific cmdlet has been assigned. For a list of predefined roles and the cmdlets members are permitted to run, see Role-Based Access Control in the Planning documentation.

Or, member of one or more of the following groups, depending on the cmdlet:

  • RTCUniversalServerAdmins

  • RTCUniversalUserAdmins

  • RTCUniversalReadOnlyAdmins

The group memberships in the preceding table are the minimum memberships. Other memberships that grant the permissions necessary to initiate setup and deployment are also possible, including membership in the Domain Admins group or the Enterprise Admins group.
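
The following PowerShell script is an added example, not part of the original topic or of Lync Server: it compares the groups in the current logon token with the minimum memberships listed in the table and flags accounts that hold Domain Admins or Enterprise Admins instead. It assumes PowerShell 3.0 or later and English group names; the function names Get-ActiveGroupName and Test-LyncToolAccess are hypothetical, and the publish row is left out because delegated setup permissions cannot be detected from group names.

```powershell
# Added example, not Microsoft code. Group names are the English defaults.
# Minimum memberships per tool, transcribed from the table above.
$Minimum = [ordered]@{
    'Setup.exe'                    = @('Administrators', 'Domain Users')
    'Deploy.exe'                   = @('Administrators', 'Domain Users', 'RTCUniversalReadOnlyAdmins')
    'Bootstrapper.exe'             = @('Administrators', 'Domain Users')
    'OCSLogger.exe'                = @('Administrators')
    'TopologyBuilder.msc (view)'   = @('Administrators')
    'TopologyBuilder.msc (change)' = @('RTCUniversalServerAdmins')
    # Another RBAC role that holds the task also qualifies; only CsAdministrator is checked.
    'AdminUIHost.exe'              = @('CsAdministrator')
}

function Get-ActiveGroupName {
    # Leaf names (without the DOMAIN\ prefix) of the groups in the current token.
    # In a non-elevated UAC session the Administrators membership is not active,
    # so run this from the session that will start the tool.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            ($account -split '\\')[-1]
        } catch {
            # SID no longer resolves to a name; nothing to compare, skip it.
        }
    }
}

function Test-LyncToolAccess {
    param([string[]]$ActiveGroups = (Get-ActiveGroupName))
    foreach ($tool in $Minimum.Keys) {
        # -notcontains compares case-insensitively, matching AD group naming.
        $missing = @($Minimum[$tool] | Where-Object { $ActiveGroups -notcontains $_ })
        [pscustomobject]@{
            Tool    = $tool
            Ready   = ($missing.Count -eq 0)
            Missing = $missing -join ', '
        }
    }
}

$active = Get-ActiveGroupName
Test-LyncToolAccess -ActiveGroups $active | Format-Table -AutoSize

# Domain Admins and Enterprise Admins also work but exceed the minimum in the table.
$broad = @('Domain Admins', 'Enterprise Admins') | Where-Object { $active -contains $_ }
if ($broad) { Write-Warning "Account holds more than the minimum: $($broad -join ', ')" }
```

An account that relies on Domain Admins or Enterprise Admins rather than the listed groups shows as missing the minimum groups here, which is the signal to add it to the specific group and drop the broader one.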