Can't add any user to Lync 2013

Hi hello 

After installing Lync 2013 I can't add any user and get this error:

Active Directory operation failed on "ActiveDirctory.mehr.lab". You cannot retry this operation: "Insufficient access rights to perform the operation
00002098: SecErr: DSID-03150BC1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.

Thank you all.

June 24th, 2015 6:16am

Hello Mehrdad,

It seems the users you're trying to add belong to protected security groups, like the error states. You have two workarounds for this: 1) Use an elevated PowerShell session and enable the users. 2) From Active Directory Users and Computers select View >> Advanced Features, then browse to the user you want to add to Lync and from the properties select Security >> then check the checkbox "include inheritable permissions". Then try enabling them again from the Lync Control Panel.

Hope this helps,

Regards,

Muhammad Hazem

uchazem.wordpress.com

June 24th, 2015 6:39am

Please make sure the user is not a member of any admin groups, especially Domain Admins. If so, then you can only use Lync PowerShell to administer their account.

And as Muhammad mentioned, check the Security tab and make sure it says disable inheritance.

If it says enable, then you have to click it to enable inheritance.

This issue occurs if the user's UPN and logon name have been changed lately.

June 24th, 2015 7:16am

Thank you for the comments, friends.

I tried these solutions but the problem is not solved yet.


June 27th, 2015 2:04am

Run the command below in Lync Shell and your issue will be solved.

Enable-CsUser -Identity <user> -SipAddressType <type> -SipDomain <domain> -RegistrarPool <pool fqdn>

I can't add a new user in lync/users; I can add a user just with the command.

thanks

June 28th, 2015 4:26am

Hi Mehrdad2015,

The error might be caused by the combination of the following two reasons:

  • The user account that is part of the Lync Server move or enable operation is a member of an Active Directory, directory service protected domain security group. Since the user account belongs to a Windows Server protected domain security group it is unable to keep the RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server Universal Security groups and their permissions as Access Control Entries (ACEs) for the protected domain security group's default Access Control List (ACL).
  • The Lync Server Control Panel is not designed to delegate the permissions of RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server Universal Security groups that are needed to complete the user account move or enable operation.

There's a related KB for your reference.

https://support.microsoft.com/en-us/kb/2466000

Best regards,

Eric

June 28th, 2015 5:32am
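
The condition described in the reply above can be checked per account before retrying in the Control Panel. The PowerShell below is an added example, not part of the thread or of the linked KB; the function name `Get-LyncEnableBlocker`, the `EXAMPLE` domain and the sample accounts are constructed for illustration, and a missing ACE is treated only as a heuristic indicator.

```powershell
# Added example: report accounts whose ACL state matches the failure described above.
# Input objects need SamAccountName, adminCount and nTSecurityDescriptor, i.e. the shape
# Get-ADUser returns with -Properties adminCount,nTSecurityDescriptor.
function Get-LyncEnableBlocker {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [string[]] $RequiredGroups = @('RTCUniversalUserAdmins', 'RTCUniversalUserReadOnlyGroup')
    )
    process {
        $sd = $User.nTSecurityDescriptor
        # Names holding an Allow ACE on the user object (domain prefix stripped)
        $holders = @($sd.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { ($_.IdentityReference.ToString() -split '\\')[-1] })
        $missing = @($RequiredGroups | Where-Object { $_ -notin $holders })
        [pscustomobject]@{
            User                = $User.SamAccountName
            AdminCount          = [int]$User.adminCount          # 1 = stamped as protected
            InheritanceDisabled = [bool]$sd.AreAccessRulesProtected
            MissingLyncGroups   = $missing -join ', '
            LikelyBlocked       = ($missing.Count -gt 0)         # heuristic, see lead-in
        }
    }
}

# Constructed sample objects so the function can be tried without a domain.
$samples = @(
    [pscustomobject]@{ SamAccountName = 'admin.alice'; adminCount = 1
        nTSecurityDescriptor = [pscustomobject]@{
            AreAccessRulesProtected = $true
            Access = @([pscustomobject]@{ AccessControlType = 'Allow'
                                          IdentityReference = 'EXAMPLE\Domain Admins' }) } },
    [pscustomobject]@{ SamAccountName = 'user.bob'; adminCount = $null
        nTSecurityDescriptor = [pscustomobject]@{
            AreAccessRulesProtected = $false
            Access = @(
                [pscustomobject]@{ AccessControlType = 'Allow'
                                   IdentityReference = 'EXAMPLE\RTCUniversalUserAdmins' },
                [pscustomobject]@{ AccessControlType = 'Allow'
                                   IdentityReference = 'EXAMPLE\RTCUniversalUserReadOnlyGroup' }) } }
)
$samples | Get-LyncEnableBlocker | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount,nTSecurityDescriptor |
#     Get-LyncEnableBlocker
```

An account that shows `AdminCount` 1 with inheritance disabled but is no longer in any protected group keeps that state until it is cleared, which is worth checking before re-enabling inheritance on it.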

Hi Mehrdad2015,

I'm marking the reply as answer as there has been no update for a couple of days.

If you come back to find it doesn't work for you, please reply to us and unmark the answer.

 

Best regards,

Eric

July 6th, 2015 5:45am

This topic is archived. No further replies will be accepted.
