Error enabling users in sub-domain via LSCP
A customer recently reported that they were getting an error when trying to enable a user in a sub-domain when trying to import a user via Lync Server Control Panel (LSCP). The resolution is really simple and I thought that I will post it our there for anyone having the same problem. Here is the offending error :
![clip_image001[4]](https://msdntnarchive.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/87/93/metablogapi/7827.clip_image0014_4CE49AF6.png "clip_image001[4]")
1 Error(s)
Active Directory operation failed on “domain.treyresearch.net”. You cannot retry this operation: “Insufficient access rights to perform the operation
00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync
Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for
example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and
log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.
As the error message suggests the problem is either because the user has Admin privileges in Active Directory (See https://support.microsoft.com/kb/2466000 for resolution) or because you do not have appropriate permissions in active directory. In this scenario there were two domains:
treyresearch.net
defense.treyresearch.net
Whenever we tried to activate a user in the defense.treyresearch.net domain they will get the error above. If we tried to enable the user in the sub-domain via Power Shell it will succeed, for eg :
PS C:\> Enable-CsUser -Identity JaneDoe@TreyResearch.net -RegistarPool LyncPool.TreyResearch.net -SipAddressType UserPrincipalName
I started by checking the state of the Forest
PS C:\> Get-CsAdForest
LC_FORESTSETTINGS_STATE_READY
I then checked the state of the parent domain
PS C:\> Get-CsAdDomain
LC_DOMAINSETTINGS_STATE_READY
Then, I looked at the problematic sub-domain
PS C:\> Get-CsAdDomain -Domain Defense.TreyResearch.net
LC_DOMAINSETTINGS_STATE_DISCOVERED, LC_DOMAINSETTINGS_STATE_ACCOUNTS_READY
WARNING: “get-csaddomain” processing has completed with warnings. "10" warnings were recorded during this run.
WARNING: Detailed results can be found at ‘C:\Users\Akshat\AppData\Local\Temp\2\get—csaddomain—1ab612e0—d6lf—4672—a4f4—fea5555l5b6c .html”.
The error log mentioned in the warning reported several warnings about ACEs in the sub-domain
![clip_image002[4]](https://msdntnarchive.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/87/93/metablogapi/0564.clip_image0024_47DB757D.png "clip_image002[4]")
To fix this we simply run the following in Lync Power-Shell (https://technet.microsoft.com/en-us/library/gg412764.aspx):
Enable-CsAdDomain -Domain Defense.TreyResearch.net
The domain preparation step adds the necessary access control entries (ACEs) to universal groups that grant permissions to host and manage users within the domain. Domain preparation creates ACEs on the domain root and three built-in containers: User, Computers, and Domain Controllers.
Additional Links:
https://support.microsoft.com/kb/2466000
https://support.microsoft.com/kb/2549544
https://technet.microsoft.com/en-us/library/gg429696.aspx
https://technet.microsoft.com/en-us/library/gg398721.aspx