Topic Last Modified: 2010-10-01

Verifies that the required permissions needed to manage users, computers, and other objects have been set on the specified Active Directory container.

Syntax

Test-CsOUPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <String> [-Domain <Fqdn>] [-DomainController <Fqdn>] [-GlobalCatalog <Fqdn>] [-Report <String>]

Parameters

Parameter Required Type Description

ObjectType

Required

ObjectType object

Type of object to be checked. Valid values are:

User

Computer

Contact

AppContact

InetOrgPerson

To check multiple objects in the same kind, separate the object types by using commas: -ObjectType "user","computer","contact".

OU

Required

Active Directory distinguished name

Distinguished name of the organizational unit (OU) to be checked. For example: -OU "ou=Redmond,dc=litwareinc,dc=com".

Note that you can only check a single OU per command.

Domain

Optional

String

Name of the domain where the OU to be checked is located. If this parameter is not included, then Test-CsOUPermission will look for the OU on the current domain.

DomainController

Optional

String

Fully qualified domain name (FQDN) of a domain controller in your domain. This parameter is not required if you are running Test-CsOUPermission on a computer with an account in your domain.

GlobalCatalog

Optional

String

FQDN of a global catalog server in your domain. This parameter is not required if you are running Test-CsOUPermission on a computer with an account in your domain.

Report

Optional

String

Enables you to specify a file path for the log file created when the cmdlet runs. For example: -Report "C:\Logs\OUPermissions.html". If this file already exists, it will be overwritten when you run the cmdlet.

Verbose

Optional

String

Reports detailed activity to the screen as the cmdlet runs.

Detailed Description

If you have locked down your Active Directory domain (that is, if you have disabled permission inheritance), then the domain preparation that takes place when you install Microsoft Lync Server 2010 will not be able to add the permissions needed to manage users, computers, contacts, application contacts, and InetOrg persons. (Domain administrators will still be able to manage these objects, but no one else, including members of the RTCUniversalServerAdmins group, will have management permissions.) In that case, you will need to use the Grant-CsOUPermission cmdlet to grant the RTCUniversalServerAdmins group the appropriate permissions. In addition, you will need to do this on a container-by-container basis.

The Test-CsOUPermission cmdlet enables you to determine whether or not the required permissions have been added to a specified Active Directory container. Test-CsOUPermission returns True if the correct permissions have been applied, and returns False if the correct permissions have not been applied. If the cmdlet returns False, you will then need to run Grant-CsOUPermission in order to make the necessary changes.

Who can run this cmdlet: To return a list of all the role-based access control (RBAC) roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:

Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Test-CsOUPermission"}

Input Types

None. Test-CsOUPermission does not accept pipelined input.

Return Types

Test-CsOUPermission returns an instance of the Microsoft.Rtc.SyntheticTransactions.TaskOutput object.

Example

-------------------------- Example 1 ------------------------

Copy Code
Test-CsOUPermission -OU "ou=Redmond,dc=litwareinc,dc=com" -ObjectType "user"

The command shown in Example 1 verifies that user permissions have been set on the Redmond OU in the litwareinc.com domain.

See Also