See Also
Topic Last Modified: 2010-10-01
Verifies that the required permissions needed to manage users, computers, and other objects have been set on the specified Active Directory container.
Syntax
Test-CsOUPermission -ObjectType <User | Computer |
InetOrgPerson | Contact | AppContact | Device> -OU
<String> [-Domain <Fqdn>] [-DomainController
<Fqdn>] [-GlobalCatalog <Fqdn>] [-Report
<String>]
|
Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
|
ObjectType |
Required |
ObjectType object |
Type of object to be checked. Valid values are: User Computer Contact AppContact InetOrgPerson To check multiple objects in the same kind, separate the object types by using commas: -ObjectType "user","computer","contact". |
|
OU |
Required |
Active Directory distinguished name |
Distinguished name of the organizational unit (OU) to be checked. For example: -OU "ou=Redmond,dc=litwareinc,dc=com". Note that you can only check a single OU per command. |
|
Domain |
Optional |
String |
Name of the domain where the OU to be checked is located. If this parameter is not included, then Test-CsOUPermission will look for the OU on the current domain. |
|
DomainController |
Optional |
String |
Fully qualified domain name (FQDN) of a domain controller in your domain. This parameter is not required if you are running Test-CsOUPermission on a computer with an account in your domain. |
|
GlobalCatalog |
Optional |
String |
FQDN of a global catalog server in your domain. This parameter is not required if you are running Test-CsOUPermission on a computer with an account in your domain. |
|
Report |
Optional |
String |
Enables you to specify a file path for the log file created when the cmdlet runs. For example: -Report "C:\Logs\OUPermissions.html". If this file already exists, it will be overwritten when you run the cmdlet. |
|
Verbose |
Optional |
String |
Reports detailed activity to the screen as the cmdlet runs. |
Detailed Description
If you have locked down your Active Directory domain (that is, if you have disabled permission inheritance), then the domain preparation that takes place when you install Microsoft Lync Server 2010 will not be able to add the permissions needed to manage users, computers, contacts, application contacts, and InetOrg persons. (Domain administrators will still be able to manage these objects, but no one else, including members of the RTCUniversalServerAdmins group, will have management permissions.) In that case, you will need to use the Grant-CsOUPermission cmdlet to grant the RTCUniversalServerAdmins group the appropriate permissions. In addition, you will need to do this on a container-by-container basis.
The Test-CsOUPermission cmdlet enables you to determine whether or not the required permissions have been added to a specified Active Directory container. Test-CsOUPermission returns True if the correct permissions have been applied, and returns False if the correct permissions have not been applied. If the cmdlet returns False, you will then need to run Grant-CsOUPermission in order to make the necessary changes.
Who can run this cmdlet: To return a list of all the role-based access control (RBAC) roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:
Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Test-CsOUPermission"}
Input Types
None. Test-CsOUPermission does not accept pipelined input.
Return Types
Test-CsOUPermission returns an instance of the Microsoft.Rtc.SyntheticTransactions.TaskOutput object.
Example
-------------------------- Example 1 ------------------------
 Copy Code |
|
|---|---|
Test-CsOUPermission -OU "ou=Redmond,dc=litwareinc,dc=com" -ObjectType "user" |
|
The command shown in Example 1 verifies that user permissions have been set on the Redmond OU in the litwareinc.com domain.