Topic Last Modified: 2011-03-30
Setup and deployment of Microsoft Lync Server 2010 requires that the person installing and deploying the software be a member of local or domain-level groups. Administrative tools for Lync Server 2010 can require additional permissions.
Group Membership Requirements
The following table summarizes the group or groups that a person should belong to in order to successfully install, manage, and troubleshoot Lync Server 2010.
| Lync Server Executable | Group Membership Required |
|---|---|
| Setup.exe – Executable that starts the installation of the Lync Server administrative tools. | Member of the Local Administrators group on the computer from which the executable is run. Member of Domain Users group to read information in Active Directory Domain Services (AD DS). This level of permission is required because the automatic installation of required MSI packages on the local computer requires privileges that allow reading from and writing to protected local computer resources such as Program Files directories, and protected registry such as the Local Machine hive. |
| Deploy.exe – Called by setup.exe, deploy.exe is responsible for the deployment of the software components for the server roles. | Member of the Local Administrators group on the computer from which the executable is run. Member of Domain Users group to read information in AD DS. This level of permission is required because the automatic installation of required MSI packages on the local computer requires privileges that allow reading from and writing to protected local computer resources such as Program Files directories, and protected registry such as the Local Machine hive. Membership in RtcUniversalReadOnlyAdmins group is necessary to read the Central Management store. |
| Bootstrapper.exe – Called by setup.exe, bootstrapper.exe is responsible for deployment and configuration of server roles. | Member of the Local Administrators group on the computer from which the executable is run. Member of Domain Users group to read information in AD DS. This level of permission is required because the automatic installation of required MSI packages on the local computer requires privileges that allow reading from and writing to protected local computer resources such as Program Files directories, and protected registry such as the Local Machine hive. |
| OCSLogger.exe – Administrative troubleshooting tool for capturing messages on server roles. | Member of the Local Administrators group on the computer from which the executable is run. The executable is manifested as requireAdministrator. |
| TopologyBuilder.msc – Wizard-driven user interface to create, view, adjust, and validate Lync Server topologies. | Member of the Local Administrators group on the computer from which the executable is run to view the topology. Member of the RTCUniversalServerAdmins group to change configuration settings. Member of the RTCUniversalServerAdmins group and Domain Admins group, or member of the RTCUniversalServerAdmins group (only if the group has been granted delegate setup permissions), to publish the topology. For details about delegating setup permissions to allow members of the RTCUniversalServerAdmins group to publish the topology without being members of the Domain Admins group, see Granting Setup Permissions in the Deployment documentation. |
| AdminUIHost.exe – Web-based graphical user interface for managing Lync Server. | Member of CsAdministrator group or member of another role-based access control (RBAC) role to which the specific administrative task is assigned. Microsoft Lync Server 2010 Control Panel executes configuration changes by running Lync Server Management Shell cmdlets. For a list of predefined roles and the cmdlets members are permitted to run, see Role-Based Access Control in the Planning documentation. |
| PowerShell.exe with the Lync Server module loaded – Command-line administrative tool with cmdlets specific to management of Lync Server. | Member of CsAdministrator group or member of another RBAC role to which the specific cmdlet has been assigned. For a list of predefined roles and the cmdlets members are permitted to run, see Role-Based Access Control in the Planning documentation. Or, member of one or more of the following groups, depending on the cmdlet: |

The group memberships in the preceding table represent the minimum memberships. Other memberships which will grant the permissions necessary to initiate the setup and deployment are possible, including membership in the Domain Admins group or Enterprise Admins group.
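
The following pre-flight check is an added example, not part of the original topic or of Lync Server itself. It compares the groups in the current logon token with the minimum memberships in the preceding table, so an operator can confirm the account holds what a task needs before falling back on Domain Admins or Enterprise Admins. The function names, the task labels, and the `LocalAdmins`/`DomainUsers`/`DomainAdmins` keys are assumptions made for the example; a domain-joined account is assumed, and the RBAC-governed rows are left out because they depend on per-cmdlet role assignment.

```powershell
# Added example: groups required per task, transcribed from the table above.
# RBAC-governed rows (AdminUIHost.exe, PowerShell.exe) are omitted on purpose.
$Requirements = @{
    'Setup.exe'                 = @('LocalAdmins', 'DomainUsers')
    'Deploy.exe'                = @('LocalAdmins', 'DomainUsers', 'RtcUniversalReadOnlyAdmins')
    'Bootstrapper.exe'          = @('LocalAdmins', 'DomainUsers')
    'OCSLogger.exe'             = @('LocalAdmins')
    'TopologyBuilder (view)'    = @('LocalAdmins')
    'TopologyBuilder (change)'  = @('RTCUniversalServerAdmins')
    # Non-delegated case only; delegated setup permissions are not detected here.
    'TopologyBuilder (publish)' = @('RTCUniversalServerAdmins', 'DomainAdmins')
}

function Get-HeldGroups {
    # Returns a case-insensitive lookup of the groups enabled in the current token.
    # Token groups include nested memberships. Run elevated: under UAC a filtered
    # token has no enabled Administrators SID, so LocalAdmins reports as missing.
    $held = @{}
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $value = $sid.Value
        if     ($value -eq 'S-1-5-32-544')         { $held['LocalAdmins']  = $true }  # BUILTIN\Administrators
        elseif ($value -match '^S-1-5-21-.+-513$') { $held['DomainUsers']  = $true }  # RID 513 (domain account assumed)
        elseif ($value -match '^S-1-5-21-.+-512$') { $held['DomainAdmins'] = $true }  # RID 512
        else {
            try {
                # Match Lync groups by name, with the DOMAIN\ prefix stripped.
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $held[($name -split '\\')[-1]] = $true
            } catch { }  # SID that cannot be resolved to a name; ignore it
        }
    }
    return $held
}

function Test-LyncTaskAccess {
    # Emits one object per task: whether the token qualifies and what is missing.
    $held = Get-HeldGroups
    foreach ($task in ($Requirements.Keys | Sort-Object)) {
        $missing = @($Requirements[$task] | Where-Object { -not $held.ContainsKey($_) })
        New-Object PSObject -Property @{
            Task    = $task
            Allowed = ($missing.Count -eq 0)
            Missing = ($missing -join ', ')
        }
    }
}

Test-LyncTaskAccess | Format-Table Task, Allowed, Missing -AutoSize
```

Group membership added after logon does not appear in the token until the user logs on again, so rerun the check in a fresh session after any change.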