Topic Last Modified: 2012-06-20

To delegate Lync Server 2013 administration, you can add permissions to specified organizational units (OUs) so that members of the RTC universal groups created by forest preparation can access the OUs without being members of the Domain Admins group.

The Grant-CsOuPermission cmdlet grants permissions on objects in the specified OU, as described in the following tables.

Granting Permission for User Objects

When you run the Grant-CsOuPermission cmdlet for User objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for User Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Public-Information; Read General-Information; Read User-Account-Restrictions | Descendant User objects |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write msExchUCVoiceMailSettings; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant User objects |

Granting Permission for Computer Objects

When you run the Grant-CsOuPermission cmdlet for Computer objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for Computer Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read Public-Information; Read Validated-DNS-Host-Name | Descendant Computer objects |
| RTCUniversalUserAdmins | Read Public-Information; Read Validated-DNS-Host-Name | Descendant Computer objects |

Granting Permission for Contact or AppContact Objects

When you run the Grant-CsOuPermission cmdlet for Contact objects or AppContact objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for Contact or AppContact Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Public-Information; Read General-Information; Read Personal-Information; Read User-Account-Restrictions | Descendant Contact objects |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write otherIpPhone; Write displayName; Write description; Write telephoneNumber; Write msExchUCVoiceMailSettings; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant Contact objects |

Granting Permission for Device Objects

When you run the Grant-CsOuPermission cmdlet for Device objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for Device Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Public-Information; Read Personal-Information; Read General-Information; Read User-Account-Restrictions | Descendant Contact objects |
| RTCUniversalUserAdmins | Create child; Delete child; Delete tree | Contact |
| RTCUniversalUserAdmins | Write displayName; Write description; Write telephoneNumber | Descendant User objects |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write otherIpPhone; Write displayName; Write description; Write telephoneNumber; Write msExchUCVoiceMailSettings; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant Contact objects |

Granting Permission for InetOrgPerson Objects

When you run the Grant-CsOuPermission cmdlet for InetOrgPerson objects on an OU, groups are granted permissions as shown in the following table.

Permissions Granted for InetOrgPerson Objects

| Group | Permission | Applies to |
|---|---|---|
| RTCHSUniversalServices | Replicating directory changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Personal-Information; Read Public-Information; Read General-Information; Read User-Account-Restrictions | Descendant inetOrgPerson objects |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant inetOrgPerson objects |
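
To audit what a delegation actually placed on an OU, the access control entries held by the RTC groups can be listed and compared with the Group, Permission and Applies to columns above. The following is an added example, not part of the original topic. It assumes the Lync Server Management Shell with the ActiveDirectory (RSAT) module available, and the OU distinguished name is a placeholder.

```powershell
# Added example: compare the RTC group ACEs on an OU with the tables in this topic.
Import-Module ActiveDirectory

# Placeholder OU (assumption); replace with the OU that was delegated.
$ou = 'OU=LyncUsers,DC=example,DC=com'

# Built-in check: returns True if the permissions set by Grant-CsOuPermission
# for User objects are present on the OU.
Test-CsOuPermission -ObjectType 'User' -OU $ou

# ACEs identify attributes, property sets and object classes by GUID.
# Build a GUID-to-name map from the schema and the Extended-Rights container.
$rootDse = Get-ADRootDSE
$guidMap = @{}

Get-ADObject -SearchBase $rootDse.schemaNamingContext `
             -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# List only the ACEs held by RTC* groups, with GUIDs resolved to names.
# 'Object' corresponds to the Permission column (property or property set),
# 'AppliesTo' to the Applies to column (descendant object class).
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\RTC*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
        @{ Name = 'Object'; Expression = {
            if ($_.ObjectType -eq [guid]::Empty) { '(all)' }
            else { $guidMap[$_.ObjectType] } } },
        @{ Name = 'AppliesTo'; Expression = {
            if ($_.InheritedObjectType -eq [guid]::Empty) { '(this object)' }
            else { $guidMap[$_.InheritedObjectType] } } },
        IsInherited |
    Sort-Object IdentityReference, AppliesTo |
    Format-Table -AutoSize
```

An RTC group ACE that appears in this output but in none of the tables for the object types you delegated, or a write right where the table lists only read rights, is worth investigating before the OU is treated as correctly delegated.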