Topic Last Modified: 2012-06-20
To delegate Lync Server 2013 administration, you can add permissions to specified organizational units (OUs) so that members of the RTC universal groups created by forest preparation can access the OUs without being members of the Domain Admins group.
The Grant-CsOuPermission cmdlet grants the permissions listed in the following tables on objects in the specified OU.
Granting Permission for User Objects
When you run the Grant-CsOuPermission cmdlet for User objects on an OU, groups are granted permissions as shown in the following table.
Permissions Granted for User Objects
Group | Permission | Applies to |
---|---|---|
RTCHSUniversalServices | Replicating directory changes | This object only |
RTCUniversalServerReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet, Read RTCUserProvisioningPropertySet, Read RTCPropertySet, Read Public-Information, Read General-Information, Read User-Account-Restrictions | Descendant User objects |
RTCUniversalUserAdmins | Write RTCUserSearchPropertySet, Write msExchUCVoiceMailSettings, Write RTCUserProvisioningPropertySet, Write RTCPropertySet, Write proxyAddresses | Descendant User objects |
Granting Permission for Computer Objects
When you run the Grant-CsOuPermission cmdlet for Computer objects on an OU, groups are granted permissions as shown in the following table.
Permissions Granted for Computer Objects
Group | Permission | Applies to |
---|---|---|
RTCHSUniversalServices | Replicating directory changes | This object only |
RTCUniversalServerReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | Read Public-Information, Read Validated-DNS-Host-Name | Descendant Computer objects |
RTCUniversalUserAdmins | Read Public-Information, Read Validated-DNS-Host-Name | Descendant Computer objects |
Granting Permission for Contact or AppContact Objects
When you run the Grant-CsOuPermission cmdlet for Contact objects or AppContact objects on an OU, groups are granted permissions as shown in the following table.
Permissions Granted for Contact or AppContact Objects
Group | Permission | Applies to |
---|---|---|
RTCHSUniversalServices | Replicating directory changes | This object only |
RTCUniversalServerReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet, Read RTCUserProvisioningPropertySet, Read RTCPropertySet, Read Public-Information, Read General-Information, Read Personal-Information, Read User-Account-Restrictions | Descendant Contact objects |
RTCUniversalUserAdmins | Write RTCUserSearchPropertySet, Write otherIpPhone, Write displayName, Write description, Write telephoneNumber, Write msExchUCVoiceMailSettings, Write RTCUserProvisioningPropertySet, Write RTCPropertySet, Write proxyAddresses | Descendant Contact objects |
Granting Permission for Device Objects
When you run the Grant-CsOuPermission cmdlet for Device objects on an OU, groups are granted permissions as shown in the following table.
Permissions Granted for Device Objects
Group | Permission | Applies to |
---|---|---|
RTCHSUniversalServices | Replicating directory changes | This object only |
RTCUniversalServerReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet, Read RTCUserProvisioningPropertySet, Read RTCPropertySet, Read Public-Information, Read Personal-Information, Read General-Information, Read User-Account-Restrictions | Descendant Contact objects |
RTCUniversalUserAdmins | Create child, Delete child, Delete tree | Contact |
RTCUniversalUserAdmins | Write displayName, Write description, Write telephoneNumber | Descendant User objects |
RTCUniversalUserAdmins | Write RTCUserSearchPropertySet, Write otherIpPhone, Write displayName, Write description, Write telephoneNumber, Write msExchUCVoiceMailSettings, Write RTCUserProvisioningPropertySet, Write RTCPropertySet, Write proxyAddresses | Descendant Contact objects |
Granting Permission for InetOrgPerson Objects
When you run the Grant-CsOuPermission cmdlet for InetOrgPerson objects on an OU, groups are granted permissions as shown in the following table.
Permissions Granted for InetOrgPerson Objects
Group | Permission | Applies to |
---|---|---|
RTCHSUniversalServices | Replicating directory changes | This object only |
RTCUniversalServerReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | List contents, Read all properties, Read permissions | This object only |
RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet, Read RTCUserProvisioningPropertySet, Read RTCPropertySet, Read Personal-Information, Read Public-Information, Read General-Information, Read User-Account-Restrictions | Descendant inetOrgPerson objects |
RTCUniversalUserAdmins | Write RTCUserSearchPropertySet, Write RTCUserProvisioningPropertySet, Write RTCPropertySet, Write proxyAddresses | Descendant inetOrgPerson objects |
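The following is an added example, not part of the original topic: it grants the permissions on one OU only where Test-CsOuPermission reports them missing, then lists the access control entries held by the four RTC groups so they can be compared with the tables above. The OU distinguished name is a constructed placeholder, and the script assumes the Lync Server Management Shell and the ActiveDirectory module are both available.

```powershell
# Constructed placeholder: replace with the DN of the OU you are delegating.
$ou = 'OU=LyncUsers,DC=example,DC=com'
$objectTypes = 'User', 'Computer', 'Contact', 'AppContact', 'Device', 'InetOrgPerson'

# Run from the Lync Server Management Shell. Grant only where the check fails,
# so an OU that is already delegated is left untouched.
foreach ($type in $objectTypes) {
    if (-not (Test-CsOuPermission -ObjectType $type -OU $ou)) {
        Grant-CsOuPermission -ObjectType $type -OU $ou
    }
}

# Read the OU's ACL through the AD: drive provided by the ActiveDirectory module.
Import-Module ActiveDirectory
$rtcGroups = 'RTCHSUniversalServices', 'RTCUniversalServerReadOnlyGroup',
             'RTCUniversalUserReadOnlyGroup', 'RTCUniversalUserAdmins'
$rtcAces = @((Get-Acl -Path "AD:\$ou").Access | Where-Object {
    # IdentityReference is DOMAIN\Group; compare on the group name only.
    $rtcGroups -contains ($_.IdentityReference.Value -split '\\')[-1]
})

# One row per ACE. ObjectType is the GUID of the property set, attribute or
# extended right; InheritedObjectType is the GUID of the descendant class
# the ACE applies to ("Applies to" in the tables).
$rtcAces | Sort-Object IdentityReference |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType, IsInherited -AutoSize

# Rights that appear in none of the tables on this page. An RTC group holding
# one of these on the OU has more access than Grant-CsOuPermission documents.
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$notInTables = $rights::GenericAll, $rights::WriteDacl, $rights::WriteOwner
$unexpected = @($rtcAces | Where-Object {
    $ace = $_
    $notInTables | Where-Object {
        ([int]$ace.ActiveDirectoryRights -band [int]$_) -eq [int]$_
    }
})
if ($unexpected.Count -gt 0) {
    Write-Warning "RTC group ACEs on $ou with rights not listed in the tables:"
    $unexpected | Format-List IdentityReference, ActiveDirectoryRights, IsInherited
}
```

An ACE flagged with IsInherited set to True originates from a parent container, so the fix belongs on that parent rather than on this OU.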