In a locked-down Active Directory Domain Service (AD DS), Users and Computer objects are often placed in specific organizational units (OUs) with permissions inheritance disabled to help secure administrative delegation and to enable use of Group Policy objects (GPOs) to enforce security policies.

Domain preparation and server activation set the access control entries (ACEs) required by Office Communications Server 2007 R2. When permissions inheritance is disabled, the Office Communications Server security groups cannot inherit these ACEs. When these permissions are not inherited, Office Communications Server security groups cannot access settings, and the following two issues arise:

To address these issues, Office Communications Server provides an additional Active Directory preparation procedure called CreateLcsOuPermissions, available with the LcsCmd.exe command-line tool. This procedure sets required Office Communications Server ACEs directly on a specified container and the objects within the container.

Set Permissions for User, InetOrgPerson, and Contact Objects after Running Domain Preparation

In a locked-down Active Directory environment where permissions inheritance is disabled, domain preparation does not set the necessary ACEs on the containers holding Users or InetOrgPerson objects within the domain. In this situation, you must run LcsCmd.exe with the CreateLcsOuPermissions action on each container that has User or InetOrgPerson objects for which permissions inheritance is disabled. If you have a central forest topology, you must also perform this procedure on the container that holds Contact objects. (For details about central forest topologies, see Supported Active Directory Topologiesin the Office Communications Server 2007 R2 Supported Topologies and Infrastructure Requirements documentation.) The /objecttypeparameter specifies the object type.

This procedure adds the required ACEs directly on the specified containers and the User or InetOrgPerson objects within the container.

User rights equivalent to DomainAdmins group membership are required to perform this procedure. If the authenticated user ACEs have also been removed in the locked-down environment, you must grant this account read-access ACEs on the relevant containers in the forest root domain as described in Authenticated User Permissions Are Removedor use an account that is a member of the EnterpriseAdmins group.

To set required ACEs for User, InetOrgPerson, and Contact objects
  1. Log on to a computer joined to the domain with an account that is a member of the DomainAdmins group or that has equivalent user rights.

  2. Open a command prompt and then run:

    Copy Code
    LcsCmd.exe /domain[:<FQDN of domain where the OUs are
    located>] 
    /action:CreateLcsOuPermissions 
    /ou:<DN name for the OU container relative to the domain root
    container DN> 
    /objectType:<type of object to create Office Communications
    Server ACEs for – user, InetOrgPerson, contact, AppContact>
    

    For example:

    Copy Code
    LcsCmd.exe /domain /action:CreateLcsOuPermissions 
    /ou:”OU=usersOU” /objectType:user
    
  3. In the log file, look for <Success>Execution Result at the end of each task to verify that the permissions were set, and then close the log window. Or, you can run the following command to determine whether the permissions were set:

    Copy Code
    LcsCmd.exe /domain[:<FQDN of domain where the OUs are
    located>] 
    /action:CheckLcsOuPermissions 
    /ou:<DN name for the OU container relative to the domain root
    container DN> 
    /objectType:<type of object – user, InetOrgPerson, contact,
    AppContact
    

Set Permissions for Computer Objects after Running Domain Preparation

In a locked-down Active Directory environment where permissions inheritance is disabled, domain preparation does not set the necessary ACEs on the containers that hold Computer objects within the domain. In this situation, you must run LcsCmd.exe with the CreateLcsOuPermissions action on each container that has computers running Office Communications Server with permissions inheritance is disabled. The /objecttypeparameter specifies the object type.

This procedure adds the required ACEs directly on the specified containers.

User rights equivalent to DomainAdmins group membership are required to perform this procedure. If the authenticated user ACEs have also been removed, you must grant this account read-access ACEs on the relevant containers in the forest root domain as described in Authenticated User Permissions Are Removedor use an account that is a member of the EnterpriseAdmins group.

To set required ACEs for Computer objects
  1. Log on to the domain computer with an account that is a member of the DomainAdmins group or that has equivalent user rights.

  2. Open a command prompt and then run:

    Copy Code
    LcsCmd.exe /domain[:<FQDN of domain where the computer OU is
    located>]
    /action:CreateLcsOuPermissions 
    /ou:<DN name for the computer OU container relative to the
    domain root container DN>
    /objectType:<computer>
    

    For example:

    Copy Code
    LcsCmd.exe /domain:resources.corp.woodgrovebank.com 
    /action:CreateLcsOuPermissions /ou:”OU=computersOU”
    /objectType:computer
    
  3. In the log file, look for <Success>Execution Result at the end of each task and verify that there are no errors, and then close the log. Or, you can run the following command to determine whether the permissions were set:

    Copy Code
    LcsCmd.exe /domain[:<FQDN of domain where the computer OU is
    located>] 
    /action:CheckLcsOuPermissions 
    /ou:<DN name for the computer OU container relative to the
    domain root container DN> /objectType:<computer>
    
    Note:
    If you run domain preparation on the forest root domain in a locked-down Active Directory environment, be aware that Office Communications Server requires access to the Active Directory Schema and Configuration containers.

    If the default authenticated user permission is removed from the Schema or the Configuration containers in AD DS, only members of the Schema Admins group or EnterpriseAdmins group are permitted to access this container. Because Setup.exe, LcsCmd.exe, and the snap-in require access to these containers, Setup and installation of the administrative tools fails unless the user running installation has user rights equivalent to Schema Admins and EnterpriseAdmins group membership.

    To remedy this situation, you must grant RTCUniversalGlobalReadOnly group access to the Schema and Configuration containers.