This section describes the domain-specific actions you can use to assign, check, or remove permissions from a domain group.

For details about delegating permissions, including syntax examples, see Delegating Office Communications Server Setup and Administrationin Preparing Active Directory Domain Services for Office Communications Server 2007 R2 in the Deployment documentation.

Delegate Permissions on a Domain

In Office Communications Server 2007 R2, you can use the CreateDelegationaction to delegate permissions to perform setup and administration tasks to users who are not members of an authorized Active Directory group, such as Domain Admins, RTCUniversalServerAdmins, RTCUniversalUserAdmins, RTCUniversalReadOnlyAdmins, RTCUniversalServerReadOnlyGroup, or RTCUniversalUserReadOnlyGroup, depending on the task.

The CreateDelegationaction accepts the following parameters.

Parameter	Description
/Delegation	Specifies the type of permissions granted to the trustee group. The options for this parameter are: ReadOnlyAdmin – read-only permissions to a server or user group ServerAdmin – permissions to administer Office Communications Servers UserAdmin – permissions to administer Office Communications Server users SetupAdmin – permissions to install and activate servers
/TrusteeGroup	Specifies the domain group to which you are granting permissions.
/TrusteeDomain	Specifies the FQDN of the domain in which the trustee group resides.
/ServiceAccount	Specifies the RTC service account name.
/ComponentServiceAccount	Specifies the RTC component service account name.
/ComputerOU	Specifies the distinguished name (DN) of the organizational unit (OU) that contains the computers running Office Communications Servers. The organizational unit that is specified by the /ComputerOUparameter and the organizational unit that is specified by the /UserOUparameter must reside in the same domain. If you want to delegate the administration of users in a domain other than the domain where Office Communications Server is installed, the organizational unit that is specified by the /ComputerOUparameter still must reside in the same domain as the organizational unit that is specified by the /UserOUparameter.
/UserOU	Specifies the DN of the organizational unit containing the users that the trustee group will administer. The organizational unit that is specified by the /ComputerOUparameter and the organizational unit that is specified by the /UserOUparameter must reside in the same domain.
/UserType	Specifies the type of the user object on which to create, check, or remove delegations. The options for this parameter are User, Contact, InetOrgPerson, or Computer.
/UserTypePermission	New in Office Communications Server 2007 R2. Specifies a list of permissions to grant. This is a comma-separated list, with possible values of Read and Write. The default is Read.
/PoolName	Specifies the name of the Standard Edition server or Enterprise pool in which the trustee group can administer users or servers, and adds the trustee group to the Local Administrators group of each computer in the pool and to the ReadOnlyRole on the Microsoft SQL Server back-end databases.
/ExtraServers	Specifies a comma separated list of FQDNs of computers to which the group requires access but are not part of the pool. You can enter the FQDN of Archiving Servers, Mediation Servers, or the internal FQDN of Edge Servers.

Checking Delegation

Use the CheckDelegationaction to validate that permissions to perform setup or administration tasks have been delegated correctly.

The CheckDelegationaction accepts the following parameters.

Parameter	Description
/TrusteeGroup	Specifies the group to which you are granting permissions.
/TrusteeDomain	Specifies the FQDN of the domain in which the trustee group resides.
/ServiceAccount	Specifies the RTC service account name.
/ComponentServiceAccount	Specifies the RTC component service account name.
/ComputerOU	Specifies the DN of the organizational unit containing the computers running Office Communications Server servers. The organizational unit that is specified by the /ComputerOUparameter and the organizational unit that is specified by the /UserOUparameter must reside in the same domain.
/UserOU	Specifies the DN of the organizational unit containing the users that the trustee group administers. The organizational unit that is specified by the /ComputerOUparameter and the organizational unit that is specified by the /UserOUparameter must reside in the same domain.
/UserType	Specifies the type of the user object on which to create, check, or remove delegations.
/PoolName	Specifies the name of the Standard Edition server or Enterprise pool in which the trustee group can administer users or servers, and adds the trustee group to the Local Administrators group of each computer in the pool and to the ReadOnlyRole on the SQL Server back-end databases.
/ExtraServers	Specifies a comma separated list of FQDNs of computers to which the group requires access but are not part of the pool. You can enter the FQDN of Archiving Servers, Mediation Servers, or the internal FQDN of Edge Servers.

The following command runs the CheckDelegationaction.

	Copy Code
LCSCmd.exe /domain[:<Domain FQDN>] /action:CheckDelegation /TrusteeGroup:<name of the universal group with delegated permissions>

Such as:

	Copy Code
LCSCmd.exe /domain /action:CheckDelegation /TrusteeGroup:MyDomainGroup

Removing Delegation

Use the RemoveDelegationaction to remove permissions to perform setup or administration tasks from a trustee group. The following command runs the RemoveDelegationaction.

	Copy Code
LCSCmd.exe /domain[:<Domain FQDN>] /action:RemoveDelegation /TrusteeGroup:<name of the universal group with delegated permissions>

Such as:

	Copy Code
LCSCmd.exe /domain /action:RemoveDelegation /TrusteeGroup:MyDomainGroup

The following optional parameters exist to augment the RemoveDelegationaction.

Parameter	Description
/TrusteeGroup	Specifies the domain group to which you are granting permissions.
/TrusteeDomain	Specifies the FQDN of the domain in which the trustee group resides.
/ServiceAccount	Specifies the RTC service account name.
/ComponentServiceAccount	Specifies the RTC component service account name.
/ComputerOU	Specifies the DN of the organizational unit containing the computers running Office Communications Servers. The organizational unit that is specified by the /ComputerOUparameter and the organizational unit that is specified by the /UserOUparameter must reside in the same domain.
/UserOU	Specifies the DN of the organizational unit containing the users that the trustee group administers. The organizational unit that is specified by the /ComputerOUparameter and the organizational unit that is specified by the /UserOUparameter must reside in the same domain.
/UserType	Specifies the type of the user object on which to create, check, or remove delegations.
/PoolName	Specifies the name of the Standard Edition server or Enterprise pool in which the trustee group can administer users or servers, and adds the trustee group to the Local Administrators group of each computer in the pool and to the ReadOnlyRole on the SQL Server back-end database.
/ExtraServers	Specifies a comma separated list of FQDNs of computers to which the group requires access but are not part of the pool. You can enter the FQDN of Archiving Servers, Mediation Servers, or the internal FQDN of Edge Servers.