To administer Office Communications Server users, a user must have an account in the DomainAdmins group or the RTCUniversalUserAdmins group. Some organizations do not want to grant membership in the DomainAdmins group to users or groups who only need to manage Office Communications Server users. You can choose to add authorized users or groups to the RTCUniversalUserAdmins group, which is a universal group that can administer all users in the forest. Alternatively, by delegating user administration, you can grant a user or group only the subset of permissions required to administer a specific set of Office Communications Server users.
When you delegate user administration, you grant the following permissions:
- Read permissions to global settings
- Read permissions to a computer organizational unit (OU)
- Read/write permissions to a user OU
- Membership in the RTC Local User Administrators group on all servers within a specified pool
- ReadOnlyRole on the pool or server RTC and RTCConfig databases
To delegate user administration
- Log on to a computer in the domain where you want to grant permissions. Use an account that is a member of the DomainAdmins group or that has equivalent user rights.
- Open a command prompt and then type the following command:
LcsCmd.exe /Domain[:<domain FQDN>] /Action:CreateDelegation /Delegation:UserAdmin /TrusteeGroup:<name of the universal group that you will delegate to> /TrusteeDomain:<FQDN of the domain where the trustee group resides> /ServiceAccount:<RTC service account name> /ComponentServiceAccount:<RTC component service account name> /ComputerOU:<DN of the OU or container where the computer objects that run Office Communications Server reside> /UserOU:<DN of the OU or container where the Office Communications Server user objects reside> /UserType:{User | Contact | InetOrgPerson} /PoolName:<Name of a Standard Edition server or an Enterprise pool>
Where:
TrusteeGroup is the group to which you are granting permissions.
TrusteeDomain is the domain in which you are granting permissions.
ServiceAccount is the Real-time Communications (RTC) service account name.
ComponentServiceAccount is the RTC component service account name.
ComputerOU is the distinguished name (DN) of the OU containing the computer running the Office Communications Server Front End Server that hosts the users the trustee group will administer. The OU specified by the /ComputerOU parameter and the OU specified by the /UserOU parameter must reside in the same domain. This holds even when you delegate administration of users in a domain other than the one where Office Communications Server is installed: the OU specified by /ComputerOU must still reside in the same domain as the OU specified by /UserOU.
UserOU specifies the DN of the OU containing the users that the trustee group will administer. The OU specified by the /ComputerOU parameter and the OU specified by the /UserOU parameter must reside in the same domain.
UserType is the type of user object that the trustee group will have permissions to administer. Valid values are User, Contact, or InetOrgPerson.
PoolName is the name of the Standard Edition server or Enterprise pool in which the trustee group can administer users. Specifying it also adds the trustee group to the Local Administrators group of each computer in the pool and to the ReadOnlyRole of the SQL Server back-end databases.
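Because the delegation writes ACEs on the user OU and changes local group membership on every pool server, it is worth confirming afterwards that the trustee group received exactly the scope described above and nothing broader. The following PowerShell script is an added example, not part of the original page or of LcsCmd.exe; the trustee group name, OU distinguished name and server names are hypothetical placeholders, and it uses only the ADSI (LDAP and WinNT) providers so it runs without additional modules.

```powershell
# Added example (not from the original page): audits what a UserAdmin delegation
# granted, so the trustee group's reach can be reviewed after running LcsCmd.exe.
# All values below are hypothetical placeholders for your own environment.
$TrusteeGroup = 'CONTOSO\OCSUserAdmins'                       # NT-style name of the /TrusteeGroup
$UserOU       = 'OU=OCS Users,DC=contoso,DC=com'              # DN passed as /UserOU
$PoolServers  = @('ocs-fe01.contoso.com', 'ocs-fe02.contoso.com')  # members of the /PoolName pool

# 1. ACEs on the user OU that name the trustee group. Expect read/write rights
#    scoped to this OU and its user objects; anything inherited from a parent
#    or granting GenericAll/WriteDacl/WriteOwner deserves a second look.
$ou = [ADSI]"LDAP://$UserOU"
$ou.psbase.ObjectSecurity.Access |
    Where-Object { $_.IdentityReference.Value -eq $TrusteeGroup } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  IsInherited, InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# 2. Membership of "RTC Local User Administrators" on each pool server. The
#    trustee group should appear on every server; unexpected extra members
#    (stale groups, individual accounts) are what an audit is looking for.
$groupName = 'RTC Local User Administrators'
foreach ($server in $PoolServers) {
    try {
        $grp = [ADSI]"WinNT://$server/$groupName,group"
        $members = @($grp.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        [PSCustomObject]@{
            Server          = $server
            HasTrusteeGroup = [bool]($members -match [regex]::Escape($TrusteeGroup.Split('\')[-1]))
            Members         = ($members -join '; ')
        }
    } catch {
        Write-Warning "Could not read '$groupName' on ${server}: $($_.Exception.Message)"
    }
}
```

Run it under an account that can read the OU's security descriptor and enumerate local groups on the pool servers; the ReadOnlyRole membership in the RTC and RTCConfig databases is checked separately on the SQL Server back end.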