Log on to a computer in the domain where you want to grant permissions. Use an account that is a member of the Domain Admins group or that has equivalent user rights.

From the Office Communications Server installation folder or CD, run SetupEE.exe (for Enterprise Edition server consolidated configuration) or SetupSE.exe (for Standard Edition server) to start the deployment tool.

Click Prepare Environment.

Click Prepare Active Directory.

Click Delegate Setup and Administration.

At Delegate Setup Tasks, click Run.

On the Welcomepage, click Next.

On the Authorize Grouppage, in Select Trustee domain, specify the domain that contains the group to which you want to delegate permissions.

In Name of existing group, type the name of the group to which you want to delegate permissions, and then click Next.

Note:
This group must be a universal group or a global group. It cannot be a domain local group.

On the Location of Computer Objects for Deploymentpage, type the distinguished name (DN) of the organizational unit (OU) or container that hosts the computer objects on which Office Communications Server will be deployed.

Note:
You can use the ADSI Edit tool to navigate to the properties of the group, and then copy and paste the DN of the group into the wizard.

On the Service Accountpage, type the Session Initiation Protocol (SIP) service account and component service account that will be used by Office Communications Server.

On the Ready to Perform Setup Delegationpage, verify your settings, and then click Next.

When the wizard is complete, click Finish.

Add the new trustee group to the Local Administrators group of each server where you want to install Office Communications Server and the computer running the SQL Server back-end database server for any Enterprise pools.

If, in your organization, Authenticated Users security group permissions have been removed from Active Directory, you must either add the new trustee group for setup tasks to RTCUniversalServerAdmins or manually grant Read permissions to the trustee group for the following containers in the forest root:

• Forest root domain
  
  
• Forest root domain System container
  
  
• Configuration container
  
  
• Root of the domain where permissions is delegated
  
  
• Parent containers of computer objects and service account objects
  
  

Open a command prompt, and then type whoami.exe /allto verify that the user has appropriate permissions. The output should be similar to the following:

Copy Code

Everyone Well-known group S-1-1-0 BUILTIN\Administrators Alias S-1-5-32-544 BUILTIN\Users Alias S-1-5-32-545 NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 NT AUTHORITY\This Organization Well-known group S-1-5-15 LOCAL Well-known group S-1-2-0 CONTOSO\RTCUniversalUserReadOnlyGroup Group S-1-5-21-4264192570- CONTOSO\RTCUniversalGlobalWriteGroup Group S-1-5-21-4264192570- CONTOSO\RTCUniversalGlobalReadOnlyGroup S-1-5-21-4264192570- CONTOSO\RTCUniversalServerReadOnlyGroup S-1-5-21-4264192570- CONTOSO\RTCSetupDelegate S-1-5-21-4264192570- CONTOSO\CERTSVC_DCOM_ACCESS Alias S-1-5-21-4264192570-

Log on to a computer running Office Communications Server in the domain where you want to grant permissions. Use an account that is a member of the Domain Admins group or that has equivalent credentials.

Open a command prompt and then type the following command:

Copy Code

LCSCmd.exe /Domain[:<domain FQDN>] /Action:CreateDelegation /Delegation:SetupAdmin /TrusteeGroup:<name of the universal group that you will delegate to> /TrusteeDomain:<FQDN of the domain where the trustee group resides> /ServiceAccount:<RTC service account name> /ComponentServiceAccount:<RTC component service account name> /ComputerOU:<DN of the OU or container where the computer objects that will run Office Communications Server reside>

Where:

TrusteeGroupis the group to which you are granting permissions.

TrusteeDomainis the domain in which the trustee group resides.

ServiceAccountis the Real-time Communications (RTC) service account name

ComponentServiceAccountis the RTC component service account name.

ComputerOUspecifies the DN of the OU containing the computers on which the trustee group can run Office Communications Server setup tasks.

Add the new trustee group to the Local Administrators group of each computer where you want to install Office Communications Server and the computer running the SQL Server back-end database server for any Enterprise pools.

If, in your organization, Authenticated Users security group permissions have been removed from Active Directory Domain Services (AD DS), you must either add the new trustee group for setup tasks to RTCUniversalServerAdmins or manually grant Read permissions to the trustee group for the following containers in the forest root:

• Forest root domain
  
  
• Forest root domain System container
  
  
• Configuration container
  
  
• Root of the domain where permissions is delegated
  
  
• Parent containers of computer objects and service account objects
  
  
• Open a command prompt and then type whoami.exe /allto verify the user has appropriate permissions. The output should be similar to the following:
  
  

  Copy Code

  Everyone Well-known group S-1-1-0 BUILTIN\Administrators Alias S-1-5-32-544 BUILTIN\Users Alias S-1-5-32-545 NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 NT AUTHORITY\This Organization Well-known group S-1-5-15 LOCAL Well-known group S-1-2-0 CONTOSO\RTCUniversalUserReadOnlyGroup Group S-1-5-21-4264192570- CONTOSO\RTCUniversalGlobalWriteGroup Group S-1-5-21-4264192570- CONTOSO\RTCUniversalGlobalReadOnlyGroup S-1-5-21-4264192570- CONTOSO\RTCUniversalServerReadOnlyGroup S-1-5-21-4264192570- CONTOSO\delegatedLSSetup Group S-1-5-21-4264192570- CONTOSO\CERTSVC_DCOM_ACCESS Alias S-1-5-21-4264192570-