[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready]

Topic Last Modified: 2010-07-17

You can use the Grant-CsSetupPermission cmdlet to add Read, Write, ReadSPN, and WriteSPN permissions to the RTCUniversalServerAdmins group for a specified Active Directory organizational unit (OU). Then, members of the RTCUniversalServerAdmins group in that OU can install Communications Server 2010 servers in the specified domain without being members of the DomainAdmins group.

Use the Test-CsSetupPermission to verify the permissions you set up by using the Grant-CsSetupPermission cmdlet.

You can use the Revoke-CsSetupPermission cmdlet to remove permissions that you granted by using the Grant-CsSetupPermission cmdlet.

To grant setup permissions

  1. Log on to a computer running Communications Server 2010 in the domain where you want to grant setup permissions. Use an account that is a member of the DomainAdmins group or the EnterpriseAdmins group if the OU is in a different child domain.

  2. Open the Communications Server Management Shell console, and then run:

    Copy Code 
    Grant-CsSetupPermission -ComputerOu <DN of the OU or container where the computer objects that will run Communications Server reside > [-Domain <Domain FQDN>]

    You can specify the ComputerOu parameter as relative to the default naming context of the specified domain (for example, CN=computers). Alternatively, you can specify this parameter as the full OU distinguished name (DN) (for example, "CN=computers,DC=Contoso,DC=com"). In the latter case, you must specify an OU DN that is consistent with the domain you specify.

    If you do not specify the Domain parameter, the value defaults to the local domain.

To verify setup permissions

  1. Log on to a computer running Communications Server 2010 in the domain where you want to verify setup permissions that you granted by using the Grant-CsSetupPermission cmdlet. Use an account that is a member of the DomainAdmins group or the EnterpriseAdmins group if the OU is in a different child domain.

  2. Open the Communications Server Management Shell console, and then run:

    Copy Code 
    Test-CsSetupPermission -ComputerOu <DN of the OU or container where the computer objects that will run Communications Server reside> [-Domain <Domain FQDN>]

    You can specify the ComputerOu parameter as relative to the default naming context of the specified domain (for example, CN=computers). Alternatively, you can specify this parameter as the full OU distinguished name (DN) (for example, "CN=computers,DC=Contoso,DC=com"). In the latter case, you must specify an OU DN that is consistent with the domain you specify.

    If you do not specify the Domain parameter, the value defaults to the local domain.

To revoke setup permissions

  1. Log on to a computer running Communications Server 2010 in the domain where you want to revoke setup permissions that were granted by the Grant-CsSetupPermission cmdlet. Use an account that is a member of the DomainAdmins group or the EnterpriseAdmins group if the OU is in a different child domain.

  2. Open the Communications Server Management Shell, and then run:

    Copy Code 
    Revoke-CsSetupPermission -ComputerOu <DN of the OU or container where the computer objects that will run Communications Server reside > [-Domain <Domain FQDN>]

    You can specify the ComputerOu parameter as relative to the default naming context of the specified domain (for example, CN=computers). Alternatively, you can specify this parameter as the full OU distinguished name (DN) (for example, "CN=computers,DC=Contoso,DC=com"). In the latter case, you must specify an OU DN that is consistent with the domain you specify.

    If you do not specify the Domain parameter, the value defaults to the local domain.