Granting Organizational Unit Permissions

[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready]

Topic Last Modified: 2010-07-17

You can use the Grant-CsOuPermission cmdlet to grant permissions to objects in specified organizational units (OUs) so that members of the RTC universal groups created by forest preparation can access them without being members of the DomainAdmins group. The permissions added to the specified OU are the same permissions that the Enable-CsAdDomain cmdlet adds to the computers and users containers during domain preparation.

Use the Test-CsOuPermission to verify the permissions you set up by using the Grant-CsOuPermission cmdlet.

You can use the Revoke-CsOuPermission cmdlet to remove permissions that you granted by using the Grant-CsOuPermission cmdlet.

To grant OU permissions

Log on to a computer running Communications Server 2010 in the domain where you want to grant OU permissions. Use an account that is a member of the DomainAdmins group or the EnterpriseAdmins group if the OU is in a different child domain.
Open the Communications Server Management Shell, and then run:
Copy Code
Grant-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact> -OU <DN of the OU> [-Domain <Domain FQDN>]
If you do not specify the Domain parameter, the value defaults to the local domain.

	Copy Code
Grant-CsOuPermission -ObjectType <User \| Computer \| InetOrgPerson \| Contact \| AppContact> -OU <DN of the OU> [-Domain <Domain FQDN>]

To verify OU permissions

Log on to a computer running Communications Server 2010 in the domain where you want to verify OU permissions that you granted by using the Grant-CsOuPermission cmdlet. Use an account that is a member of the DomainAdmins group or the EnterpriseAdmins group if the OU is in a different child domain.
Open the Communications Server Management Shell console, and then run:
Copy Code
Test-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact> -OU <DN of the OU> [-Domain <Domain FQDN>]
If you do not specify the Domain parameter, the value defaults to the local domain.

	Copy Code
Test-CsOuPermission -ObjectType <User \| Computer \| InetOrgPerson \| Contact \| AppContact> -OU <DN of the OU> [-Domain <Domain FQDN>]

To revoke OU permissions

Log on to a computer running Communications Server 2010 in the domain where you want to revoke OU permissions that were granted by the Grant-CsOuPermission cmdlet. Use an account that is a member of the DomainAdmins group or the EnterpriseAdmins group if the OU is in a different child domain.
Open the Communications Server Management Shell console, and then run:
Copy Code
Revoke-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact> -OU <DN of the OU> [-Domain <Domain FQDN>]
If you do not specify the Domain parameter, the value defaults to the local domain.