Topic Last Modified: 2010-07-17
You can use the Grant-CsOuPermission cmdlet to grant permissions to objects in specified organizational units (OUs) so that members of the RTC universal groups created by forest preparation can access them without being members of the DomainAdmins group. The permissions added to the specified OU are the same permissions that the Enable-CsAdDomain cmdlet adds to the computers and users containers during domain preparation.
Use the Test-CsOuPermission cmdlet to verify the permissions you set up by using the Grant-CsOuPermission cmdlet.
You can use the Revoke-CsOuPermission cmdlet to remove permissions that you granted by using the Grant-CsOuPermission cmdlet.
To grant OU permissions
- Log on to a computer running Communications Server 2010 in the domain where you want to grant OU permissions. Use an account that is a member of the DomainAdmins group or the EnterpriseAdmins group if the OU is in a different child domain.
- Open the Communications Server Management Shell, and then run:
  Grant-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact> -OU <DN of the OU> [-Domain <Domain FQDN>]
If you do not specify the Domain parameter, the value defaults to the local domain.
To verify OU permissions
- Log on to a computer running Communications Server 2010 in the domain where you want to verify OU permissions that you granted by using the Grant-CsOuPermission cmdlet. Use an account that is a member of the DomainAdmins group or the EnterpriseAdmins group if the OU is in a different child domain.
- Open the Communications Server Management Shell console, and then run:
  Test-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact> -OU <DN of the OU> [-Domain <Domain FQDN>]
If you do not specify the Domain parameter, the value defaults to the local domain.
To revoke OU permissions
- Log on to a computer running Communications Server 2010 in the domain where you want to revoke OU permissions that were granted by the Grant-CsOuPermission cmdlet. Use an account that is a member of the DomainAdmins group or the EnterpriseAdmins group if the OU is in a different child domain.
- Open the Communications Server Management Shell console, and then run:
  Revoke-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact> -OU <DN of the OU> [-Domain <Domain FQDN>]
If you do not specify the Domain parameter, the value defaults to the local domain.
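The three procedures above can be combined into one least-privilege check for a single OU. The following script is an added example, not part of the original topic: it grants only the object types the OU is meant to hold, verifies every type, and reports any grant outside that set. The OU DN, domain FQDN, $intended list and $revokeUnexpected switch are placeholders or hypothetical names, and the script assumes Test-CsOuPermission returns a Boolean value.

```powershell
# Added example, not from the original topic. Run it in the Communications Server
# Management Shell under an account with the membership the procedures require.
# Assumptions: $ou and $domain are placeholders; Test-CsOuPermission is assumed
# to return $true/$false; $revokeUnexpected is a hypothetical switch for this script.
$ou               = 'OU=CsUsers,DC=example,DC=com'   # placeholder OU DN
$domain           = 'example.com'                    # placeholder domain FQDN
$intended         = @('User', 'Contact')             # types this OU actually holds
$revokeUnexpected = $false                           # report only by default
$allTypes = @('User', 'Computer', 'InetOrgPerson', 'Contact', 'AppContact')

function Test-OuGrant([string]$ObjectType) {
    # Coerce to Boolean so an empty result counts as "not granted".
    [bool](Test-CsOuPermission -ObjectType $ObjectType -OU $ou -Domain $domain)
}

$report = foreach ($type in $allTypes) {
    $wanted = $intended -contains $type
    $before = Test-OuGrant $type
    if ($wanted -and -not $before) {
        # Grant only what is missing from the intended set.
        Grant-CsOuPermission -ObjectType $type -OU $ou -Domain $domain | Out-Null
    }
    elseif (-not $wanted -and $before -and $revokeUnexpected) {
        # Remove grants that fall outside the intended set.
        Revoke-CsOuPermission -ObjectType $type -OU $ou -Domain $domain | Out-Null
    }
    $after = Test-OuGrant $type
    New-Object PSObject -Property @{
        ObjectType = $type; Intended = $wanted; Before = $before; After = $after
        InDesiredState = ($after -eq $wanted)
    }
}

$report | Select-Object ObjectType, Intended, Before, After, InDesiredState |
    Format-Table -AutoSize

# Flag every object type whose verified state differs from the intended one.
$drift = @($report | Where-Object { -not $_.InDesiredState })
if ($drift.Count -gt 0) {
    $names = ($drift | ForEach-Object { $_.ObjectType }) -join ', '
    Write-Warning "OU permissions differ from the intended set for: $names"
}
```

With $revokeUnexpected left at $false, the script only reports grants outside the intended set; set it to $true to have the script remove them with Revoke-CsOuPermission.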