This section describes the domain-specific actions you can use to assign, check, or remove permissions from a domain group.

For details about delegating permissions, including syntax examples, see Delegating Office Communications Server Setup and Administration in Preparing Active Directory Domain Services for Office Communications Server 2007 R2 in the Deployment documentation.

Delegate Permissions on a Domain

In Office Communications Server 2007 R2, you can use the CreateDelegation action to delegate permissions to perform setup and administration tasks to users who are not members of an authorized Active Directory group, such as Domain Admins, RTCUniversalServerAdmins, RTCUniversalUserAdmins, RTCUniversalReadOnlyAdmins, RTCUniversalServerReadOnlyGroup, or RTCUniversalUserReadOnlyGroup, depending on the task.

The CreateDelegation action accepts the following parameters.

Parameter Description

/Delegation

Specifies the type of permissions granted to the trustee group. The options for this parameter are:

  • ReadOnlyAdmin – read-only permissions to a server or user group

  • ServerAdmin – permissions to administer Office Communications Servers

  • UserAdmin – permissions to administer Office Communications Server users

  • SetupAdmin – permissions to install and activate servers

/TrusteeGroup

Specifies the domain group to which you are granting permissions.

/TrusteeDomain

Specifies the FQDN of the domain in which the trustee group resides.

/ServiceAccount

Specifies the RTC service account name.

/ComponentServiceAccount

Specifies the RTC component service account name.

/ComputerOU

Specifies the distinguished name (DN) of the organizational unit (OU) that contains the computers running Office Communications Servers. The organizational unit that is specified by the /ComputerOU parameter and the organizational unit that is specified by the /UserOU parameter must reside in the same domain.

If you want to delegate the administration of users in a domain other than the domain where Office Communications Server is installed, the organizational unit that is specified by the /ComputerOU parameter still must reside in the same domain as the organizational unit that is specified by the /UserOU parameter.

/UserOU

Specifies the DN of the organizational unit containing the users that the trustee group will administer. The organizational unit that is specified by the /ComputerOU parameter and the organizational unit that is specified by the /UserOU parameter must reside in the same domain.

/UserType

Specifies the type of the user object on which to create, check, or remove delegations. The options for this parameter are User, Contact, InetOrgPerson, or Computer.

/UserTypePermission

New in Office Communications Server 2007 R2. Specifies a list of permissions to grant. This is a comma-separated list, with possible values of Read and Write. The default is Read.

/PoolName

Specifies the name of the Standard Edition server or Enterprise pool in which the trustee group can administer users or servers, and adds the trustee group to the Local Administrators group of each computer in the pool and to the ReadOnlyRole on the Microsoft SQL Server back-end databases.

/ExtraServers

Specifies a comma-separated list of FQDNs of computers to which the group requires access but that are not part of the pool. You can enter the FQDN of Archiving Servers, Mediation Servers, or the internal FQDN of Edge Servers.
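The constraints spelled out above (the fixed value sets for /Delegation, /UserType and /UserTypePermission, and the rule that /ComputerOU and /UserOU must reside in the same domain) can be checked before LCSCmd.exe is run at all, which avoids a half-applied delegation. The Python below is an added example, not part of this documentation or of LCSCmd.exe; it assumes the /Parameter:value syntax shown in the CheckDelegation examples on this page applies to the other parameters too, and every group name, pool name and DN in it is a constructed sample value.

```python
from typing import List, Optional

# Value sets documented for the CreateDelegation action on this page.
DELEGATION_TYPES = {"ReadOnlyAdmin", "ServerAdmin", "UserAdmin", "SetupAdmin"}
USER_TYPES = {"User", "Contact", "InetOrgPerson", "Computer"}
USER_TYPE_PERMISSIONS = {"Read", "Write"}

def dn_domain(dn: str) -> str:
    """DNS domain implied by the DC= components of a DN (simplified: no escaped commas)."""
    dcs = [r.strip()[3:] for r in dn.split(",") if r.strip().upper().startswith("DC=")]
    if not dcs:
        raise ValueError(f"no DC= components in DN: {dn!r}")
    return ".".join(dcs).lower()

def check_delegation_args(delegation: str, computer_ou: str, user_ou: str,
                          user_type: str = "User", user_type_permission: str = "Read") -> List[str]:
    """Return the documented constraints this parameter set violates ([] if none)."""
    problems = []
    if delegation not in DELEGATION_TYPES:
        problems.append(f"/Delegation must be one of {sorted(DELEGATION_TYPES)}")
    if user_type not in USER_TYPES:
        problems.append(f"/UserType must be one of {sorted(USER_TYPES)}")
    if any(p.strip() not in USER_TYPE_PERMISSIONS for p in user_type_permission.split(",")):
        problems.append("/UserTypePermission is a comma-separated list of Read and/or Write")
    try:  # same-domain rule holds even when users in another domain are being delegated
        if dn_domain(computer_ou) != dn_domain(user_ou):
            problems.append("/ComputerOU and /UserOU must reside in the same domain")
    except ValueError as exc:
        problems.append(str(exc))
    return problems

def build_create_delegation(domain: str, delegation: str, trustee_group: str, trustee_domain: str,
                            computer_ou: str, user_ou: str, user_type: str = "User",
                            user_type_permission: str = "Read", pool_name: Optional[str] = None,
                            extra_servers: Optional[List[str]] = None) -> List[str]:
    """argv for LCSCmd.exe CreateDelegation; raises on parameter sets that break the rules above."""
    problems = check_delegation_args(delegation, computer_ou, user_ou, user_type, user_type_permission)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["LCSCmd.exe", f"/domain:{domain}", "/action:CreateDelegation",
            f"/Delegation:{delegation}", f"/TrusteeGroup:{trustee_group}",
            f"/TrusteeDomain:{trustee_domain}", f"/ComputerOU:{computer_ou}",
            f"/UserOU:{user_ou}", f"/UserType:{user_type}",
            f"/UserTypePermission:{user_type_permission}"]
    if pool_name:
        argv.append(f"/PoolName:{pool_name}")
    if extra_servers:  # FQDNs outside the pool, e.g. Archiving or Mediation Servers
        argv.append("/ExtraServers:" + ",".join(extra_servers))
    return argv
```

Hand the returned list to subprocess.run rather than joining it into a string, so that DNs containing spaces are quoted for you.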

Checking Delegation

Use the CheckDelegation action to validate that permissions to perform setup or administration tasks have been delegated correctly.

The CheckDelegation action accepts the following parameters.

Parameter Description

/TrusteeGroup

Specifies the domain group whose delegated permissions you are checking.

/TrusteeDomain

Specifies the FQDN of the domain in which the trustee group resides.

/ServiceAccount

Specifies the RTC service account name.

/ComponentServiceAccount

Specifies the RTC component service account name.

/ComputerOU

Specifies the DN of the organizational unit containing the computers running Office Communications Servers. The organizational unit that is specified by the /ComputerOU parameter and the organizational unit that is specified by the /UserOU parameter must reside in the same domain.

/UserOU

Specifies the DN of the organizational unit containing the users that the trustee group administers. The organizational unit that is specified by the /ComputerOU parameter and the organizational unit that is specified by the /UserOU parameter must reside in the same domain.

/UserType

Specifies the type of the user object on which to create, check, or remove delegations.

/PoolName

Specifies the name of the Standard Edition server or Enterprise pool in which the trustee group can administer users or servers, and adds the trustee group to the Local Administrators group of each computer in the pool and to the ReadOnlyRole on the SQL Server back-end databases.

/ExtraServers

Specifies a comma-separated list of FQDNs of computers to which the group requires access but that are not part of the pool. You can enter the FQDN of Archiving Servers, Mediation Servers, or the internal FQDN of Edge Servers.

The following command runs the CheckDelegation action.

LCSCmd.exe /domain[:<Domain FQDN>] /action:CheckDelegation /TrusteeGroup:<name of the universal group with delegated permissions>

Such as:

LCSCmd.exe /domain /action:CheckDelegation /TrusteeGroup:MyDomainGroup

Removing Delegation

Use the RemoveDelegation action to remove permissions to perform setup or administration tasks from a trustee group. The following command runs the RemoveDelegation action.

LCSCmd.exe /domain[:<Domain FQDN>] /action:RemoveDelegation /TrusteeGroup:<name of the universal group with delegated permissions>

Such as:

LCSCmd.exe /domain /action:RemoveDelegation /TrusteeGroup:MyDomainGroup

The following optional parameters exist to augment the RemoveDelegation action.

Parameter Description

/TrusteeGroup

Specifies the domain group from which you are removing permissions.

/TrusteeDomain

Specifies the FQDN of the domain in which the trustee group resides.

/ServiceAccount

Specifies the RTC service account name.

/ComponentServiceAccount

Specifies the RTC component service account name.

/ComputerOU

Specifies the DN of the organizational unit containing the computers running Office Communications Servers. The organizational unit that is specified by the /ComputerOU parameter and the organizational unit that is specified by the /UserOU parameter must reside in the same domain.

/UserOU

Specifies the DN of the organizational unit containing the users that the trustee group administers. The organizational unit that is specified by the /ComputerOU parameter and the organizational unit that is specified by the /UserOU parameter must reside in the same domain.

/UserType

Specifies the type of the user object on which to create, check, or remove delegations.

/PoolName

Specifies the name of the Standard Edition server or Enterprise pool in which the trustee group can administer users or servers, and adds the trustee group to the Local Administrators group of each computer in the pool and to the ReadOnlyRole on the SQL Server back-end database.

/ExtraServers

Specifies a comma-separated list of FQDNs of computers to which the group requires access but that are not part of the pool. You can enter the FQDN of Archiving Servers, Mediation Servers, or the internal FQDN of Edge Servers.