[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready]

Topic Last Modified: 2010-03-26

In a locked-down Active Directory Domain Services (AD DS) environment, authenticated user access control entries (ACEs) are removed from the default Active Directory containers, including the Users, Configuration or System, and organizational units (OUs) where User and Computer objects are stored. Removing authenticated user ACEs prevents read-access to Active Directory information. However, removing the ACEs creates problems for Communications Server 2010 because it depends on read permission to these containers to allow users to run domain preparation.

In this situation, membership in the DomainAdmins group, which is required to run domain preparation, server activation, and pool creation, no longer grants read access to Active Directory information stored in the default containers. You must manually grant read-access permissions on various containers in the forest root domain to check that the prerequisite forest preparation procedure is complete.

To enable a user to run domain preparation, server activation, or pool creation on any non-forest root domain, you have the following options:

If you do not want to use an account that is a member of the EnterpriseAdmins group to run domain preparation or other Setup tasks, explicitly grant the account you want to use read-access on the relevant containers in the forest root.

To give user read-access permissions on containers in the forest root domain

  1. Log on to the computer joined to the forest root domain with an account that is a member of the DomainAdmins group for the forest root domain.

  2. Run adsiedit.msc for the forest root domain.

    If authenticated user ACEs were removed from the Domain, Configuration or System container, you must grant read-only permissions to the container, as described in the following steps.

  3. Right-click the container, and then click Properties.

  4. Click the Security tab.

  5. Click Advanced.

  6. On the Permissions tab, click Add.

  7. Type the name of the user or group receiving permissions using the following format: domain\account name.

  8. Click OK.

  9. On the Objects tab, in Applies To, click This Object Only.

  10. In Permissions, select the following Allow ACEs by clicking the Allow column: List Content, Read All Properties, and Read Permissions.

  11. Click OK twice.

  12. Repeat these steps for any of the relevant containers listed in Step 2.