Topic Last Modified: 2010-07-16
In a locked-down Active Directory Domain Service (AD DS), Users and Computer objects are often placed in specific organizational units (OUs) with permissions inheritance disabled to help secure administrative delegation and to enable use of Group Policy objects (GPOs) to enforce security policies.
Domain preparation and server activation set the access control entries (ACEs) required by Communications Server 2010. When permissions inheritance is disabled, the Communications Server security groups cannot inherit these ACEs. When these permissions are not inherited, Communications Server security groups cannot access settings, and the following two issues arise:
- To administer Users, InetOrgPersons, and Contacts, and to
operate servers, the Communications Server security groups require
ACEs set by the domain preparation procedure on each user’s
property sets, Real-time Communications (RTC), RTC User Search, and
Public Information. When permissions inheritance is disabled,
security groups do not inherit these ACEs and cannot manage servers
or users.
- To discover servers and pools, Communications Server servers
rely on ACEs set by activation on computer-related objects,
including the Microsoft Container and Server object. When
permissions inheritance is disabled, security groups, servers, and
pools do not inherit these ACEs and cannot take advantage of these
ACEs.
To address these issues, Communications Server provides a Communications Server Management Shell cmdlet called Grant-CsOuPermission. This cmdlet sets required Communications Server ACEs directly on a specified container and the objects within the container.
Set Permissions for User,
InetOrgPerson, and Contact Objects after Running Domain
Preparation
In a locked-down Active Directory environment where permissions inheritance is disabled, domain preparation does not set the necessary ACEs on the containers holding Users or InetOrgPerson objects within the domain. In this situation, you must run the Grant-CsOuPermission cmdlet on each container that has User or InetOrgPerson objects for which permissions inheritance is disabled. If you have a central forest topology, you must also perform this procedure on the container that holds Contact objects. The ObjectType parameter specifies the object type. The OU parameter specifies the organizational unit.
This cmdlet adds the required ACEs directly on the specified containers and the User or InetOrgPerson objects within the container.
You need user rights equivalent to DomainAdmins group membership to run this cmdlet. If the authenticated user ACEs have also been removed in the locked-down environment, you must grant this account read-access ACEs on the relevant containers in the forest root domain as described in Authenticated User Permissions Are Removed or use an account that is a member of the EnterpriseAdmins group.
To set required ACEs for User, InetOrgPerson, and Contact objects-
Log on to a computer joined to the domain with an account that is a member of the DomainAdmins group or that has equivalent user rights.
-
Open the Communications Server Management Shell console, and then run:
Copy CodeGrant-CsOuPermission -ObjectType <User | InetOrgPerson | Contact | AppContact> -OU <DN name for the OU container relative to the domain root container DN> [Domain <Domain FQDN>]
If you do not specify the Domain parameter, the value defaults to the local domain.
For example:
Copy CodeGrant-CsOuPermission -ObjectType User -OU usersOU
-
In the log file, look for <Success> Execution Result at the end of each task to verify that the permissions were set, and then close the log window. Or, you can run the following command to determine whether the permissions were set:
Copy CodeGet-CsOuPermission -ObjectType <type of object> -OU <DN name for the OU container relative to the domain root container DN> [Domain <Domain FQDN>]
You can also run the following cmdlet to test permissions:
Copy CodeTest-CsOuPermission -ObjectType <type of object> -OU <DN name for the OU container relative to the domain root container DN> [Domain <Domain FQDN>]
Set Permissions for Computer
Objects after Running Domain Preparation
In a locked-down Active Directory environment where permissions inheritance is disabled, domain preparation does not set the necessary ACEs on the containers that hold Computer objects within the domain. In this situation, you must run the Grant-CsOuPermission cmdlet on each container that has computers running Communications Server with permissions inheritance is disabled. The ObjectType parameter specifies the object type.
This procedure adds the required ACEs directly on the specified containers.
You need user rights equivalent to DomainAdmins group membership to run this cmdlet. If the authenticated user ACEs have also been removed, you must grant this account read-access ACEs on the relevant containers in the forest root domain as described in Authenticated User Permissions Are Removed or use an account that is a member of the EnterpriseAdmins group.
To set required ACEs for Computer objects-
Log on to the domain computer with an account that is a member of the DomainAdmins group or that has equivalent user rights.
-
Open the Communications Server Management Shell console, and then run:
Copy CodeGrant-CsOuPermission -ObjectType <Computer> -OU <DN name for the computer OU container relative to the domain root container DN> [Domain <Domain FQDN>]
If you do not specify the Domain parameter, the value defaults to the local domain.
For example:
Copy CodeGrant-CsOuPermission -ObjectType Computer -OU computersOU
-
In the log file, look for <Success> Execution Result at the end of each task and verify that there are no errors, and then close the log. Or, you can run the following command to determine whether the permissions were set:
Copy CodeGet-CsOuPermission -ObjectType <type of object> -OU <DN name for the OU container relative to the domain root container DN> [Domain <Domain FQDN>]
You can also run the following cmdlet to test permissions:
Copy CodeTest-CsOuPermission -ObjectType <type of object> -OU <DN name for the OU container relative to the domain root container DN> [Domain <Domain FQDN>]
Note:If you run domain preparation on the forest root domain in a locked-down Active Directory environment, be aware that Communications Server requires access to the Active Directory Schema and Configuration containers.
If the default authenticated user permission is removed from the Schema or the Configuration containers in AD DS, only members of the Schema Admins group or Enterprise Admins group are permitted to access this container. Because Setup.exe, Communications Server Management Shell cmdlets, and Communications Server Control Panel require access to these containers, Setup and installation of the administrative tools fails unless the user running installation has user rights equivalent to Schema Admins and Enterprise Admins group membership.
To remedy this situation, you must grant RTCUniversalGlobalReadOnly group access to the Schema and Configuration containers.