O R G A N I C / F E R T I L I Z E R: delegating lcs administration for users...

Aug 26, 2005

delegating lcs administration for users...

when i was told that user administration couldn't be delegated to just the domain, i refused to take that for an answer. this is Live Communications Server 2005! that means two full product releases from exchange im. if you recall, there was an lcs 2003 as well, but it didn't get quite that much play. after a few rounds, microsoft came back with an answer. admittedly, it was a little difficult to understand in the context they provided. let me see if i can make it a little easier. keep in mind, these steps are for a multi-domain forest. high-level steps:
  • create root domain universal group
  • delegate access to msRTCSIP objects
  • delegate access to computer objects
  • grant access to RTC Local User Administrators
  • delegate access to user objects
in this example, we'll use a root domain universal group called RTCPerms. we need to give RTCPerms some object-level access. to do this, go to your root domain and navigate down through cn=System, then cn=Microsoft, to cn=RTC Service (that's cn=RTC Service,cn=Microsoft,cn=System,dc=root). grant RTCPerms the following rights on each object class there:
  • msRTCSIP-Pool objects
    • Read All Properties
  • msRTCSIP-PoolService objects
    • Read All Properties
  • msRTCSIP-Service objects
    • List Contents, Read All Properties
  • msRTCSIP-GlobalContainer objects
    • List Contents, Read All Properties
not done quite yet. connect back to the domain where your lcs servers reside. switch the aduc view to show users, groups, and computers as containers. go to your lcs servers and drop them down. you'll see a microsoft container. drop it down to see the rtc services container. remember the RTCPerms universal group in the root domain? okay, good. grant it Read All Properties rights to that container.

alright, one more thing, then you're on your own. add RTCPerms to the "RTC Local User Administrators" local group on your lcs server. assuming you're using a pool, add it to the same local group on each pool member.

now you're on your own. however you want to delegate permissions to your users, do it that way. whether you delegate full control, read/write all properties, or RTC-specific properties, it will all work now. all you have to do is add the delegated group to the RTCPerms universal group that sits in the root domain. ah, more for the gray matter. time to drop another childhood memory.
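if you'd rather script the root-domain ACEs and the local group membership than click through aduc, here is an added PowerShell example (not from the original post, and not microsoft's tooling) that does the msRTCSIP object delegation and the "RTC Local User Administrators" step. it assumes a root domain of dc=root,dc=example, the universal group ROOT\RTCPerms, and pool members named lcs01 and lcs02; change those to match your forest.

```powershell
# Added example, not from the original post. Assumptions: root domain DC=root,DC=example,
# a universal group ROOT\RTCPerms, and the LCS pool members listed in $poolMembers.
# Run with rights to edit the root domain's RTC Service container and each server's local groups.
Add-Type -AssemblyName System.DirectoryServices
$rootDn      = 'DC=root,DC=example'                                # assumption
$poolMembers = @('lcs01', 'lcs02')                                 # assumption
$groupSid    = ([System.Security.Principal.NTAccount]'ROOT\RTCPerms').Translate(
                 [System.Security.Principal.SecurityIdentifier])

# rights to grant on child objects of CN=RTC Service, keyed by object class (from the post)
$grants = @{
  'msRTCSIP-Pool'            = 'ReadProperty'
  'msRTCSIP-PoolService'     = 'ReadProperty'
  'msRTCSIP-Service'         = 'ListChildren, ReadProperty'
  'msRTCSIP-GlobalContainer' = 'ListChildren, ReadProperty'
}

# map a class lDAPDisplayName to its schemaIDGUID so each ACE is scoped to that class only
$schemaDn = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
function Get-ClassGuid([string]$ldapDisplayName) {
  $s = [System.DirectoryServices.DirectorySearcher]::new(
    [ADSI]"LDAP://$schemaDn", "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))")
  [void]$s.PropertiesToLoad.Add('schemaIDGUID')
  $r = $s.FindOne()
  if (-not $r) { throw "class $ldapDisplayName not found in schema" }
  return [Guid]$r.Properties['schemaidguid'][0]
}

# delegate access to msRTCSIP objects: one inherited, class-scoped ACE per entry in $grants
$container = [ADSI]"LDAP://CN=RTC Service,CN=Microsoft,CN=System,$rootDn"
foreach ($class in $grants.Keys) {
  $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]$grants[$class],
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    (Get-ClassGuid $class))
  $container.ObjectSecurity.AddAccessRule($rule)
}
$container.CommitChanges()

# grant access to RTC Local User Administrators on every pool member (WinNT provider)
foreach ($server in $poolMembers) {
  $local = [ADSI]"WinNT://$server/RTC Local User Administrators,group"
  $local.Add('WinNT://ROOT/RTCPerms,group')
}
```

the per-server "rtc services" container grant in the lcs domain is not scripted here; it is the same AddAccessRule pattern against that container's DN with ReadProperty and no class guid.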