How to enable a Domain Admin for Skype for Business

Perhaps you have seen the error message below when trying to enable a Domain Admin (not recommended) in the Skype for Business control panel.

Active Directory operation failed on “DC01.skypedev.nl”. You cannot retry this operation:
“Insufficient access rights to perform the operation
00002098: SecErr: DSID-03150F93, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.You do not have the appropriate permissions to perform this operation in Active Directory. One
possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify
users who belong to protected security groups (for example, the Domain Admins group). To manage
users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain
Admins account. There are other possible causes. For details, see Skype for Business Server 2015 Help.

You cannot use the Control Panel to modify users who belong to protected security groups. So your options are to either use PowerShell, as suggested in the error message, or you could try this magical thing:

  1. Open Active Directory Users and Computers
  2. Enable Advanced Features in the View menu
  3. Search for the account which is in a protected security group
  4. Go to Properties / Security / Advanced
  5. Check the following box: Include inheritable permissions
  6. Retry what you were doing in the Lync Control Panel

Now this might not be the most secure way of solving this issue. For my lab environment I do not care too much about that, but I would think twice before doing this in a production environment. You should probably not Skype-enable your domain admin accounts at all if you want to be and stay secure.
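
To see where the checkbox from step 5 has been ticked, the following read-only audit lists every protected account and reports whether permission inheritance is enabled on it and whether it is Skype-enabled. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the schema has been extended for Lync / Skype for Business, so the `msRTCSIP-*` attributes exist. The function name `Get-ProtectedAccountInheritance` is hypothetical.

```powershell
# Added example, not from the original post. Read-only: it changes nothing in AD.
# Assumptions: ActiveDirectory module (RSAT) available; Lync/SfB schema extension
# present so the msRTCSIP-* attributes can be requested.
Import-Module ActiveDirectory

function Get-ProtectedAccountInheritance {
    [CmdletBinding()]
    param(
        # Where to search; defaults to the whole current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $props = 'nTSecurityDescriptor', 'whenChanged',
             'msRTCSIP-UserEnabled', 'msRTCSIP-PrimaryUserAddress'

    # adminCount=1 marks accounts that are (or once were) in a protected group
    # such as Domain Admins.
    Get-ADUser -LDAPFilter '(adminCount=1)' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                # AreAccessRulesProtected = $true  -> inheritance is blocked
                # AreAccessRulesProtected = $false -> "Include inheritable
                #                                     permissions" is ticked
                InheritanceEnabled = -not $sd.AreAccessRulesProtected
                SkypeEnabled       = [bool]$_.'msRTCSIP-UserEnabled'
                SipAddress         = $_.'msRTCSIP-PrimaryUserAddress'
                WhenChanged        = $_.whenChanged
            }
        }
}

$report = Get-ProtectedAccountInheritance

# Full overview, accounts with inheritance enabled first.
$report | Sort-Object InheritanceEnabled -Descending | Format-Table -AutoSize

# Protected accounts that currently inherit permissions from their parent OU.
$drift = @($report | Where-Object InheritanceEnabled)
Write-Host ("{0} protected account(s) with inheritance enabled" -f $drift.Count)
```

Active Directory periodically (every 60 minutes by default) re-applies the AdminSDHolder permissions to protected accounts and switches inheritance back off, so the checkbox does not stay ticked for long. A protected account that shows `InheritanceEnabled` as True was therefore changed recently and is worth a closer look.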
#EOF
