How to enable a Domain Admin for Skype for Business

Perhaps you have seen the error message below when trying to enable a Domain Admin (not recommended) in the Skype for Business control panel.

Active Directory operation failed on “DC01.skypedev.nl”. You cannot retry this operation:
“Insufficient access rights to perform the operation
00002098: SecErr: DSID-03150F93, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.You do not have the appropriate permissions to perform this operation in Active Directory. One
possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify
users who belong to protected scurity groups (for example, the Domain Admins group). To manage
users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain
Admins account. There are other possible causes. For details, see skype for Business Server 2015 Help.

You cannot use the Control Panel to users who belong to protected security groups. So your options are to either use Powershell as suggested in the error message or you could try this magical thing:

  1. Open active directory users and computers
  2. Enable the advanced features in the view menu
  3. Search for the account which is in a protected security group
  4. Go to Properties / Security / Advanced
  5. Check the following box: Include inheritable permissions
  6. Retry what you were doing in the Lync Control Panel
Now this might not be the best “securest” way of solving this issue, but for my lab environment I do not care too much about that, but i should think twice before doing this in a productional environment. Probably you should not Skype enable your domain admin accounts at all if you want to be and stay secure.
#EOF

Lync Server 2013 CU 9 – July 2017

This article lists the available updates for Microsoft Lync Server 2013, and specifies the applicability of the updates for each server role. The latest update for Lync Server 2013 was released on July, 2017.

Improvements and fixes that the July 2017 update contains

Updates that are released for Lync Server 2013

Download the Cumulative Server Update Installer.

Microsoft Lync Connectivity Analyzer

Yesterday June 13  2017 Microsoft announced the retirement of the Lync Connectivity Analyzer, and will be no longer available for public download.
I’ve uploaded the latest version on my host. You can Download LyncConnectivityAnalyzer it right here.

What can you do with this tool?

This tool can help you to test both your internal and external network for the Lync Apps which are available via both the Windows Store and several other stores for mobile devices such as the MarketPlace.

There are a few parameters you will need to configure before you can start the test:

  • SIP URI;
  • password;
  • Username;
  • If Lync Discover will need to be used;
  • If the test is performed from internal or external;
  • For what kind of app you want to test.

Once these parameters have been specified you can push the start button.

After several seconds the result will be available and you know if your Lync infrastructure can offer service to the Apps.

Security Updates Skype for Business (Lync) Client – June 2017

Patch Tuesday

During patch Tuesday Microsoft released two security patches for Skype for Business and one for Lync 2013.

Security update for Skype for Business 2016

Summary

This security update resolves vulnerabilities in Microsoft Office that could allow
remote code execution if a user opens a specially crafted Office file.
To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0283.

Note To apply this security update, you must have the release version of
Skype for Business 2016 installed on the computer.

(download KB3203382)

Security update for Skype for Business 2015 (Lync 2013)

Summary

This security update resolves vulnerabilities in Microsoft Office that could allow
remote code execution if a user opens a specially crafted Office file.
To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0283.

Note To apply this security update, you must have the release version of
Skype for Business 2015 (Lync 2013) installed on the computer.

Disable .NET Framework 4.7 from Windows Update

Dot NET

Microsoft posted a blog about .NET 4.7 with Exchange is not supported yet.  (link)

About the .NET Framework 4.7

The .NET Framework 4.7 is an in-place upgrade to versions 4, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 of the .NET Framework.
In case of Exchange we will need to block the automatic installation through Windows Update of the .NET Framework 4.7 patch.

These steps describes how to perform this blocking action.

How to disable update .NET 4.7 from Windows Update in Server 2016

  1. Back up the registry.
  2. Start Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter.
  3. Locate and click the following subkey:
     HKEY_LOCAL_MACHINE\Software\Microsoft\NET Framework Setup\NDP
  4. After you select this subkey, point to New on the Edit menu, and then click Key.
  5. Type WU, and then press Enter.
  6. Right-click WU, point to New, and then click DWORD Value.
  7. Type BlockNetFramework47, and then press Enter.
  8. Right-click BlockNetFramework47, and then click Modify.
  9. In the Value data box, type 1, and then click OK.
  10. On the File menu, click Exit to exit Registry Editor.

registry editor

Disable via Powershell

Thanks to Pat Richard for noticing the Powershell line!

New-Item -Path 'HKLM:\Software\Microsoft\NET Framework Setup\NDP\WU' -force
New-ItemProperty -Path 'HKLM:\Software\Microsoft\NET Framework Setup\NDP\WU' -Name BlockNetFramework47 -Value 1 -PropertyType 'DWord' -Force