OCS 2007 Delegation of User Administration

By default, in order to administer users for OCS (i.e. to enable, configure and delete them) you need to be a member of the RTCUniversalServerAdmins group. You will also require the OCS MMC snap-in, which extends the Active Directory Users and Computers snap-in with OCS options.

This is fine if you expect your OCS administrators to do the user administration; however, in many companies this is not the case. Therefore OCS provides a way to delegate administration of users to a group, for example your helpdesk.

The simplest way of doing this is to make the relevant user administrators members of the RTCUniversalUserAdmins group. However, this grants rights over the entire forest. So what if you want to be a little more specific?

Well, I found the detail of how to do this in the OCS AD Guide which you can get from the link below:

http://www.microsoft.com/downloads/details.aspx?familyid=384793A6-D315-4217-B034-6D189EF6DF13&displaylang=en

However, I found that a few areas were not 100% clear, so I will reiterate the process below:

When you perform the delegation, you are granting the following permissions:

- Read permissions to global settings.
- Read permissions to a computer OU.
- Read/write permissions to a user OU.
- Membership in the RTC Local User Administrators group on all servers within a specified pool.
- ReadOnlyRole on the pool or server RTC and RTCConfig databases.

So to actually delegate the permissions, log onto a server which has the SQL workstation tools (to enable connection to the database) and also the OCS LcsCmd command, which is installed with the OCS Admin console. The user account must have domain admin rights, or at least the ability to make the above permissions changes.

Next use the following command:

LcsCmd.exe /Domain[:] /Action:CreateDelegation /Delegation:UserAdmin /TrusteeGroup:
/TrusteeDomain:
/ServiceAccount:
/ComponentServiceAccount:
/ComputerOU:
/UserOU:
/UserType:{User | Contact | InetOrgPerson}
/PoolName:

The section below gives a little more information about the command elements:

TrusteeGroup is the group to which you are granting permissions (for example, your helpdesk).

TrusteeDomain is the domain in which you are granting permissions.

ServiceAccount is the RTC service account name.

ComponentServiceAccount is the RTC component service account name.

ComputerOU specifies the DN of the organizational unit containing the computer running the Office Communications Server Front End Server that hosts the users the trustee group will administer.

UserOU specifies the DN of the organizational unit containing the users that the trustee group will administer.

UserType specifies the type of user object that the trustee group will have permissions to administer. Valid values are User, Contact, or InetOrgPerson.

PoolName specifies the name of the Standard Edition server or Enterprise pool in which the trustee group can administer users. It also adds the trustee group to the Local Administrators group of each computer in the pool and to the ReadOnlyRole of the SQL Server back-end databases.

- Note: The PoolName should be only the first section (i.e. Pool1) rather than the FQDN.
- Note: The UserType is required and can only be set to a single value, so to enable multiple types the command must be run multiple times.
- Note: The settings are inherited by OUs lower than the OU specified in the UserOU parameter.

Below is the command I used in my lab to delegate permissions to the admins group over the users in the testusers OU on the pool cepool.

lcscmd /domain:child.gaots.co.uk /action:createdelegation /delegation:useradmin /trusteegroup:admins /trusteedomain:child.gaots.co.uk /serviceaccount:rtcservice /componentserviceaccount:rtccomponentservice /computerou:CN=Computers,DC=Child,dc=gaots,DC=co,DC=uk /userou:OU=testusers,DC=child,DC=gaots,DC=co,DC=uk /usertype:user /poolname:cepool

One final point is how to remove the above delegation.

Here the existing documentation is incorrect. It states that you need to use the /delegation switch; however, you don't! See the command below:

lcscmd /domain:child.gaots.co.uk /action:removedelegation /trusteegroup:admins /trusteedomain:child.gaots.co.uk /serviceaccount:rtcservice /componentserviceaccount:rtccomponentservice /computerou:CN=Computers,DC=Child,dc=gaots,DC=co,DC=uk /userou:OU=testusers,DC=child,DC=gaots,DC=co,DC=uk /usertype:inetorgperson /poolname:cepool
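Because /UserType only accepts a single value, granting the helpdesk rights over users, contacts and InetOrgPerson objects means running LcsCmd three times, and removing the delegation means three more runs. The PowerShell wrapper below is an added example, not part of the original post or of the OCS tooling: it builds the same switches shown in the two commands above, loops over the object types, omits /Delegation for RemoveDelegation as the post describes, and stops with a non-zero exit code if any run fails. It assumes LcsCmd.exe is on the PATH of the machine you are logged onto and that the caller already holds the rights listed earlier; the default parameter values are the lab values from the post and should be replaced with your own.

```powershell
# Added example (not from the original post): run the OCS user-admin delegation
# (or its removal) once per object type, since /UserType takes a single value.
# Assumptions: LcsCmd.exe is on the PATH; the defaults below are the post's lab
# values and are placeholders for your own domain, OUs, accounts and pool name.
param(
    [string]$Domain                  = "child.gaots.co.uk",
    [string]$TrusteeGroup            = "admins",
    [string]$TrusteeDomain           = "child.gaots.co.uk",
    [string]$ServiceAccount          = "rtcservice",
    [string]$ComponentServiceAccount = "rtccomponentservice",
    [string]$ComputerOU              = "CN=Computers,DC=child,DC=gaots,DC=co,DC=uk",
    [string]$UserOU                  = "OU=testusers,DC=child,DC=gaots,DC=co,DC=uk",
    [string]$PoolName                = "cepool",   # short pool name, not the FQDN
    [string[]]$UserTypes             = @("User", "Contact", "InetOrgPerson"),
    [switch]$Remove,                                # tear the delegation down instead of creating it
    [switch]$DryRun                                 # print the command lines without running them
)

# Switches shared by CreateDelegation and RemoveDelegation.
$common = @(
    "/Domain:$Domain",
    "/TrusteeGroup:$TrusteeGroup",
    "/TrusteeDomain:$TrusteeDomain",
    "/ServiceAccount:$ServiceAccount",
    "/ComponentServiceAccount:$ComponentServiceAccount",
    "/ComputerOU:$ComputerOU",
    "/UserOU:$UserOU",
    "/PoolName:$PoolName"
)

$failures = 0
foreach ($type in $UserTypes) {
    if ($Remove) {
        # RemoveDelegation does not take the /Delegation switch.
        $lcsArgs = @("/Action:RemoveDelegation") + $common + @("/UserType:$type")
    } else {
        $lcsArgs = @("/Action:CreateDelegation", "/Delegation:UserAdmin") + $common + @("/UserType:$type")
    }

    Write-Host ("LcsCmd.exe " + ($lcsArgs -join " "))
    if ($DryRun) { continue }

    & LcsCmd.exe @lcsArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "LcsCmd.exe returned exit code $LASTEXITCODE for /UserType:$type"
        $failures++
    }
}

# Fail loudly if any object type was not delegated, so a partial delegation is not missed.
if ($failures -gt 0) { exit 1 }
```

Run it first with -DryRun to review the exact command lines before they touch Active Directory, then without it to create the delegation; -Remove reverses it for the same set of object types. Keeping the OU and pool scoped as narrowly as the helpdesk actually needs is the point of this approach over simply adding them to RTCUniversalUserAdmins.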