S-1-5-21-4264192570- CONTOSO\RTCSetupDelegate S-1-5-21-4264192570- CONTOSO\CERTSVC_DCOM_ACCESS Alias S-1-5-21-4264192570-
To use LcsCmd.exe to grant permissions
1.Log on to a computer running Office Communications Server in the domain where you want to grant permissions. Use an account that is a member of the Domain Admins group or that has equivalent credentials.
2.Open a command prompt and then type the following command:
LCSCmd.exe /Domain[:<domain FQDN>] /Action:CreateDelegation /Delegation:SetupAdmin /TrusteeGroup:<name of the universal group that you will delegate to> /TrusteeDomain:<FQDN of the domain where the trustee group resides> /ServiceAccount:<RTC service account name> /ComponentServiceAccount:<RTC component service account name> /ComputerOU:<DN of the OU or container where the computer objects that will run Office Communications Server reside>
TrusteeGroup is the group to which you are granting permissions.
TrusteeDomain is the domain in which the trustee group resides.
ServiceAccount is the Real-time Communications (RTC) service account name
ComponentServiceAccount is the RTC component service account name.
ComputerOU specifies the DN of the OU containing the computers on which the trustee group can run Office Communications Server setup tasks.
3.Add the new trustee group to the Local Administrators group of each computer where you want to install Office Communications Server and the computer running the SQL Server back-end database server for any Enterprise pools.
4.If, in your organization, Authenticated Users security group permissions have been removed from Active Directory Domain Services (AD DS), you must either add the new trustee group for setup tasks to RTCUniversalServerAdmins or manually grant Read permissions to the trustee group for the following containers in the forest root:
Forest root domain
Forest root domain System container
Root of the domain where permissions is delegated
Parent containers of computer objects and service account objects
Open a command prompt and then type whoami.exe /all to verify the user has appropriate permissions. The output should be similar to the following: