group S-1-1-0 BUILTIN\Administrators Alias S-1-5-32-544 BUILTIN\Users Alias S-1-5-32-545 NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 NT AUTHORITY\This Organization Well-known group S-1-5-15 LOCAL Well-known group S-1-2-0 CONTOSO\RTCUniversalUserReadOnlyGroup Group S-1-5-21-4264192570- CONTOSO\RTCUniversalGlobalWriteGroup Group S-1-5-21-4264192570- CONTOSO\RTCUniversalGlobalReadOnlyGroup S-1-5-21-4264192570- CONTOSO\RTCUniversalServerReadOnlyGroup S-1-5-21-4264192570- CONTOSO\delegatedLSSetup Group S-1-5-21-4264192570- CONTOSO\CERTSVC_DCOM_ACCESS Alias S-1-5-21-4264192570-
Delegating Server Administration
To administer Office Communications Server 2007 R2 Standard Edition or Office Communications Server 2007 R2 Enterprise Edition, a user must have an account in the DomainAdmins group or the RTCUniversalServerAdmins group. Some organizations do not want to grant membership in the DomainAdmins group to users or groups who only need to manage Office Communications Server. You can choose to add unauthorized users or groups to the RTCUniversalServerAdmins group, which is a universal group that can administer all servers in the forest. By delegating server administration, you can grant a user or group the subset of permissions required to administer a specific Office Communications Server.
When you delegate server administration, you grant the following permissions:
Read/write permissions to global settings
Read/write permissions to a computer organizational unit (OU) container
Optional Read permissions to a user OU container
You must specify an existing global or universal group to which you want to delegate permissions. You cannot use a local group.
To delegate server administration
1.Log on to a computer in the domain where you want to grant permissions. Use an account that is a member of the RTCUniversalServerAdmins and DomainAdmins groups or that has equivalent user rights.
2.Open a command prompt and then type the following command:
LcsCmd /Domain[:<domain FQDN>] /Action:CreateDelegation /