Server back-end databases.
Delegating Read-Only Server Administration
To administer Office Communications Servers in a read-only capacity, a user must have an account in the DomainAdmins group or the RTCUniversalReadOnlyAdmins group. Some organizations do not want to grant membership in the DomainAdmins group to users or groups who only need to view the properties of Office Communications Server. You can choose to add unauthorized users or groups to the RTCUniversalReadOnlyAdmins group or RTCUniversalServerReadOnlyGroup, which are universal groups that have read-only administration permissions for all servers in the forest. By delegating read-only server administration, you can grant a user or group the subset of permissions required to perform read-only administration for a specific Office Communications Server.
Membership in a read-only server administration group can be useful for troubleshooting server issues on a specific server.
When you delegate read-only server administration, you grant the following permissions:
Read permission to global settings.
Read permission to a specified computer organizational unit (OU).
Membership in the RTC Local Read-Only Administrators group on all servers within a specified pool or on the local Standard Edition server.
ReadOnlyRole on the pool or server Real-time Communications (RTC) and RTCConfig databases.
To delegate read-only server administration
1.Log on to a computer in the domain where you want to grant permissions. Use an account that has RTCUniversalServerAdmins and DomainAdmins or equivalent user rights.
2.Use the following command:
LcsCmd /Domain[:<domain FQDN>] /Action:CreateDelegation /Delegation:ReadOnlyAdmin /TrusteeGroup:<name of the universal group that you will delegate to> /TrusteeDomain:<FQDN of the domain where the trustee group resides> /ServiceAccount:<RTC service account name> /ComponentServiceAccount:<RTC component service account name> /ComputerOU:<DN of the OU or container where the computer objects that run Office Communications Server reside> /PoolName:<Name of a Standard Edition server or an Enterprise pool> [/ExtraServers:<FQDN of server1, FQDN of server2>]