Administrative Rights and Roles
The following table shows the administrative rights and roles required for each Active Directory preparation task.
User rights required for Active Directory preparation
Required administrative rights or roles
Member of Schema Admins group or sufficient delegated rights and permissions to modify the schema
Member of EnterpriseAdmins group for the forest root domain
Member of EnterpriseAdmins or DomainAdmins group
Custom Container Permissions
If your organization uses custom containers instead of the three built-in containers (that is, Users, Computers, and Domain Controllers), the Authenticated Users group must have read access to the custom containers. If the Authenticated Users group does not have read access to the custom container, run LcsCmd.exe with the CreateLcsOuPermissions action as illustrated below to grant read permissions for each custom container.
lcscmd /Domain:<Domain FQDN> /Action:CreateLcsOuPermissions /OU:<OU DN> /ObjectType:<User | Contact | InetOrgPerson | Computer | AppContact>
where /OU specifies the distinguished name (DN) of the OU, excluding the domain root portion of the DN.
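Before granting anything, it helps to find out which custom containers actually lack the read access described above. The following PowerShell audit is an added example, not part of the original documentation. The OU names and the Test-AuthenticatedUsersRead function are hypothetical, and it only evaluates ACEs that name Authenticated Users directly, not access gained through other groups.

```powershell
# Added example (not from the original page). The OU DNs are constructed
# placeholders; replace them with your organization's custom containers.
$customContainers = @(
    'OU=Staff,DC=contoso,DC=com',
    'OU=Workstations,DC=contoso,DC=com'
)

$authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users
$genericRead  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

function Test-AuthenticatedUsersRead {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit and inherited ACEs, with trustees returned as SIDs.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $allow = 0; $deny = 0
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $authUsersSid) { continue }
        # Skip ACEs scoped to one property/class or that only apply to children.
        if ($ace.ObjectType -ne [Guid]::Empty) { continue }
        if ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.ActiveDirectoryRights
        } else {
            $deny = $deny -bor [int]$ace.ActiveDirectoryRights
        }
    }
    # A deny ACE removes the matching bits from what the allow ACEs grant.
    $effective = $allow -band (-bnot $deny)
    New-Object PSObject -Property @{
        Container = $DistinguishedName
        HasRead   = (($effective -band $genericRead) -eq $genericRead)
    }
}

$customContainers | ForEach-Object { Test-AuthenticatedUsersRead $_ } |
    Format-Table Container, HasRead -AutoSize
```

Containers reported with HasRead False are the ones that need the CreateLcsOuPermissions action; rerun the audit afterward to confirm the grant took effect.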
Locked Down Active Directory Requirements
If permissions inheritance is disabled or authenticated user permissions must be disabled in your organization, you must perform additional steps during domain preparation. For details, see .
Deciding Where to Store Global Settings
Before you perform the forest preparation step to prepare Active Directory Domain Services (AD DS) for Office Communications Server 2007 R2, you must decide where to store global settings by evaluating several factors.