If you do not want to use an account that is a member of the EnterpriseAdmins group to run domain preparation or other Setup tasks, explicitly grant the account you want to use read-access on the relevant containers in the forest root.
To give user read-access permissions on containers in the forest root domain
1.Log on to the computer joined to the forest root domain with an account that is a member of the DomainAdmins group for the forest root domain.
2.Run adsiedit.msc for the forest root domain.
If authenticated user ACEs were removed from the Domain, Configuration or System container, you must grant read-only permissions to the container, as described in the following steps.
3.Right-click the container, and then click Properties.
4.Click the Security tab.
6.On the Permissions tab, click Add.
7.Type the name of the user or group receiving permissions using the following format: domain\account name.
9.On the Objects tab, in Applies To, click This Object Only.
10.In Permissions, select the following Allow ACEs by clicking the Allow column: List Content, Read All Properties, and Read Permissions.
11.Click OK twice.
12.Repeat these steps for any of the relevant containers listed in Step 2.
Permissions Inheritance Is Disabled on Computers, Users, or InetOrgPerson Containers
In a locked-down Active Directory Domain Service (AD DS), Users and Computer objects are often placed in specific organizational units (OUs) with permissions inheritance disabled to help secure administrative delegation and to enable use of Group Policy objects (GPOs) to enforce security policies.
Domain preparation and server activation set the access control entries (ACEs) required by Office Communications Server 2007 R2. When permissions inheritance is disabled, the Office Communications Server security groups cannot inherit these ACEs. When these permissions are not inherited, Office Communications Server security groups cannot access settings, and the following two issues arise:
To administer Users, InetOrgPersons, and Contacts, and to operate servers, the Office Communications Server security groups require ACEs set by the domain preparation procedure on each user’s property sets, Real-time Communications (RTC), RTC User