Search, and Public Information. When permissions inheritance is disabled, security groups do not inherit these ACEs and cannot manage servers or users.
To discover servers and pools, Office Communications Server servers rely on ACEs set by activation on computer-related objects, including the Microsoft Container and Server object. When permissions inheritance is disabled, security groups, servers, and pools do not inherit these ACEs and cannot take advantage of these ACEs.
To address these issues, Office Communications Server provides an additional Active Directory preparation procedure called CreateLcsOuPermissions, available with the LcsCmd.exe command-line tool. This procedure sets required Office Communications Server ACEs directly on a specified container and the objects within the container.
Set Permissions for User, InetOrgPerson, and Contact Objects after Running Domain Preparation
In a locked-down Active Directory environment where permissions inheritance is disabled, domain preparation does not set the necessary ACEs on the containers holding Users or InetOrgPerson objects within the domain. In this situation, you must run LcsCmd.exe with the CreateLcsOuPermissions action on each container that has User or InetOrgPerson objects for which permissions inheritance is disabled. If you have a central forest topology, you must also perform this procedure on the container that holds Contact objects. (For details about central forest topologies, see Supported Active Directory Topologies in the Office Communications Server 2007 R2 Supported Topologies and Infrastructure Requirements documentation.) The /objecttype parameter specifies the object type.
This procedure adds the required ACEs directly on the specified containers and the User or InetOrgPerson objects within the container.
User rights equivalent to DomainAdmins group membership are required to perform this procedure. If the authenticated user ACEs have also been removed in the locked-down environment, you must grant this account read-access ACEs on the relevant containers in the forest root domain as described in or use an account that is a member of the EnterpriseAdmins group.
To set required ACEs for User, InetOrgPerson, and Contact objects
1. Log on to a computer joined to the domain with an account that is a member of the DomainAdmins group or that has equivalent user rights.
2. Open a command prompt and then run:
LcsCmd.exe /domain[:<FQDN of domain where the OUs are located>] /action:CreateLcsOuPermissions /ou:<DN name for the OU container relative to the domain root container DN> /objectType:<type of object to create Office Communications Server ACEs for – user, InetOrgPerson, contact, AppContact>
LcsCmd.exe /domain /action:CreateLcsOuPermissions /
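The following PowerShell script is an added example, not part of the Office Communications Server documentation. It finds the OUs in the domain whose permissions inheritance is disabled and that actually hold User or InetOrgPerson objects, then runs the CreateLcsOuPermissions action described above against each of them. It assumes the ActiveDirectory PowerShell module is installed on the machine you run it from and that LcsCmd.exe is on the PATH; the object-type list and the domain values are taken from the directory at run time.

```powershell
# Added example (not from the Office Communications Server documentation).
# Assumes: ActiveDirectory module available (provides the AD: drive), LcsCmd.exe on PATH,
# and an account with DomainAdmins-equivalent rights, as the procedure requires.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$domainDn    = $domain.DistinguishedName      # e.g. DC=contoso,DC=com
$domainFqdn  = $domain.DNSRoot                # e.g. contoso.com
$objectTypes = @('user', 'InetOrgPerson')     # add 'contact' in a central forest topology

# Candidates are OUs whose ACL has inheritance blocked (the locked-down case on this page).
$lockedDown = Get-ADOrganizationalUnit -Filter * | Where-Object {
    (Get-Acl -Path ("AD:\" + $_.DistinguishedName)).AreAccessRulesProtected
}

foreach ($ou in $lockedDown) {
    # Only containers that hold user-type objects need the ACEs; objectCategory=person
    # with objectClass=user matches User and InetOrgPerson but not computer accounts.
    $hasUsers = Get-ADObject -SearchBase $ou.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(&(objectCategory=person)(objectClass=user))' -ResultSetSize 1
    if (-not $hasUsers) { continue }

    # /ou expects the DN relative to the domain root, so strip the domain suffix.
    $relativeDn = $ou.DistinguishedName -replace ",$([regex]::Escape($domainDn))$", ''

    foreach ($type in $objectTypes) {
        Write-Host "Setting $type ACEs on $relativeDn"
        & LcsCmd.exe "/domain:$domainFqdn" /action:CreateLcsOuPermissions `
            "/ou:$relativeDn" "/objectType:$type"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "LcsCmd.exe returned $LASTEXITCODE for $relativeDn ($type)"
        }
    }
}
```

Review the list of OUs the script selects before relying on it; an OU with inheritance disabled but no user objects of its own is skipped, so if Contact objects live in a separate container, run the script with 'contact' in $objectTypes or invoke LcsCmd.exe for that container directly.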