Thursday, August 23, 2012

Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS)

Problem:

The Enable-CsUser and Disable-CsUser cmdlets throw "Insufficient access rights to perform the operation" when run through remote PowerShell or the Lync Control Panel.


System.Management.Automation.RemoteException: Active Directory operation failed on "abc.domain.com". You cannot retry this operation: "Insufficient access rights to perform the operation
00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.
Any idea why it's throwing an exception?
Help is greatly appreciated.


Cause:


The Lync ACLs are missing on the organizational unit (OU) container. For example, the organizational container is ou=people,dc=test,dc=edu.


Solution:


1. Run the Grant-CsOuPermission cmdlet in PowerShell


Log in as a domain admin on the server where Lync is installed and open the Lync Management Shell window.

Run the following command. It sets up the Lync object permissions on the organizational container.

Grant-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <DN name for the OU container relative to the domain root container DN> [-Domain <Domain FQDN>]

For example:

Grant-CsOuPermission -ObjectType InetOrgPerson -OU "ou=people,dc=test,dc=edu" -Domain test.edu

2. Assign Lync roles to the administrator who enables or disables Lync users


The following roles are required to run the Enable-CsUser or Disable-CsUser cmdlet through remote PowerShell or the Lync Control Panel:
 
CSUserAdministrator
RTCUserUniversalAdministrator
DomainAdministrator
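
The two steps above can be checked before and after the change. The following is an added example, not part of the original post: it tests the OU for the Lync ACEs, grants them only where they are missing, and then checks the two other causes the error text points at (role membership and a protected target account). The account names lyncadmin and jdoe are hypothetical, and the script assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example. Run in the Lync Server Management Shell as a Domain Admin.
Import-Module ActiveDirectory

$ou     = "ou=people,dc=test,dc=edu"   # OU from the post's example
$domain = "test.edu"
$admin  = "lyncadmin"                  # hypothetical delegated Lync admin
$target = "jdoe"                       # hypothetical user that fails to enable

# 1. Lync ACEs on the OU: test each object type, grant only when missing.
foreach ($type in "User", "InetOrgPerson") {
    if (Test-CsOuPermission -ObjectType $type -OU $ou -Domain $domain) {
        Write-Host "[ok]   $type permissions present on $ou"
    }
    else {
        Write-Host "[fix]  $type permissions missing on $ou, granting"
        Grant-CsOuPermission -ObjectType $type -OU $ou -Domain $domain
        # Re-test so a failed grant is visible instead of assumed.
        if (-not (Test-CsOuPermission -ObjectType $type -OU $ou -Domain $domain)) {
            Write-Warning "$type permissions still missing on $ou"
        }
    }
}

# 2. Role membership of the administrator (direct memberships only;
#    membership through nested groups is not listed by this cmdlet).
$groups = Get-ADPrincipalGroupMembership -Identity $admin |
          Select-Object -ExpandProperty Name
if ($groups -contains "CSUserAdministrator") {
    Write-Host "[ok]   $admin is a member of CSUserAdministrator"
}
else {
    Write-Warning "$admin is not a direct member of CSUserAdministrator"
}

# 3. Protected target account: adminCount = 1 means AdminSDHolder manages
#    the ACL on this object, so permissions granted on the OU do not
#    apply to it and the same error will persist.
$user = Get-ADUser -Identity $target -Properties adminCount
if ($user.adminCount -eq 1) {
    Write-Warning "$target is (or was) in a protected group; use the Lync Server Management Shell as a Domain Admin, as the error text says"
}
else {
    Write-Host "[ok]   $target is not flagged as a protected account"
}
```

Granting only the object types actually used in the OU keeps the delegated permissions as narrow as the deployment needs.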
 
