Granting organizational unit permissions in Lync Server 2013
Topic Last Modified: 2012-05-14
You can use the Grant-CsOuPermission cmdlet to grant permissions to objects in specified organizational units (OUs) so that members of the RTC universal groups created by forest preparation can access them without being members of the Domain Admins group. The permissions added to the specified OU are the same permissions that the Enable-CsAdDomain cmdlet adds to the computers and users containers during domain preparation.
Use the Test-CsOuPermission cmdlet to verify the permissions you set up by using the Grant-CsOuPermission cmdlet.
You can use the Revoke-CsOuPermission cmdlet to remove permissions that you granted by using the Grant-CsOuPermission cmdlet.
To grant OU permissions
Log on to a computer running Lync Server 2013 in the domain where you want to grant OU permissions. Use an account that is a member of the Domain Admins group or the Enterprise Admins group if the OU is in a different child domain.
Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell.
Run:
Grant-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <DN of the OU> [-Domain <Domain FQDN>]
If you do not specify the Domain parameter, the default value is the local domain.
To verify OU permissions
Log on to a computer running Lync Server 2013 in the domain where you want to verify OU permissions that you granted by using the Grant-CsOuPermission cmdlet. Use an account that is a member of the Domain Admins group or the Enterprise Admins group if the OU is in a different child domain.
Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell.
Run:
Test-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <DN of the OU> [-Domain <Domain FQDN>]
If you do not specify the Domain parameter, the default value is the local domain.
To revoke OU permissions
Log on to a computer running Lync Server 2013 in the domain where you want to revoke OU permissions that were granted by the Grant-CsOuPermission cmdlet. Use an account that is a member of the Domain Admins group or the Enterprise Admins group if the OU is in a different child domain.
Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell.
Run:
Revoke-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <DN of the OU> [-Domain <Domain FQDN>]
If you do not specify the Domain parameter, the default value is the local domain.