Lync 2013 CommonAreaPhones - Delegating Permissions

I am trying to grant limited permissions to some junior administrators in Lync 2013. I tasked them with creating some new common area phones for conference rooms. The policies for the phones have already been set up, and I thought I delegated the proper Active Directory permissions to the OU where the Lync contacts are created. They were able to create the common area phones, but they cannot run Grant-CsClientPolicy successfully. They receive the following error. I can run it with a user that is a domain admin, but honestly I am not going to grant all of our IT staff domain admin rights to manage Lync phones. I haven't been able to find documentation explaining what permissions are required in Active Directory. Any suggestions would be helpful.

[Attached image: lyncerror.png]
bullfrog264 Asked:

Will Szymkowski, Senior Solution Architect, Commented:
Lync 2013 has RBAC (kind of like Exchange 2010/2013). If you cannot find a group appropriate for the tasks you want them to perform, you can create new Role Groups just like in Exchange. Take a look at the Permission Chart below, which outlines default groups and permissions and also illustrates how to create new Role Groups and assign specific permissions to them.

https://technet.microsoft.com/en-us/library/gg425917.aspx

Will.

bullfrog264 (Author) Commented:
Thank you, Will. I placed the users into the CsAdministrator group to be sure it wasn't the problem. I am in the same RBAC group. The only difference between our accounts is that I am a domain admin and they are not.

Will Szymkowski, Senior Solution Architect, Commented:
Lync groups should not require any special AD group permission like Domain Admins, etc., to operate correctly. You should only have to add them to the appropriate CSGroup for the permissions to take effect. I would ensure that your AD replication is working properly as well.

Will.
bullfrog264 (Author) Commented:
AD replication is working properly. Like I said, he was able to create the phones; he just couldn't modify the assigned client policy.

Will Szymkowski, Senior Solution Architect, Commented:
So based on your comment I am assuming that this user is part of the CsUserAdministrator group?

CsUserAdministrator
Can enable and disable users for Lync Server, move users and assign existing policies to users. Cannot modify policies.

If this is correct the user cannot modify policies.

CsVoiceAdministrator
Can create, configure, and manage voice-related settings and policies.

CsVoiceAdministrator can modify policies. So if you add them to this group, they should be able to perform the tasks needed. As stated already, if you need something more granular you will need to create a new Role Group and assign a role permission to this group, then add your user to the new Role Group.

Examples are in the link provided.

Will.

bullfrog264 (Author) Commented:
You must have misunderstood. He was originally in the CsUserAdministrator and CsVoiceAdministrator groups. When I started having issues I moved him into the CsAdministrator group, which should have allowed him to take any action in Lync.

Will Szymkowski, Senior Solution Architect, Commented:
Ahh, ok sounds good. Not sure exactly what would be going on in your environment. Based on the permission groups the user should in fact be able to manage the above Lync features.

I would start by checking your AD permissions to see if there are any denied permissions or something of that nature which would be preventing the CsGroups from working properly.

Also, have the user log in to a workstation, then run the following command:
whoami /groups

Is the user in fact part of the group when you run the above command?

Will.
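
The two checks suggested in the reply above (group membership and denied or blocked permissions on the OU), as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module is installed; the account name and OU distinguished name are placeholders.

```powershell
# Added example: $SamAccountName and $TargetOU are placeholders, replace with your own.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl below

$SamAccountName = 'junior.admin'                           # hypothetical account
$TargetOU       = 'OU=CommonAreaPhones,DC=example,DC=com'  # hypothetical OU

function Get-EffectiveGroup {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership.
    # The primary group (usually Domain Users) is not returned by this filter, and a DN
    # containing ( ) * or \ would need LDAP filter escaping first.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
}

function Get-OuAclFinding {
    param(
        [Parameter(Mandatory)][string]$OU,
        [Parameter(Mandatory)][string[]]$Principal   # account and group SamAccountNames
    )
    $acl = Get-Acl -Path "AD:\$OU"
    [pscustomobject]@{
        OU                 = $OU
        # True means the OU does not inherit ACEs from its parent container.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        # Any explicit or inherited Deny ACE on the OU, whoever it applies to.
        DenyEntries        = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        # ACEs whose trustee is the account itself or one of its groups.
        EntriesForAccount  = @($acl.Access | Where-Object {
            ($_.IdentityReference.Value -split '\\')[-1] -in $Principal
        })
    }
}

# 1. Which Cs* role groups does the account belong to, directly or through nesting?
$groups = @(Get-EffectiveGroup -SamAccountName $SamAccountName)
$groups | Where-Object { $_.Name -like 'Cs*' } | Select-Object Name, GroupScope

# 2. What does the OU's ACL say for that account and its groups?
$finding = Get-OuAclFinding -OU $TargetOU -Principal (@($SamAccountName) + $groups.SamAccountName)
'Inheritance blocked on OU: {0}' -f $finding.InheritanceBlocked
$finding.DenyEntries |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
$finding.EntriesForAccount |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
```

This reads membership from the directory, while `whoami /groups` shows the groups in the current logon token, which only picks up new memberships after the user logs on again.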
bullfrog264 (Author) Commented:
He was missing the proper permissions in Active Directory. I had to manually grant his account access.