About Me

This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.

2011/08/02

AdminSDHolder with Exchange and Lync

The AdminSDHolder function protects certain user accounts in AD.  However, that same protection also presents challenges when connecting users to mobile devices, migrating accounts from one version of an application system to a new one, or moving accounts to new locations (like upgrading from OCS R2 to Lync).
If you get "access denied" or "Insufficient rights" errors, then you may have bumped up against some built-in protections that are provided by the AdminSDHolder AD DS function set.  Simply put, every 20 minutes or so, this process goes through and resets rights and permissions on certain accounts in AD.  This will screw up Exchange and Lync migrations because users in specific groups stop inheriting permissions from above (they are protected!).  Going in and ticking one check box fixes the situation, but you need to know where and why.
After reading the excellent blog article on this by AD DS MVP John Policelli, try this.
Uh oh, that blog article can't be found anymore!  Try this location instead:
https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

First, make sure your ADUC is set to show advanced features:
Then, take a look at the account that is giving you the error:
Locate the user object, select Properties | Security | Advanced, and then tick the check box indicated by balloon #3 in the screenshot (the one that lets inheritable permissions from the parent apply to this object again).
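The same check, and the same one-check-box fix, can be done from PowerShell instead of clicking through ADUC, which helps when the problem turns up on a dozen accounts mid-migration. The script below is an added example and is not from the original post: it lists Lync- or Exchange-enabled users that SDProp has marked (adminCount=1) and whose ACL no longer inherits from the parent, and `Enable-UcUserInheritance` re-enables inheritance the way the ADUC check box does. It assumes the ActiveDirectory RSAT module (for the `AD:` drive) and rights to read and write those users' ACLs; the function names are mine.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module and
# permission to read/write the security descriptors of the affected user objects.
Import-Module ActiveDirectory

function Get-ProtectedUcUser {
    # adminCount=1 is the mark SDProp leaves on every account it has protected.
    # Only users with a Lync SIP address or an Exchange mailbox are interesting here.
    $filter = '(&(adminCount=1)(|(msRTCSIP-PrimaryUserAddress=*)(msExchMailboxGuid=*)))'
    Get-ADUser -LDAPFilter $filter -Properties adminCount, msRTCSIP-PrimaryUserAddress, mail, memberOf |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            SipAddress         = $_.'msRTCSIP-PrimaryUserAddress'
            Mail               = $_.mail
            # True = the "include inheritable permissions" box is unticked, which is
            # exactly the state that produces the "access denied" errors in the post.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            # Direct group memberships only; nested membership is not resolved here.
            DirectGroups       = ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        }
    }
}

function Enable-UcUserInheritance {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [switch] $Apply   # without -Apply the function only reports what it would change
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $path = "AD:\" + $user.DistinguishedName
    $acl  = Get-Acl -Path $path

    if (-not $acl.AreAccessRulesProtected) {
        Write-Host "$SamAccountName already inherits permissions from its parent."
        return
    }
    if (-not $Apply) {
        Write-Host "Would re-enable inheritance on $SamAccountName (re-run with -Apply)."
        return
    }

    # Equivalent of ticking the ADUC check box: $false = stop protecting the DACL from
    # inheritance, $true = keep the explicit ACEs that are already on the object.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl

    # Clear the adminCount flag as well so the account is no longer reported as protected.
    Set-ADUser -Identity $user -Clear adminCount
    Write-Host "Inheritance re-enabled on $SamAccountName."
}

# Report first, then fix one account at a time once you know why it is protected.
Get-ProtectedUcUser | Format-Table -AutoSize
# Enable-UcUserInheritance -SamAccountName 'jdoe' -Apply
```

The reporting function is deliberately separate from the fix: as the post says, SDProp comes back around on its schedule, so if the account is still a member of a protected group the check box (and the adminCount flag) will simply be reset again on the next pass. The change only sticks once the account has been removed from those groups, which is why looking at `DirectGroups` before running `-Apply` is worth the extra step.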
I think that I have seen this issue at least once (literally) in every Lync, OCS, and Exchange project I have worked on in the last 10 years.  The best practice, of course, would never have one of those protected group members with an email account or Lync/OCS account, but we know that is not always practical or enforced.
YMMV.


test 02 Feb

this is a test it’s only a test this should be a picture