About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2016) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2011/08/02

AdminSDHolder with Exchange and Lync

AdminSDHolder protects certain accounts inside AD. However, that same protection also presents challenges when connecting users to mobile devices, migrating accounts from one version of an application to the next, or moving accounts to new locations (like upgrading from OCS R2 to Lync).
If you get "access denied" or "Insufficient rights" errors, then you may have bumped up against the built-in protection provided by the AdminSDHolder mechanism in AD DS. Simply put: once an hour by default (the SDProp process on the PDC emulator; the interval is the AdminSDProtectFrequency registry value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), this process stamps the ACL of the AdminSDHolder object (in the domain's System container) onto every member of a protected group (Domain Admins, Enterprise Admins, Schema Admins, Administrators, Account Operators, Server Operators, Backup Operators, Print Operators, and a few others), sets adminCount to 1, and turns off inheritance on the object. This will screw up Exchange and Lync migrations because users in those groups stop inheriting permissions from their OU (they are protected!), so the rights the Exchange and RTC service groups were granted at the OU or domain level never reach them. Going in and ticking one check box fixes the situation, but you need to know where and why, and you need to know two things about the fix: it is temporary for as long as the account is still a member of a protected group (directly or through nesting), because SDProp resets it on the next pass; and removing the account from the group does not clear adminCount, which stays at 1 until someone resets it by hand.
After reading this excellent blog article by AD DS MVP John Policelli, try this.
Uh oh. That blog article can no longer be found! Try this location instead:
https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

First, make sure your ADUC is set to show advanced features (View | Advanced Features); without it the Security tab and the Attribute Editor tab are hidden.
Then take a look at the account that is giving you the error: locate the user object, select Properties | Security | Advanced, and tick the inheritance check box (balloon #3 in the original screenshot). On Windows Server 2008/2008 R2 it is labeled "Include inheritable permissions from this object's parent"; on Server 2003 it is "Allow inheritable permissions from the parent to propagate to this object". If that box is unticked and the account's adminCount attribute (Properties | Attribute Editor) is 1, AdminSDHolder is what bit you. Ticking the box gets the migration moving again, but SDProp will untick it on its next pass unless the account has been removed from every protected group (nested membership included) and adminCount has been cleared.
I think that I have seen this issue at least once (literally) in every Lync, OCS, and Exchange project I have worked on in the last 10 years. The best practice, of course, would be to never have one of those protected group members with an email account or Lync/OCS account, but we know that is not always practical or enforced.
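Before going through ADUC one user at a time, it helps to find every account in the domain that SDProp has touched and sort out which ones are still protected (the check box will not stick) from the orphans (removed from the group but still carrying adminCount=1). The script below is an added example for this post, not the author's own; it assumes the RSAT ActiveDirectory module, WinRM access to the PDC emulator for the registry read, and an account with rights to read and (with $Remediate set) modify the user objects. The protected-group list is the Windows Server 2008+ default; it does not account for the dsHeuristics tweak that exempts the four Operators groups.

```powershell
# Added example for this post; not the author's script. Assumes the RSAT
# ActiveDirectory module, WinRM to the PDC emulator, and an account that can
# read adminCount / nTSecurityDescriptor and (if $Remediate) write to the users.
Import-Module ActiveDirectory

$Remediate = $false   # flip to $true to clear adminCount and re-enable inheritance on orphans

# Groups whose members SDProp stamps with the AdminSDHolder ACL by default.
# (dsHeuristics can exempt the four *Operators groups; this list ignores that.)
$protectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

# 1. How often SDProp runs. Value is in seconds on the PDC emulator; absent means 3600.
$pdc  = (Get-ADDomain).PDCEmulator
$freq = Invoke-Command -ComputerName $pdc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue).AdminSDProtectFrequency
}
if (-not $freq) { $freq = 3600 }
"SDProp runs every $freq seconds on $pdc; a ticked inheritance box on a protected account lasts at most that long."

# 2. Everyone currently protected: transitive members of the groups above,
#    plus Administrator and krbtgt, which SDProp protects as individual users.
$protectedBy = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedBy[$_.SID.Value] = $name }
}
foreach ($name in 'Administrator', 'krbtgt') {
    $acct = Get-ADUser -Identity $name -ErrorAction SilentlyContinue
    if ($acct) { $protectedBy[$acct.SID.Value] = "user $name" }
}

# 3. Every user still carrying adminCount=1, and whether Exchange/Lync care about it.
#    Rows with StillProtected = False are orphans: SDProp never clears adminCount,
#    so the "access denied" keeps coming back until the object is reset by hand.
$flagged = Get-ADUser -LDAPFilter '(adminCount=1)' `
    -Properties adminCount, mail, 'msRTCSIP-PrimaryUserAddress', nTSecurityDescriptor
$report = foreach ($u in $flagged) {
    [pscustomobject]@{
        User           = $u.SamAccountName
        StillProtected = $protectedBy.ContainsKey($u.SID.Value)
        ProtectedVia   = $protectedBy[$u.SID.Value]
        HasMailbox     = [bool]$u.mail
        HasLyncOrOcs   = [bool]$u.'msRTCSIP-PrimaryUserAddress'
        InheritanceOff = $u.nTSecurityDescriptor.AreAccessRulesProtected
    }
}
$report | Sort-Object StillProtected | Format-Table -AutoSize

# 4. Durable fix, orphans only. For a user that is still a protected-group member,
#    remove the membership first (or give them a separate admin account); otherwise
#    anything you tick here is undone on SDProp's next pass.
if ($Remediate) {
    foreach ($row in $report | Where-Object { -not $_.StillProtected }) {
        $u    = Get-ADUser -Identity $row.User
        $path = "AD:\$($u.DistinguishedName)"
        Set-ADUser -Identity $u -Clear adminCount
        $acl = Get-Acl -Path $path
        # SetAccessRuleProtection(isProtected=$false, preserveInheritance=$true) is the
        # same thing as ticking the "Include inheritable permissions" box in ADUC.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        "Reset $($row.User): adminCount cleared, inheritance re-enabled."
    }
}
```

Run it read-only first and look at the StillProtected column: a mailbox- or Lync-enabled user that is True needs a decision (drop the privileged membership or give that person a separate admin account), because re-enabling inheritance on them buys you at most one SDProp interval. Only the False rows are safe to remediate in place.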
YMMV.

