When trying to move a user to a new Lync pool within the Lync Server Control Panel, you may receive the error below:
1 Error(s) – Failed while updating destination pool.
If you select the “Force” check box, you receive a different error:
1 Error(s) – Active Directory operation failed on “domaincontroller.domain.com”. You cannot retry this operation: “Insufficient access rights to perform the operation”
This error occurs when the user is a member (or has previously been a member) of a protected Active Directory group (e.g. Domain Admins). When a user is a member of a protected AD group, AD automatically removes security inheritance for that user. To be able to move the user in Lync, you need to re-apply security inheritance on the user's account.
- Open Active Directory Users and Computers (ensure you are viewing advanced features “View – Advanced Features”)
- Open the user account properties for the user you want to move
- Open the “Security” tab
- Click the “Advanced” button
- Check “Allow inheritable permissions from the parent to propagate to this object and all child objects”
- Click “Apply”
You should now be able to move the user to a new Lync 2010 pool. The AD AdminSDHolder process will remove the inheritance from this user again, so you need to move the user straight away.
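The same check and fix can be scripted. The following is an added example, not part of the original post: it reports whether the account carries the AdminSDHolder stamp and has inheritance disabled, then re-enables inheritance. It assumes the RSAT ActiveDirectory module is installed, that you hold rights to modify the user's ACL, and that the script is saved under a hypothetical name such as Enable-UserInheritance.ps1.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
# Hypothetical usage: .\Enable-UserInheritance.ps1 -Identity jsmith -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$Identity   # sAMAccountName or distinguished name of the user to move
)

Import-Module ActiveDirectory   # also provides the AD: drive used below

$user = Get-ADUser -Identity $Identity -Properties adminCount, memberOf
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path

# adminCount = 1 marks an account that AdminSDHolder has stamped at some point.
# The attribute is not cleared when the user later leaves the protected group.
[pscustomobject]@{
    User                = $user.SamAccountName
    AdminCount          = $user.adminCount
    InheritanceDisabled = $acl.AreAccessRulesProtected
    DirectGroups        = ($user.memberOf -join '; ')
}

if (-not $acl.AreAccessRulesProtected) {
    Write-Verbose "Inheritance is already enabled on $($user.SamAccountName)."
    return
}

if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Re-enable permission inheritance')) {
    # isProtected = $false turns inheritance back on; the second argument
    # is ignored when isProtected is $false.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl

    # Read the ACL back to confirm the change: $false means inheritance is on.
    (Get-Acl -Path $path).AreAccessRulesProtected
}
```

Run it with -WhatIf first to see the account's current state without changing the ACL. The DirectGroups column lists only direct memberships, so nested membership of a protected group has to be checked separately.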
I encountered this error when moving users from an OCS 2007 R2 pool to a Lync 2010 pool.
Technical Architect at Symity
Fabulous! Thanks for this. I ran into an issue related to this the other day whilst trying to enable some domain admins for Lync. In the end I added the RTCUniversalUserAdmins group to their accounts with full rights. Might be an easier solution if there are lots of user accounts like this, then afterwards you can take the group off the accounts again.
thank you!
thanks