When enabling users for Skype for Business you may encounter the following error:
“Active Directory operation failed on ‘Domain Controller’. You cannot retry this operation: Insufficient access rights to perform the operation.”
I first blogged about this in 2011 for Microsoft Lync 2010 when moving users from an OCS 2007 R2 to Lync 2010 pool:
This problem can occur when:
- Enabling a user
- Moving a user between pools
- Changing any of the user's Skype for Business properties, including policies
You verify that your administrative account is a member of CsAdministrator, and it may also be a member of RTCUniversalServerAdmins and Domain Admins.
This error occurs when the user you are administering is a member (or has previously been a member) of a protected Active Directory group (e.g. Domain Admins). When a user is a member of a protected AD group, the SDProp process stamps the AdminSDHolder ACL onto the account, disables security inheritance on it and sets its adminCount attribute to 1, so the delegated permissions that Skype for Business relies on no longer apply. More about AdminSDHolder and SDProp here.
In order to manage the user you need to re-apply security inheritance on the user's account.
- Open Active Directory Users and Computers (ensure you are viewing advanced features “View – Advanced Features”)
- Open the user account properties for the user you want to move
- Open the “Security” tab
- Click the “Advanced” button
- Check “Allow inheritable permissions from the parent to propagate to this object and all child objects”
- Click “Apply”
You should now be able to enable the user for Skype for Business. SDProp will remove the inheritance from this user again (it runs once per hour by default, and it keeps doing so as long as the adminCount attribute is 1 or the user remains in a protected group), so you need to make your changes in Skype for Business fairly quickly.
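The same check and fix from PowerShell, as an added example that is not part of the original post: it reports whether the account carries the SDProp marker (adminCount = 1), and if ACL inheritance is blocked it re-enables it on the user object. It assumes the RSAT ActiveDirectory module (AD: drive), rights to modify the object's security descriptor, and a constructed sample account name `jdoe`.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed and the caller can write the user object's security descriptor.
Import-Module ActiveDirectory

$sam = 'jdoe'   # constructed sample account name; replace with the affected user

$user = Get-ADUser -Identity $sam -Properties adminCount, memberOf

# adminCount = 1 is the marker SDProp leaves on current or former protected-group members.
if ($user.adminCount -eq 1) {
    Write-Host "$sam has adminCount=1: SDProp will re-apply the AdminSDHolder ACL every hour."
    Write-Host "Current group membership:"
    $user.memberOf | ForEach-Object { Write-Host "  $_" }
}

# Inspect the object's ACL through the AD: PSDrive.
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path

if ($acl.AreAccessRulesProtected) {
    Write-Host "Inheritance is blocked on $sam; re-enabling it."
    # isProtected = $false turns inheritance back on; preserveInheritance = $true keeps
    # the explicit (AdminSDHolder-derived) ACEs rather than discarding them.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
} else {
    Write-Host "Inheritance is already enabled on $sam."
}

# Make the Skype for Business change (Enable-CsUser / Move-CsUser) within the hour,
# before the next SDProp run disables inheritance again.
```

If the account is no longer in any protected group, you may also clear adminCount (Set-ADUser -Clear adminCount) so SDProp stops reverting the ACL; leave it set while the user still holds protected-group membership.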