Skype for Business 2015 – Enable User “Active Directory operation failed”

When enabling users for Skype for Business you may encounter the following error:

“Active Directory operation failed on “Domain Controller”.  You cannot retry this operation: “Insufficient access rights to perform the operation”


I first blogged about this in 2011 for Microsoft Lync 2010 when moving users from an OCS 2007 R2 to Lync 2010 pool:

Lync 2010 move user – 1 Error(s) Failed while updating destination pool

This problem can occur when:

  • Enabling a user
  • Moving a user between pools
  • Changing any of the users Skype for Business properties, including policies

You verify that your administrative account is a member of CsAdministrator and you may also be a member of RTCUniversalServerAdmins and Domain Admins.

This error occurs when the user you are administering is a member (or has previously been a member) of a protected Active Directory group (e.g. Domain Admins).  When a user is a member of a protected AD group, AD automatically removes security inheritance for that user.   More about AdminSDHolder and SDProp here.

In order to manage the user you need to re-apply security inheritance on the users account.

  1. Open Active Directory Users and Computers (ensure you are viewing advanced features “View – Advanced Features”)
  2. Open the user account properties for the user you want to move
  3. Open the “Security” tab
  4. Click the “Advanced” button
  5. Check “Allow inheritable permissions from the parent to propagate to this object and all child objects”
  6. Click “Apply”

You should now be able enable the user for Skype for Business.  The AD AdminSDHolder will remove the inheritance from this user again (runs once per hour) so you need to make your changes in Skype for Business fairly quickly.

3 Replies to “Skype for Business 2015 – Enable User “Active Directory operation failed””

  1. Pingback: Weekly IT Newsletter – December 14-18, 2015 | Just a Lync Guy

  2. Pingback: NeWay Technologies – Weekly Newsletter #178 – December 18, 2015 | NeWay

  3. Pingback: NeWay Technologies – Weekly Newsletter #178 – December 17, 2015 | NeWay

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.