Active Directory operation failed. “Insufficient access rights to perform the operation”.

Issue

Using Skype for Business Server Control Panel, when trying to commit changes made to a Skype for Business Server User, the following error is returned:

Active Directory operation failed on “dc1.x500.co.uk”.  You cannot retry this operation: “Insufficient access rights to perform the operation”.


Cause

This happens when I try to edit the properties of the user.  It would also happen if I tried to enable or disable the user for Skype for Business, or move the user between pools.

The account I am trying to edit is a member of Domain Admins, a designated protected security group.  Because the group is protected, the AdminSDHolder process (SDProp) blocks inheritance on the account and resets its Access Control List (ACL) to the default set of Access Control Entries (ACEs), stripping any non-default ACEs that were inherited from the domain or OU.  The permissions that Skype for Business grants to RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup are among the ACEs removed, and their absence on this account is the cause of the error.

Other designated protected security groups are: Account Operators; Administrators; Backup Operators; Domain Controllers; Enterprise Admins; Krbtgt; Print Operators; Read-only Domain Controllers; Replicator; Schema Admins; and Server Operators.

Note this may also happen on accounts that have previously been members of protected security groups, since the adminCount attribute and the blocked inheritance are not reset automatically when the account is removed from the group.

Resolution

There are two options.

1. Use Skype for Business Server Management Shell (PowerShell) to perform the task.

2. Enable security inheritance as detailed below to re-apply permissions.

Open Active Directory Users and Computers and make sure Advanced Features is enabled (View > Advanced Features).

Open the relevant user account.  Go to the Security tab, click Advanced.


Click Enable inheritance.  Click Apply.


Accept the warning.


Click OK to close the object.

Perform whatever task you were trying to do promptly after making this change: by default SDProp runs every 60 minutes and will remove inheritance on the account again within the next hour.
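The same check and fix from PowerShell, as an added example that is not part of the original post: it lists accounts SDProp has stamped (adminCount = 1), reports whether inheritance is blocked and whether the RTCUniversalUserAdmins ACE is present, and re-enables inheritance on one account so the Control Panel edit can be committed before the next SDProp run. It assumes the ActiveDirectory module, the AD: drive it provides, and rights to modify the object's security descriptor; the function and property names are my own.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module; run as an account allowed to modify the user's security descriptor.
Import-Module ActiveDirectory

function Get-ProtectedUserInheritance {
    # Return one row per account that SDProp has marked (adminCount = 1),
    # showing whether inheritance is blocked and whether the Skype for
    # Business admin group still has an ACE on the object.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -LDAPFilter '(adminCount=1)' -SearchBase $SearchBase |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                DistinguishedName  = $_.DistinguishedName
                InheritanceBlocked = $acl.AreAccessRulesProtected
                HasRtcAdminAce     = [bool]($acl.Access | Where-Object {
                    $_.IdentityReference -like '*\RTCUniversalUserAdmins' })
            }
        }
}

function Enable-UserAclInheritance {
    # Equivalent of clicking "Enable inheritance" in ADUC. SDProp will block
    # it again on its next run (every 60 minutes by default), so perform the
    # Skype for Business change straight after calling this.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $path = "AD:\" + $DistinguishedName
    $acl  = Get-Acl -Path $path
    # First argument $false = inheritance on; second argument is ignored when
    # re-enabling, so the explicit ACEs SDProp stamped are left untouched.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $path -AclObject $acl
}

# Example usage: review the protected accounts, then fix one of them.
Get-ProtectedUserInheritance | Format-Table -AutoSize
# Enable-UserAclInheritance -DistinguishedName 'CN=Jane Doe,OU=Staff,DC=x500,DC=co,DC=uk'
```

Accounts that report InheritanceBlocked = True and HasRtcAdminAce = False are the ones that will fail in the Control Panel; accounts with adminCount = 1 that are no longer in any protected group are the "previously a member" case from the note above.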
