Issue
Using Skype for Business Server Control Panel, when trying to commit changes made to a Skype for Business Server User, the following error is returned:
Active Directory operation failed on “dc1.x500.co.uk”. You cannot retry this operation: “Insufficient access rights to perform the operation”.
Cause
This happens when trying to edit the properties of the user through the Control Panel. It also happens when enabling or disabling the user for Skype for Business, or when moving the user between pools.
The account being edited is a member of Domain Admins, one of the designated protected security groups. Active Directory protects members of these groups through the AdminSDHolder mechanism: inheritance is disabled on their account objects and the ACL is periodically reset to the AdminSDHolder template, so any non-default Access Control Entries (ACEs) that would normally be inherited from the domain or OU are stripped from the account's Access Control List (ACL). The ACEs that grant RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup access to the user object are therefore missing, and that is the cause of the error.
Other designated protected security groups are: Account Operators; Administrators; Backup Operators; Domain Controllers; Enterprise Admins; Krbtgt; Print Operators; Read-only Domain Controllers; Replicator; Schema Admins; and Server Operators.
Note this may also happen on accounts that have previously been members of protected security groups, because removing the account from the group does not reset its adminCount attribute or re-enable inheritance.
Resolution
There are two options.
1. Use Skype for Business Server Management Shell (PowerShell) to perform the task.
2. Enable security inheritance as detailed below to re-apply permissions.
Open Active Directory Users and Computers and enable Advanced Features (View > Advanced Features), otherwise the Security tab is not shown.
Open the relevant user account. Go to the Security tab, click Advanced.
Click Enable inheritance. Click Apply.
Accept the warning.
Click OK to close the object.
Perform the task you were attempting promptly after making this change: the AdminSDHolder process (SDProp) runs every 60 minutes by default and will disable inheritance on the account again within the next hour!
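The following PowerShell is an added example, not part of the original post, showing how to check whether an account is in the state described above (adminCount set, inheritance blocked, RTC ACEs missing) and how to script the same "Enable inheritance" step that the ADUC procedure performs. It assumes the RSAT ActiveDirectory module is available and that the caller has rights to read and modify the user's security descriptor; the account name 'jdoe' is a constructed placeholder, and the helper function names are this example's own.

```powershell
# Added example (not the original post's code). Assumes the RSAT ActiveDirectory
# module is installed and the caller can read/modify the user's security
# descriptor. 'jdoe' is a constructed placeholder account.
Import-Module ActiveDirectory

function Get-SdPropState {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # ACEs that Skype for Business expects the user object to inherit.
    $rtcAces = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\RTCUniversalUserAdmins' -or
        $_.IdentityReference -like '*\RTCUniversalUserReadOnlyGroup'
    }

    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        AdminCount         = $user.adminCount           # 1 = stamped by SDProp
        InheritanceBlocked = $acl.AreAccessRulesProtected
        RtcAceCount        = @($rtcAces).Count          # 0 explains the Control Panel error
    }
}

function Enable-AdInheritance {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # SetAccessRuleProtection(isProtected = $false, preserveInheritance = $true)
    # is the scripted equivalent of 'Enable inheritance' in ADUC; existing
    # explicit ACEs on the object are kept.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# Accounts SDProp has already stamped. This also surfaces former members of
# protected groups, whose adminCount is never reset automatically.
function Get-AdminCountAccounts {
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
        Select-Object SamAccountName, DistinguishedName
}

# Usage (constructed sample account):
Get-SdPropState -Identity 'jdoe'
Enable-AdInheritance -Identity 'jdoe'
Get-SdPropState -Identity 'jdoe'    # InheritanceBlocked should now be False, RtcAceCount > 0
# Make the Control Panel change now: SDProp will re-protect the object within the hour.
```

Running Get-SdPropState before and after the change confirms the fix took effect and that the RTC ACEs are back on the object. Option 1 above avoids the ACL change altogether: the Skype for Business Server Management Shell cmdlets for the same tasks are Enable-CsUser, Disable-CsUser, Set-CsUser and Move-CsUser.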