Lync Error Insufficient access rights to perform the operation


I recently installed Lync 2013 on my lab setup. When I launched the Lync Server Control Panel to enable a Lync account for a user, I saw the error “Active Directory operation failed on “fe.prajwal.local”. You cannot retry this operation: “Insufficient access rights to perform the operation”.

This error appears when you use the Lync Server Control Panel to enable or move an Active Directory domain user for use with Lync Server. Although you may have full Enterprise access, you will still fail to add new users. Let’s see why this error comes up and how to fix it.


The error described above is caused by a combination of the following two reasons:


1) The user account that is the target of the Lync Server move or enable operation is a member of an AD DS (Windows Server) protected domain security group. As a result, the account cannot retain the RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server universal security groups and their permissions as access control entries (ACEs).

2) The Lync Server Control Panel is not designed to delegate the permissions of the RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server universal security groups that are needed to complete the user account move or enable operation.

To enable an account that has admin rights for Lync, you need to log in with a Lync admin account that also has domain admin rights and enable the user from the Lync Server Management Shell. Using the Lync Server Control Panel will not work.
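To confirm that a failing account matches the first cause, the check below reads the account's adminCount flag and ACL state from Active Directory. It is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, and the function name Test-LyncProtectedAccount is hypothetical.

```powershell
# Added diagnostic example (not from the original post).
# Assumes the RSAT ActiveDirectory module and read access to the user object.
Import-Module ActiveDirectory

function Test-LyncProtectedAccount {
    param(
        # sAMAccountName, DN, GUID or SID of the account that fails in the Control Panel
        [Parameter(Mandatory = $true)] [string] $Identity
    )

    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
    $sd   = $user.nTSecurityDescriptor

    # The two Lync universal groups the post says must hold ACEs on the user object.
    $rtcGroups = 'RTCUniversalUserAdmins', 'RTCUniversalUserReadOnlyGroup'

    # Explicit and inherited ACEs, with trustees translated to DOMAIN\name form.
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $rtcTrustees = @($rules |
        ForEach-Object { ($_.IdentityReference.Value -split '\\')[-1] } |
        Where-Object { $rtcGroups -contains $_ } |
        Sort-Object -Unique)

    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        # adminCount = 1 is stamped by AD on members of protected groups
        # (it is not cleared automatically when membership is later removed).
        AdminCount          = $user.adminCount
        # True means the ACL no longer inherits from parent containers,
        # so inherited ACEs for the RTC groups do not reach this object.
        InheritanceDisabled = $sd.AreAccessRulesProtected
        RtcTrusteesOnObject = $rtcTrustees -join ', '
        MissingRtcTrustees  = ($rtcGroups | Where-Object { $rtcTrustees -notcontains $_ }) -join ', '
    }
}

# Constructed usage; replace the placeholder with a real account name.
# Test-LyncProtectedAccount -Identity '<sAMAccountName>'
```

An account that reports AdminCount 1, InheritanceDisabled True and both RTC groups missing is the case the Control Panel cannot handle.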


Open the Lync Server Management Shell and run the following command.

Enable-CsUser -Identity "Name" -RegistrarPool "Pool Name" -SipAddressType EmailAddress -SipDomain "Domain Name"

For example, in my case I used the below command.

Enable-CsUser -Identity "Jason Tim" -RegistrarPool "fe.prajwal.local" -SipAddress "sip:jason.tim@prajwal.local"


After you run the above command, launch the Lync Server Control Panel. Provide the credentials in the Windows Security box, then click Users.

Type the user's name in the search box and click Find. In the search results you can see a tick under Enabled.
