Lync Error Insufficient access rights to perform the operation

I recently installed Lync 2013 on my lab setup. When I launched the Lync Server Control Panel to enable a Lync account for a user, I saw this error: Active Directory operation failed on “fe.prajwal.local”. You cannot retry this operation: “Insufficient access rights to perform the operation”.
This error is seen when you use the Lync Server Control Panel to enable or move an Active Directory domain user for use with Lync Server. Although you may have full Enterprise access, you will still fail to add new users. Let’s see why this error comes up and how to fix it.
Lync Error Insufficient access rights to perform the operation
The error described above is caused by the combination of the following two reasons:
1) The user account that is part of the Lync Server move or enable operation is a member of an AD DS (Windows Server) protected domain security group. Hence it is unable to keep the RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server Universal Security groups and their permissions as Access Control Entries.
2) The Lync Server Control Panel is not designed to delegate the permissions of RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server Universal Security groups that are needed to complete the user account move or enable operation.
To enable an account that has admin rights for Lync, you need to log in with a Lync admin account that also has domain admin rights and enable the user from the Lync Server Management Shell. Using the Lync Server Control Panel will not work.
Open the Lync Server Management Shell and run the following command:
Enable-CsUser -Identity "<Name>" -RegistrarPool "<Pool Name>" -SipAddressType <EmailAddress> -SipDomain <domain name>
For example, in my case I used the command below.
Enable-CsUser -Identity "Jason Tim" -RegistrarPool "fe.prajwal.local" -SipAddressType EmailAddress -SipDomain prajwal.local
After you run the above command, launch the Lync Server Control Panel. Provide the credentials in the Windows Security box. Click on Users.
Type the user's name in the search box and click Find. In the search results you can see a tick under Enabled.
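
To check whether an account matches the first cause listed above before running Enable-CsUser, the following added example (not part of the original post) reads the account's security descriptor with the ActiveDirectory module. The function name and the SamAccountName placeholder are assumptions, and adminCount and the inheritance flag are standard AD properties that the post itself does not mention.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT). Get-ProtectedUserAclState is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-ProtectedUserAclState {
    param([Parameter(Mandatory)][string]$Identity)

    # -Identity accepts a SamAccountName, DN, GUID or SID; stop if not found.
    $user = Get-ADUser -Identity $Identity -ErrorAction Stop `
                       -Properties adminCount, nTSecurityDescriptor
    $sd = $user.nTSecurityDescriptor

    # Explicit and inherited ACEs, with trustees resolved to DOMAIN\name.
    $aces = $sd.GetAccessRules($true, $true,
                [System.Security.Principal.NTAccount])

    # ACEs granted to the two Lync universal groups named in the post.
    $rtcAces = @($aces | Where-Object {
        $_.IdentityReference.Value -match
            '\\RTCUniversalUser(Admins|ReadOnlyGroup)$'
    })

    [pscustomobject]@{
        User               = $user.SamAccountName
        # adminCount = 1 marks an account that is (or was) in a protected group.
        AdminCount         = $user.adminCount
        # True means the object does not inherit ACEs from its parent container.
        InheritanceBlocked = $sd.AreAccessRulesProtected
        RtcGroupAceCount   = $rtcAces.Count
        # All three signs together match the first cause listed in the post.
        LikelyAffected     = ($user.adminCount -eq 1) -and
                             $sd.AreAccessRulesProtected -and
                             ($rtcAces.Count -eq 0)
    }
}

# Placeholder: replace with the SamAccountName of the user being enabled.
Get-ProtectedUserAclState -Identity '<SamAccountName>' | Format-List
```

If LikelyAffected is True, the Control Panel operation can be expected to fail for that account, and the Enable-CsUser route described above applies.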