Error enabling users in sub-domain via LSCP

A customer recently reported that they were getting an error when trying to enable a user in a sub-domain when trying to import a user via Lync Server Control Panel (LSCP). The resolution is really simple and I thought that I will post it our there for anyone having the same problem. Here is the offending error :


1 Error(s)

Active Directory operation failed on “”. You cannot retry this operation: “Insufficient access rights to perform the operation
00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync
Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for
example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and
log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.

As the error message suggests the problem is either because the user has Admin privileges in Active Directory (See for resolution) or because you do not have appropriate permissions in active directory. In this scenario there were two domains:

Whenever we tried to activate a user in the domain they will get the error above. If we tried to enable the user in the sub-domain via Power Shell it will succeed, for eg :

PS C:\> Enable-CsUser -Identity -RegistarPool -SipAddressType UserPrincipalName

I started by checking the state of the Forest

PS C:\> Get-CsAdForest

I then checked the state of the parent domain

PS C:\> Get-CsAdDomain

Then, I looked at the problematic sub-domain

PS C:\> Get-CsAdDomain -Domain

WARNING: “get-csaddomain” processing has completed with warnings. "10" warnings were recorded during this run.
WARNING: Detailed results can be found at ‘C:\Users\Akshat\AppData\Local\Temp\2\get—csaddomain—1ab612e0—d6lf—4672—a4f4—fea5555l5b6c .html”.

The error log mentioned in the warning reported several warnings about ACEs in the sub-domain


To fix this we simply run the following in Lync Power-Shell (

Enable-CsAdDomain -Domain

The domain preparation step adds the necessary access control entries (ACEs) to universal groups that grant permissions to host and manage users within the domain. Domain preparation creates ACEs on the domain root and three built-in containers: User, Computers, and Domain Controllers.

Additional Links: