Permissions inheritance is disabled on computers, users, or InetOrgPerson containers in Lync Server 2013

Topic Last Modified: 2014-12-19

In a locked-down Active Directory Domain Services (AD DS) deployment, User and Computer objects are often placed in specific organizational units (OUs) with permissions inheritance disabled, both to help secure administrative delegation and to allow Group Policy objects (GPOs) to enforce security policies.

Domain preparation and server activation set the access control entries (ACEs) that Lync Server 2013 requires. When permissions inheritance is disabled, the Lync Server security groups cannot inherit these ACEs, and without them the groups cannot access the settings they govern. Two issues result:

  • To administer User, InetOrgPerson, and Contact objects, and to operate servers, the Lync Server security groups require the ACEs that the domain preparation procedure sets on each user's property sets: Real-Time Communications (RTC), RTC User Search, and Public Information. When permissions inheritance is disabled, the security groups do not inherit these ACEs and cannot manage servers or users.

  • To discover servers and pools, servers running Lync Server rely on ACEs that activation sets on computer-related objects, including the Microsoft Container and the Server object. When permissions inheritance is disabled, security groups, servers, and pools do not inherit these ACEs and therefore cannot use them.

To address these issues, Lync Server provides the Grant-CsOuPermission cmdlet. This cmdlet sets the required Lync Server ACEs directly (as explicit entries) on a specified container or organizational unit and on the objects within it. It does not re-enable inheritance on that container or OU, so the delegation model that motivated disabling inheritance stays in place.

Set Permissions for User, InetOrgPerson, and Contact Objects after Running Domain Preparation

In a locked-down Active Directory environment where permissions inheritance is disabled, domain preparation does not set the necessary ACEs on the containers or OUs that hold User or InetOrgPerson objects within the domain. In this situation, you must run the Grant-CsOuPermission cmdlet on each container or OU that holds User or InetOrgPerson objects and has permissions inheritance disabled. If you have a central forest topology, you must also perform this procedure on the containers or OUs that hold Contact objects. For details about central forest topologies, see Supported Active Directory topologies in Lync Server 2013 in the Supportability documentation. The ObjectType parameter specifies the object type; the OU parameter specifies the container or organizational unit.

The cmdlet adds the required ACEs directly on the specified container or OU and on the User or InetOrgPerson objects within it. It does not descend into child OUs: if the OU on which the command runs has child OUs that contain User or InetOrgPerson objects, the permissions are not applied to those, and you must run the command on each child OU individually. This is a common scenario in Lync hosting deployments, for example a parent OU=OCS Tenants,DC=CONTOSO,DC=LOCAL with a child OU=Tenant1,OU=OCS Tenants,DC=CONTOSO,DC=LOCAL.

You need user rights equivalent to Domain Admins group membership to run this cmdlet. If the Authenticated Users ACEs have also been removed in the locked-down environment, you must either grant this account read-access ACEs on the relevant containers or OUs in the forest root domain, as described in Authenticated user permissions are removed in Lync Server 2013, or use an account that is a member of the Enterprise Admins group.

To set required ACEs for User, InetOrgPerson, and Contact objects

  1. Log on to a computer joined to the domain with an account that is a member of the Domain Admins group or that has equivalent user rights.

  2. Start the Lync Server Management Shell: click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell.

  3. Run:

    Grant-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> 
    -OU <DN name for the OU container relative to the domain root container DN> [-Domain <Domain FQDN>]
    

    If you do not specify the Domain parameter, the default value is the local domain.

    For example:

    Grant-CsOuPermission -ObjectType "User" -OU "cn=Redmond,dc=contoso,dc=net" -Domain "contoso.net"
    
  4. In the log file, look for <Success> Execution Result at the end of each task to verify that the permissions were set, and then close the log window. Alternatively, run the following command to determine whether the permissions were set:

    Test-CsOuPermission -ObjectType <type of object> 
    -OU <DN name for the OU container relative to the domain root container DN> 
    [-Domain <Domain FQDN>] [-Report <fully qualified path and name of file to create>]
    

    For example:

    Test-CsOuPermission -ObjectType "User" -OU "cn=Redmond,dc=contoso,dc=net" -Domain "contoso.net" -Report "C:\Log\OUPermissionsTest.html"
    
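The procedure above grants ACEs on one container or OU at a time and, as noted, does not descend into child OUs. The following script is an added example and is not part of the original documentation: it walks the hosting-style parent OU from the text (OU=OCS Tenants,DC=CONTOSO,DC=LOCAL), reads each container's or OU's ACL to find exactly the ones with inheritance disabled (AreAccessRulesProtected is $true in that case), and runs Grant-CsOuPermission followed by Test-CsOuPermission on each of them. It assumes the Lync Server Management Shell with the ActiveDirectory (RSAT) module available, a Domain Admins-equivalent account, a C:\Logs report directory, and that Test-CsOuPermission returns a Boolean; the report file naming is the script's own.

```powershell
# Added example, not code from the Lync Server documentation.
# Grant Lync Server ACEs on every container/OU under a parent OU whose
# permission inheritance is disabled, since Grant-CsOuPermission does not
# descend into child OUs on its own.
Import-Module ActiveDirectory

$ParentOU   = "OU=OCS Tenants,DC=CONTOSO,DC=LOCAL"   # parent OU from the page's example
$ObjectType = "User"                                 # User, InetOrgPerson, Contact, ...
$Domain     = (Get-ADDomain).DNSRoot                 # e.g. contoso.local
$ReportDir  = "C:\Logs"                              # assumed report location

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Subtree search returns the parent itself plus every descendant container and OU
# (the page's procedure applies to both object classes).
$scopes = Get-ADObject -SearchBase $ParentOU -SearchScope Subtree `
    -LDAPFilter "(|(objectClass=organizationalUnit)(objectClass=container))"

foreach ($scope in $scopes) {
    $dn  = $scope.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    # AreAccessRulesProtected is $true exactly when inheritance is disabled on the object.
    if (-not $acl.AreAccessRulesProtected) {
        Write-Host "Inheritance enabled on $dn - domain preparation ACEs still flow down"
        continue
    }

    Write-Host "Inheritance disabled on $dn - granting $ObjectType ACEs"
    $safeName = $dn -replace '[^A-Za-z0-9]', '_'     # script's own naming scheme
    $report   = Join-Path $ReportDir "Grant-$safeName.xml"
    Grant-CsOuPermission -ObjectType $ObjectType -OU $dn -Domain $Domain -Report $report

    # Verify the grant; $false means the required ACEs are still missing.
    if (-not (Test-CsOuPermission -ObjectType $ObjectType -OU $dn -Domain $Domain)) {
        Write-Warning "ACEs still missing on $dn - inspect $report"
    }
}
```

Run it once per object type that the affected OUs hold (User, InetOrgPerson and, in a central forest topology, Contact). Because it only touches objects whose inheritance is already disabled, it is safe to re-run after a new tenant OU is created.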

Set Permissions for Computer Objects after Running Domain Preparation

In a locked-down Active Directory environment where permissions inheritance is disabled, domain preparation does not set the necessary ACEs on the containers or OUs that hold Computer objects within the domain. In this situation, you must run the Grant-CsOuPermission cmdlet on each container or OU that holds computers running Lync Server and has permissions inheritance disabled. The ObjectType parameter specifies the object type.

This procedure adds the required ACEs directly on the specified containers or OUs.

You need user rights equivalent to Domain Admins group membership to run this cmdlet. If the Authenticated Users ACEs have also been removed, you must either grant this account read-access ACEs on the relevant containers in the forest root domain, as described in Authenticated user permissions are removed in Lync Server 2013, or use an account that is a member of the Enterprise Admins group.

To set required ACEs for computer objects

  1. Log on to a domain-joined computer with an account that is a member of the Domain Admins group or that has equivalent user rights.

  2. Start the Lync Server Management Shell: click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell.

  3. Run:

    Grant-CsOuPermission -ObjectType <Computer> 
    -OU <DN name for the computer OU container relative to the domain root container DN> 
    [-Domain <Domain FQDN>][-Report <fully qualified path and name of output report>]
    

    If you do not specify the Domain parameter, the default value is the local domain.

    For example:

    Grant-CsOuPermission -ObjectType "Computer" -OU "ou=Lync Servers,dc=litwareinc,dc=com" -Report "C:\Logs\OUPermissions.xml"
    
  4. In the example log file C:\Logs\OUPermissions.xml, look for <Success> Execution Result at the end of each task and verify that there are no errors, and then close the log. You can also run the following cmdlet to test the permissions (ObjectType accepts a comma-separated list, such as "User","Contact", if you want to check several object types at once):

    Test-CsOuPermission -ObjectType <type of object> 
    -OU <DN name for the OU container relative to the domain root container DN> [-Domain <Domain FQDN>]
    

    For example:

    Test-CsOuPermission -ObjectType "Computer" -OU "ou=Lync Servers,dc=litwareinc,dc=com"
    

    Note

    If you run domain preparation on the forest root domain in a locked-down Active Directory environment, be aware that Lync Server requires access to the Active Directory Schema and Configuration containers.
    If the default Authenticated Users permission has been removed from the Schema or Configuration containers in AD DS, only members of the Schema Admins group (for the Schema container) or the Enterprise Admins group (for the Configuration container) can access the given container. Because Setup.exe, Lync Server Management Shell cmdlets, and Lync Server Control Panel require access to these containers, Setup and installation of the administrative tools will fail unless the user running the installation has user rights equivalent to Schema Admins and Enterprise Admins group membership.
    To remedy this, grant the RTCUniversalGlobalWriteGroup group Read and Write access to the Schema and Configuration containers. Write access to the Schema container is a high-value privilege, so treat membership of RTCUniversalGlobalWriteGroup as sensitive and monitor changes to it.
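As an added example that is not part of the original page, the following script reads the ACLs of the Schema and Configuration containers and reports, for each, whether NT AUTHORITY\Authenticated Users still holds an Allow ACE with ReadProperty rights (the default the note refers to) and which rights, if any, RTCUniversalGlobalWriteGroup has been granted there. It assumes the ActiveDirectory (RSAT) module is available and that the account running it can read these containers (in a fully locked-down forest that means Schema Admins or Enterprise Admins membership); the output column names are the script's own.

```powershell
# Added example, not code from the Lync Server documentation.
# Audit the Schema and Configuration containers for the two ACE sets the note
# above depends on: the default Authenticated Users read access and any access
# granted to RTCUniversalGlobalWriteGroup.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$targets = [ordered]@{
    Schema        = $rootDse.schemaNamingContext          # CN=Schema,CN=Configuration,...
    Configuration = $rootDse.configurationNamingContext   # CN=Configuration,...
}
$group     = "RTCUniversalGlobalWriteGroup"               # group named in the note
$authUsers = "NT AUTHORITY\Authenticated Users"
$readRight = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

foreach ($name in $targets.Keys) {
    $dn  = $targets[$name]
    $acl = Get-Acl -Path "AD:\$dn"

    # Default AD DS ACLs give Authenticated Users GenericRead here; ReadProperty is
    # the part of that right Setup and the management tools need.
    $authRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $authUsers -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($readRight)
    }

    # Any Allow ACE for the RTC group, reported with the rights it carries.
    $rtcAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$group" -and $_.AccessControlType -eq 'Allow'
    }

    [pscustomobject]@{
        Container              = $name
        DistinguishedName      = $dn
        AuthenticatedUsersRead = [bool]$authRead
        RtcGroupRights         = ($rtcAces | ForEach-Object { "$($_.ActiveDirectoryRights)" }) -join '; '
    }
}
```

A row with AuthenticatedUsersRead set to False and an empty RtcGroupRights column identifies a container on which Setup and the administrative tools will fail for anyone who is not a Schema Admin or Enterprise Admin, which is the situation the note describes.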