Cannot move Lync 2010 user to new pool

Sunday, November 7, 2010
You may find that you are unable to move certain users to a new Lync Server 2010 Registrar pool. When you select the user, choose Move selected users to pool from the Action menu and enter the destination Registrar pool, the move fails with the error "Failed while updating the destination pool".


If you select the "Force" check box, you receive a slightly different error: Active Directory operation failed on "dc.domain.com". You cannot retry this operation: "Insufficient access rights to perform the operation".


This happens when the user you are trying to move is a member of one of the special Windows built-in groups, such as Domain Admins. Windows automatically removes security inheritance from the user object of any member of these groups, and it is the missing inherited permissions that produce the access-rights error above. To complete the move, you must reapply inheritance on the user object:
  • Open Active Directory Users and Computers and locate the user object
  • Right-click the user and select Properties
  • Click the Security tab and then the Advanced button
  • Check the Include inheritable permissions from this object's parent check box
  • Click OK twice and try moving the user to the new Lync pool again
Be aware that Windows will automatically remove the inheritance setting again within a few minutes as long as the user remains a member of the Windows built-in group.
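The same check and fix from the shell, as an added example that is not part of the original post: it reads the user object's ACL to see whether inheritance is currently blocked, re-enables it (the scripted equivalent of the check box above), and then attempts the move straight away, before Windows strips inheritance again. It assumes the ActiveDirectory module and the Lync Server Management Shell are loaded, and the user name and pool FQDN are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (for the AD: drive) and the Lync Server Management Shell are
# loaded; $sam and $pool are placeholders to replace with your own values.
Import-Module ActiveDirectory

$sam  = 'kate'                 # placeholder sAMAccountName of the user to move
$pool = 'lync-se.domain.net'   # placeholder destination Registrar pool FQDN

$user = Get-ADUser -Identity $sam -Properties adminCount, memberOf
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path

# adminCount=1 is the attribute Windows sets on accounts it manages this way;
# AreAccessRulesProtected is $true while inheritance is blocked on the object.
"adminCount          : $($user.adminCount)"
"Inheritance blocked : $($acl.AreAccessRulesProtected)"
"Group membership    : $($user.memberOf -join '; ')"

if ($acl.AreAccessRulesProtected) {
    # Equivalent of ticking 'Include inheritable permissions from this
    # object's parent'. The second $false restores the inherited entries
    # from the parent instead of keeping them as explicit (copied) entries.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Inheritance re-enabled on $($user.DistinguishedName)"
}

# Move immediately: as long as the user stays in the built-in group, Windows
# will remove the inheritance setting again within a few minutes.
Move-CsUser -Identity $user.UserPrincipalName -Target $pool -Confirm:$false
```

Re-run the first three lines of output after a while to confirm that inheritance has been removed again; that is expected while the account remains in the group, not a sign the fix failed.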

5 comments:

  1. Champion! My issue exactly!

  2. Hey Jeff,
    So I followed the directions and updated inheritance on my user in AD, and was able to move a user a few days ago, coming back from holiday no changes made and now I can't. I did go back in and make sure I had the inheritance selected. Any other ideas? Don't see anything in event viewer either.... :(

    -A

  3. SO! I misread this, it's the user you want to move who needs inheritable permissions checked, not the admin doing the move. :) It just so happened that the two users I was moving were my own accounts who were domain admins. Funny....

    Great article Jeff, really good.

    -A

  4. Also ensure that you have properly prepared the domain in which you are trying to enable users. I ran into the same error message, which turned out to be that the domain prep had failed on that domain.
    I have an empty root domain with several domains under the root and it was driving me crazy until I ran Get-CsAdForest and received an error. The following is what you should get:

    PS C:\> Get-CsAdForest
    LC_FORESTSETTINGS_STATE_READY

    What was troubling is that I ran the GUI install from a properly delegated account in the forest/domain and it had the forest prep identified as prepared.

  5. Or you can just use the Management Shell:

    At the command line, type the following:

    Get-CsUser -OnOfficeCommunicationServer

    Using a legacy user's SIP address as a parameter, run the Move-CsLegacyUser cmdlet:

    Move-CsLegacyUser -Identity "sip address" -Target "pool_FQDN"

    For example, to move one of the legacy users to the Lync 2010 pilot pool, run:

    Move-CsLegacyUser -Identity "sip:kate@domain.net" -Target "lync-se.domain.net"
