For testing purposes I wanted to Lync Enable the (default) administrator account in Active Directory using the Lync Control Panel. This failed with the following error:
Active Directory operation failed on “wes-dc02.wesselius.local”. You cannot retry this operation: “Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BB9, problem 4005 (INSUFF_ACCESS_RIGHTS), data 0”. You do not have the appropriate permissions to perform this operation in Active Directory.
The error message also points to a possible solution. The domain administrator is a member of a protected group (Domain Admins), and such accounts can only be Lync enabled using the Lync Management Shell. You can use the Enable-CsUser cmdlet to achieve this:
Enable-CsUser -Identity administrator -RegistrarPool Lync01.wesselius.local -SipAddress sip:administrator@wesselius.info
Running the cmdlet doesn’t return any output, but a query in the Lync Control Panel shows that the administrator account is now Lync enabled.
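Because Enable-CsUser returns nothing on success, the result can also be confirmed from the shell. The following is an added example, not part of the original post: the function name Enable-ProtectedCsUser is hypothetical, it assumes the ActiveDirectory module is available next to the Lync Server Management Shell, and the adminCount check is background on protected accounts that the post itself does not cover.

```powershell
# Added example: run in the Lync Server Management Shell with Domain Admin rights.
# Assumes the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

function Enable-ProtectedCsUser {
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [Parameter(Mandatory = $true)] [string] $RegistrarPool,
        [Parameter(Mandatory = $true)] [string] $SipAddress
    )

    # Accounts that are (or once were) members of a protected group such as
    # Domain Admins carry adminCount = 1. The value can be stale after the
    # account leaves the group, so treat it as a hint, not as proof.
    $adUser = Get-ADUser -Identity $SamAccountName -Properties adminCount
    if ($adUser.adminCount -eq 1) {
        Write-Host "$SamAccountName has adminCount=1 (protected account)."
    }

    # Use the documented domain\logon identity format.
    $identity = "$((Get-ADDomain).NetBIOSName)\$($adUser.SamAccountName)"

    Enable-CsUser -Identity $identity -RegistrarPool $RegistrarPool `
        -SipAddress $SipAddress -ErrorAction Stop

    # No output on success, so read the user back and check it.
    $csUser = Get-CsUser -Identity $identity -ErrorAction Stop
    if (-not $csUser.Enabled -or $csUser.SipAddress -ne $SipAddress) {
        throw "$identity was not Lync enabled as expected."
    }

    $csUser | Select-Object SamAccountName, Enabled, SipAddress, RegistrarPool
}

# Values taken from the command in the post.
Enable-ProtectedCsUser -SamAccountName administrator `
    -RegistrarPool Lync01.wesselius.local `
    -SipAddress sip:administrator@wesselius.info
```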
More information on the Enable-CsUser cmdlet can be found in the Lync Server 2010 Help file or on the Microsoft TechNet site: http://technet.microsoft.com/en-us/library/gg398711.aspx