Lync Error Insufficient access rights to perform the operation

I recently installed Lync 2013 on my lab setup. When I launched the Lync Server Control Panel to enable a Lync account for a user, I saw the error: Active Directory operation failed on “fe.prajwal.local”. You cannot retry this operation: “Insufficient access rights to perform the operation”. This error is seen when you use the Lync Server Control Panel to enable or move an Active Directory domain user for use with Lync Server. Although you may have full Enterprise access, you will still fail to add new users. Let’s see why this error comes up and the steps to fix it.
The error described above is caused by the combination of the following two reasons:
1) The user account that is part of the Lync Server move or enable operation is a member of an Active Directory directory service protected domain security group. Because the user account belongs to a Windows Server protected domain security group, it is unable to keep the RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server Universal Security groups and their permissions as Access Control Entries.
2) The Lync Server Control Panel is not designed to delegate the permissions of RTCUniversalUserAdmins and RTCUniversalUserReadOnlyGroup Lync Server Universal Security groups that are needed to complete the user account move or enable operation.
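To check whether a given user matches the first cause before trying to enable it, the following added example (not from the original post) reads the user's security descriptor and reports whether ACL inheritance is blocked and whether any ACEs for the two RTC groups are present. It assumes the ActiveDirectory RSAT module is installed and relies on the standard AD behaviour that members of protected groups get adminCount set to 1 and inheritance disabled; the function name and the sample account name are hypothetical.

```powershell
# Added example: requires the ActiveDirectory (RSAT) module and read access
# to the user's security descriptor.
Import-Module ActiveDirectory

function Test-LyncEnableBlocker {
    [CmdletBinding()]
    param(
        # sAMAccountName, distinguished name, GUID or SID of the user to check
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity
    )
    process {
        $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
        $acl  = $user.nTSecurityDescriptor

        # The two Lync Server universal security groups named in the article
        $rtcGroups = 'RTCUniversalUserAdmins', 'RTCUniversalUserReadOnlyGroup'

        # All ACEs (explicit and inherited), with trustees resolved to DOMAIN\name
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $rtcAces = @($rules | Where-Object {
            $rtcGroups -contains ($_.IdentityReference.Value -split '\\')[-1]
        })

        $inheritanceBlocked = $acl.AreAccessRulesProtected

        [pscustomobject]@{
            User               = $user.SamAccountName
            # adminCount can remain 1 after a user leaves a protected group,
            # so it is reported but not used for the verdict on its own.
            AdminCount         = $user.adminCount
            InheritanceBlocked = $inheritanceBlocked
            RtcAceCount        = $rtcAces.Count
            # Inheritance blocked and no RTC ACEs: the Control Panel operation
            # is expected to fail with "Insufficient access rights".
            LikelyBlocked      = ($inheritanceBlocked -and $rtcAces.Count -eq 0)
        }
    }
}

# Constructed sample account name; replace with a real identity in your domain.
Test-LyncEnableBlocker -Identity 'jason.tim' | Format-List
```

A user reported with LikelyBlocked set to True is one to enable from the Lync Server Management Shell rather than the Control Panel.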
In order to enable an account that has admin rights for Lync, you need to log in with a Lync admin account that also has domain admin rights and enable the user using the Lync Server Management Shell. Using the Lync Server Control Panel will not work. The error is seen in the screenshot below.
Open the Lync Server Management Shell and type the following command.
Enable-CsUser -Identity "Name" -RegistrarPool "Pool Name" -SipAddressType EmailAddress -SipDomain "Domain Name"
For example, in my case I used the below command.
Enable-CsUser -Identity "Jason Tim" -RegistrarPool "fe.prajwal.local" -SipAddressType EmailAddress -SipDomain prajwal.local
After you run the above command, launch the Lync Server Control Panel. Provide the credentials in the Windows Security box. Click on Users. In the search box, type the first name of the user for whom Lync is to be enabled and click Find. In the search results you can see a tick under Enabled.