You might have wondered exactly which Active Directory permissions the Microsoft Lync Server 2010 PowerShell cmdlets Grant-CsSetupPermission and Grant-CsOuPermission grant, and to which Active Directory groups. If so, I hope the following post will stop your wondering.

At the end of this post is a table showing the content of each Active Directory property set referenced in the tables below.

Running Grant-CsSetupPermission on an OU gives the RTCUniversalServerAdmins group the following permissions on that OU.

| Permission | Applies To |
|---|---|
| Read servicePrincipalName; Write servicePrincipalName; Replicating Directory Changes | Special |
| Read DNS host name attributes; Read dNSHostName; Read public information; Create serviceConnectionPoint objects; Delete serviceConnectionPoint objects | Descendant Computer objects |
| Read all properties; Write all properties; Delete subtree | Descendant msRTCSIP-ConnectionPoint objects |
| Read all properties; Write all properties; Delete subtree | Descendant msRTCSIP-ApplicationServer objects |
| Read all properties; Write all properties; Delete subtree | Descendant msRTCSIP-MediationServer objects |
| Read all properties; Write all properties; Delete subtree | Descendant msRTCSIP-MCU objects |
| Read all properties; Write all properties; Delete subtree | Descendant msRTCSIP-WebComponents objects |
| Read all properties; Write all properties; Delete subtree | Descendant msRTCSIP-Server objects |
| List contents; Read all properties; Write all properties; Delete subtree; Read permissions; Modify permissions; Create all child objects; Delete all child objects; Create msRTCSIP-ApplicationServer objects; Delete msRTCSIP-ApplicationServer objects; Create msRTCSIP-ConnectionPoint objects; Delete msRTCSIP-ConnectionPoint objects; Create msRTCSIP-MCU objects; Delete msRTCSIP-MCU objects; Create msRTCSIP-MediationServer objects; Delete msRTCSIP-MediationServer objects; Create msRTCSIP-Server objects; Delete msRTCSIP-Server objects; Create msRTCSIP-WebComponents objects; Delete msRTCSIP-WebComponents objects; Create mS-SQL-OLAPServer objects; Delete mS-SQL-OLAPServer objects; Create mS-SQL-SQLServer objects; Delete mS-SQL-SQLServer objects | Descendant serviceConnectionPoint objects |

Running Grant-CsOuPermission -ObjectType User on an OU grants the following groups the permissions shown in the table below.

| Group | Permission | Applies To |
|---|---|---|
| RTCHSUniversalServices | Replicating Directory Changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write msExchUCVoiceMailSettings; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant User objects |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Public-Information; Read General-Information; Read User-Account-Restrictions | Descendant User objects |

Running Grant-CsOuPermission -ObjectType Contact or AppContact on an OU grants the following groups the permissions shown in the table below.

| Group | Permission | Applies To |
|---|---|---|
| RTCHSUniversalServices | Replicating Directory Changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write otherIpPhone; Write displayName; Write description; Write telephoneNumber; Write msExchUCVoiceMailSettings; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant Contact objects |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Public-Information; Read General-Information; Read Personal-Information; Read User-Account-Restrictions | Descendant Contact objects |

Running Grant-CsOuPermission -ObjectType Computer on an OU grants the following groups the permissions shown in the table below.

| Group | Permission | Applies To |
|---|---|---|
| RTCHSUniversalServices | Replicating Directory Changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserAdmins | Read Public-Information; Read Validated-DNS-Host-Name | Descendant Computer objects |
| RTCUniversalUserReadOnlyGroup | Read Public-Information; Read Validated-DNS-Host-Name | Descendant Computer objects |

Running Grant-CsOuPermission -ObjectType Device on an OU grants the following groups the permissions shown in the table below.

| Group | Permission | Applies To |
|---|---|---|
| RTCHSUniversalServices | Replicating Directory Changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserAdmins | Create child; Delete child; Delete tree | Contact |
| RTCUniversalUserAdmins | Write displayName; Write description; Write telephoneNumber | Descendant User objects |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write otherIpPhone; Write displayName; Write description; Write telephoneNumber; Write msExchUCVoiceMailSettings; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant Contact objects |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Public-Information; Read Personal-Information; Read General-Information; Read User-Account-Restrictions | Descendant Contact objects |

Running Grant-CsOuPermission -ObjectType InetOrgPerson on an OU grants the following groups the permissions shown in the table below.

| Group | Permission | Applies To |
|---|---|---|
| RTCHSUniversalServices | Replicating Directory Changes | This object only |
| RTCUniversalServerReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserReadOnlyGroup | List contents; Read all properties; Read permissions | This object only |
| RTCUniversalUserAdmins | Write RTCUserSearchPropertySet; Write RTCUserProvisioningPropertySet; Write RTCPropertySet; Write proxyAddresses | Descendant inetOrgPerson objects |
| RTCUniversalUserReadOnlyGroup | Read RTCUserSearchPropertySet; Read RTCUserProvisioningPropertySet; Read RTCPropertySet; Read Personal-Information; Read Public-Information; Read General-Information; Read User-Account-Restrictions | Descendant inetOrgPerson objects |

The relevant property sets and their contents are shown below.

| PropertySet | Attributes |
|---|---|
| RTCUserSearchPropertySet | ms-RTC-SIP-PrimaryUserAddress, ms-RTC-SIP-OwnerUrn |
| RTCPropertySet | ms-DS-Source-Object-DN, ms-RTC-SIP-AcpInfo, ms-RTC-SIP-ApplicationDestination, ms-RTC-SIP-ApplicationOptions, ms-RTC-SIP-ApplicationPrimaryLanguage, ms-RTC-SIP-ApplicationSecondaryLanguages, ms-RTC-SIP-ArchivingEnabled, ms-RTC-SIP-DeploymentLocator, ms-RTC-SIP-FederationEnabled, ms-RTC-SIP-GroupingID, ms-RTC-SIP-InternetAccessEnabled, ms-RTC-SIP-Line, ms-RTC-SIP-LineServer, ms-RTC-SIP-OptionFlags, ms-RTC-SIP-OriginatorSid, ms-RTC-SIP-PrimaryHomeServer, ms-RTC-SIP-PrivateLine, ms-RTC-SIP-SourceObjectType, ms-RTC-SIP-TargetHomeServer, ms-RTC-SIP-TargetUserPolicies, ms-RTC-SIP-TenantId, ms-RTC-SIP-UserEnabled, ms-RTC-SIP-UserExtension, ms-RTC-SIP-UserLocationProfile, ms-RTC-SIP-UserPolicies, ms-RTC-SIP-UserPolicy |
| RTCUserProvisioningPropertySet | Empty |
| Personal-Information | Address, Address-Home, Assistant, Comment, Country-Name, Facsimile-Telephone-Number, International-ISDN-Number, Locality-Name, ms-DS-Supported-Encryption-Types, ms-DS-Last-Successful-Interactive-Logon-Time, ms-DS-Last-Failed-Interactive-Logon-Time, ms-DS-Failed-Interactive-Logon-Count, ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon, MSMQ-Digests, MSMQ-Sign-Certificates, Personal-Title, Phone-Fax-Other, Phone-Home-Other, Phone-Home-Primary, Phone-Ip-Other, Phone-Ip-Primary, Phone-ISDN-Primary, Phone-Mobile-Other, Phone-Mobile-Primary, Phone-Office-Other, Phone-Pager-Other, Phone-Pager-Primary, Physical-Delivery-Office-Name, Picture, Post-Office-Box, Postal-Address, Postal-Code, Preferred-Delivery-Method, Registered-Address, State-Or-Province-Name, Street-Address, Telephone-Number, Teletex-Terminal-Identifier, Telex-Number, Telex-Primary, User-Cert, User-Shared-Folder, User-Shared-Folder-Other, User-SMIME-Certificate, X121-Address, X509-Cert, ms-Exch-Public-Delegates |
| Public-Information | Additional-Information, Allowed-Attributes, Allowed-Attributes-Effective, Allowed-Child-Classes, Allowed-Child-Classes-Effective, Alt-Security-Identities, Common-Name, Company, Department, Description, Display-Name-Printable, Division, E-mail-Addresses, Given-Name, Initials, Legacy-Exchange-DN, Manager, ms-DS-Allowed-To-Delegate-To, ms-DS-Auxiliary-Classes, ms-DS-Approx-Immed-Subordinates, ms-DS-Phonetic-First-Name, ms-DS-Phonetic-Last-Name, ms-DS-Phonetic-Department, ms-DS-Phonetic-Company-Name, ms-DS-Phonetic-Display-Name, ms-DS-HAB-Seniority-Index, Obj-Dist-Name, Object-Category, Object-Class, Object-Guid, Organization-Name, Organizational-Unit-Name, Other-Mailbox, Proxy-Addresses, RDN, Reports, Service-Principal-Name, Show-In-Address-Book, Surname, System-Flags, Text-Country, Text-Encoded-OR-Address, Title, User-Principal-Name, ms-Exch-UC-Voice-Mail-Settings |
| General-Information | Admin-Description, Code-Page, Country-Code, Display-Name, Object-Sid, Primary-Group-ID, SAM-Account-Name, SAM-Account-Type, SD-Rights-Effective, Show-In-Advanced-View-Only, SID-History, uid, User-Comment |
| User-Account-Restrictions | Account-Expires, ms-DS-User-Account-Control-Computed, ms-DS-User-Password-Expiry-Time-Computed, Pwd-Last-Set, User-Account-Control, User-Parameters |
| Validated-DNS-Host-Name | DNS-Host-Name, ms-DS-Additional-Dns-Host-Name |
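Tables like the ones above are only useful if you can check them against a live directory. The script below is an added example written for this post; it is not code from the original post or from Lync Server. It reads the explicit ACEs that the RTC* groups hold on an OU, resolves the ACE GUIDs to attribute, property set, class and extended-right names so the output uses the same wording as the permission tables, and expands a property set into its member attributes so the property set table can be verified too. It assumes the ActiveDirectory PowerShell module (with its AD: drive) and a domain-joined session; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original post. Audits Lync RTC* group ACEs on an OU and expands
# property sets. Assumes the ActiveDirectory module is installed; the OU DN below is a placeholder.

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# GUID -> name lookups: schemaIDGUID for classes and attributes, rightsGuid for property sets,
# validated writes and extended rights (for example "Replicating Directory Changes").
$guidName = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase $rightsDN -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return 'All' }           # empty GUID = all attributes / all object types
    if ($guidName.ContainsKey($Guid)) { return $guidName[$Guid] }
    return $Guid.ToString()                                    # unknown GUID: show it raw rather than guess
}

# Translate one ACE into the "Permission / Applies To" wording of the ACL editor.
function Convert-AceToRow {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $appliesTo = if ($Ace.InheritanceType -eq 'None') {
        'This object only'
    } else {
        $target = Resolve-AceGuid $Ace.InheritedObjectType
        if ($target -eq 'All') { 'This object and all descendants' } else { "Descendant $target objects" }
    }
    [pscustomobject]@{
        Group     = $Ace.IdentityReference.Value
        Type      = $Ace.AccessControlType
        Rights    = $Ace.ActiveDirectoryRights
        Object    = Resolve-AceGuid $Ace.ObjectType            # attribute, property set, class or right
        AppliesTo = $appliesTo
    }
}

# Explicit (non-inherited) ACEs held by the RTC* groups on the OU, in table form.
function Get-RtcOuPermission {
    param([string]$OuDN)
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -match '\\RTC' } |
        ForEach-Object { Convert-AceToRow $_ }
}

# Attributes that belong to a property set: those whose attributeSecurityGUID equals the set's rightsGuid.
function Get-PropertySetMember {
    param([string]$Name)
    $set = Get-ADObject -SearchBase $rightsDN -Properties rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(|(cn=$Name)(displayName=$Name)))"
    if (-not $set) { throw "Property set '$Name' not found in $rightsDN" }
    # LDAP filters need the GUID as escaped bytes (\xx per byte) rather than as a string.
    $escaped = (([guid]$set.rightsGuid).ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(attributeSecurityGUID=$escaped)" -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

# Usage (placeholder OU): compare the output with the tables in this post.
Get-RtcOuPermission -OuDN 'OU=Lync Users,DC=example,DC=com' | Sort-Object Group, AppliesTo | Format-Table -AutoSize
Get-PropertySetMember -Name 'RTCPropertySet'
```

Rows whose Rights column shows a raw GUID in the Object column point at a schema or rights entry this forest does not have (for example before the Lync schema extension has replicated), which is itself worth knowing before running the Grant-Cs cmdlets. Any RTC* ACE that does not match the tables above is a candidate for review, since these groups are the ones Lync trusts to modify user and contact attributes.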