Lync 2010, Multi-Forest: Can't Enable a Lync User via Lync Control Panel, Error Message: Active Directory Operation failed on "dc01.apple.com" Insufficient Rights to perform the operation

I tried both of the following:

1)

I tried to turn Advanced Features on in AD Users and Computers, locate the user who I'm using as a csadmin, select the security tab, click advanced and select "Include Inheritable Permissions from this object's parent" on the user object. You should then be able to add them for Lync, but that had no effect for the Lync Control Panel.

The user I made is NOT a member of domain admins, but IS a CSarchiver, and CSAdmin... and same error message.

.... I believe the problem is that IIS (which runs the Lync Control Panel) is running as a weird user problem?

2)

Enable-CsUser works, but the Control Panel does not work. Could not figure out how to do: "Get-AdUser | Enable-CsUser", so PowerShell will not work for me.

August 19th, 2015 10:02am

1) Have you given it enough time for replication to complete if there are multiple domain controllers and sites?  Have you tried the control panel logged in directly to a FE as a user who's a domain admin and a CSAdministrator?  Or are you attempting to run from your desktop?

2) Please let us know what you'd like the PowerShell command to do exactly and maybe we can help.

August 19th, 2015 10:50am

Yes, I've uninstalled and removed Lync and reinstalled it into the domain and it still has the same problems (using the MS uninstallation procedures).

All of my Users are in a specific OU:

MyDomainUsersOU\MynorthernSiteUsers\usera dc=apple,dc=local

Usera will not be enabled via the GUI

But if I move UserA into:

cn=users,dc=apple,dc=local  (the default OU), then he can be enabled... I am completely stumped why the OU does not work..

August 19th, 2015 12:56pm

Oh... perhaps that OU is locked down: http://www.skypeadmin.com/2015/01/29/insufficient-access-enable-lync-skype-user/

Try this:

Grant-CsOUPermission -OU "ou=mynorthernsiteusers,ou=mydomainusersou,dc=apple,dc=local" -ObjectType "user"

August 19th, 2015 1:01pm

Thanks for your help.

I ran: grant-csoupermission -ou "ou=appleuser,dc=apple,dc=local" -objecttype "user"

and there was no output, meaning I think it worked; however, when trying the Lync 2010 GUI again > enable user in that OU, it didn't work.... hmmm..

August 19th, 2015 1:11pm

Give it a few minutes (15 or so) and try again just to be sure.  If enable inheritance is on for that user, and the OU has permissions, you should be fine.  Especially considering it works if you move them to the users container, that suggests there's nothing specifically wrong with the user account itself.

August 19th, 2015 1:18pm

Still nothing =(

I noticed that these OUs cannot be dragged around even via AD Users and Computers, even the ADDS GUI when you drag an OU says "Access is denied", only when you drag a User it is ok...

August 19th, 2015 1:30pm

If you create a new OU and move the user to that, can you enable them?
August 19th, 2015 1:31pm

Users can move into new OUs and Existing OUs.

None of the new OUs or Existing OUs can be moved to other locations.

August 19th, 2015 1:33pm

But can you enable a user in a new OU created at the top level of Active Directory?
August 19th, 2015 1:45pm

No it is not working anymore. It did for 1 user earlier but not for the user moved into the new top level OU made. Weird... hmm..

August 19th, 2015 1:51pm

I got more information:

When using the Lync Server 2010 Control Panel and selecting a user to delete it says:

1 error

active directory operation failed on "dc01.apple.com". you cannot retry this operation: "insufficient access rights to perform the operation"

00002098: SecErr: DSID-03150bb9, problem 4003 (insuff access rights) data 0

you do not have the appropriate permissions to perform this operation in active directory. one possible cause is that the lync server control panel and remote windows powershell cannot modify users who belong to protected security groups (for example the domain admins group), to manague users in the domain admins group, use the lync server management shell and log on using a domain admins account

August 19th, 2015 2:01pm

If you right click the first OU giving you trouble and look at the security tab, which RTC groups do you see in there?  And to confirm, what groups are you a member of?

August 19th, 2015 2:05pm

I am using Administrator (member of Domain Admins, and a bunch of other things)

The Highest OU with the users has Security Permissions of:

Allow   RTCHUniversalServices   Permission: Special   <--- only once

Allow   RTCUniversalServerReadOnlyGroup   Permission: Special   <--- only once

Allow   RTCUniversalUserAdmins   Permission: Special
..about 20 times

Allow   RTCUniversalUserReadOnlyGroup   Permission: Blank
Allow   RTCUniversalUserReadOnlyGroup   Permission: Blank
Allow   RTCUniversalUserReadOnlyGroup   Permission: Blank
Allow   RTCUniversalUserReadOnlyGroup   Permission: Blank
..about 20 times

August 19th, 2015 2:15pm

Please make sure that the domain involved here is prepared completely for Lync Server.

Use the command:

Get-CsAdDomain -Domain domain.local -verbose

If the output does not show: LC_DOMAINSETTINGS_STATE_READY

Then it will be necessary to run:

Enable-CsAdDomain -Domain domain.local -verbose

Wait for the replication to complete and test again.

Finally please make sure that steps provided in this article were followed: ( Lync Server 2010 Control Panel Insufficient access rights to perform the operation ) - http://www.msdigest.net/2011/11/lync-server-2010-control-panel-insufficient-access-rights-to-perform-the-operation/

August 19th, 2015 2:18pm

Waited and now it is at that state. Those options were performed, but the GUI has the same behaviour. For fun I did this, and it works, but I'm not sure why the control panel does not work:

Get-CsADUser -OU ou=appleusers,dc=apple,dc=com | enable-csuser -registrarpool applepool.apple.com -sipaddresstype emailaddress

August 19th, 2015 2:33pm

Ahhhhhhhhhhhhhhh!!! It works now! You have to enable the checkmark on the user object one at a time in active directory, then the control panel works... Wow. Thank you so much, I appreciate your patience with me and my problems. I am actually doing 2 simultaneous installs so if you would like to continue with my perils, please check my other thread and see if you have guidance

 https://social.technet.microsoft.com/Forums/lync/en-US/77cb5259-491e-46ad-8e5a-cc84e338cc38/lync2010multiforest-how-can-we-allow-the-client-users-of-applecom-search-for-usernamebananacom?forum=ocsplanningdeployment   

I owe you big time! Thank  youuuuuuuuuuuuuu

August 19th, 2015 2:38pm
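Added example, not part of the original thread: the fix reported above (ticking "Include inheritable permissions" on each user object by hand) can be audited and applied per OU from PowerShell. It assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and the OU path quoted earlier in the thread; the two function names are hypothetical.

```powershell
# Added example; function names are illustrative, not Lync or AD cmdlets.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase
    )
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount |
        ForEach-Object {
            # The AD: drive exposes each object's security descriptor to Get-Acl.
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            [pscustomobject]@{
                SamAccountName      = $_.SamAccountName
                DistinguishedName   = $_.DistinguishedName
                # True means "Include inheritable permissions" is unchecked,
                # so ACEs granted on the OU never reach this user.
                InheritanceDisabled = $acl.AreAccessRulesProtected
                # 1 marks an account that is, or once was, in a protected group.
                AdminCount          = $_.adminCount
            }
        } |
        Where-Object { $_.InheritanceDisabled }
}

function Enable-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $DistinguishedName
    )
    process {
        $path = "AD:\" + $DistinguishedName
        $acl  = Get-Acl -Path $path
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            # isProtected = $false turns inheritance back on; the second
            # argument is ignored when isProtected is $false.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# OU taken from the thread; adjust for your directory.
$ou = 'ou=mynorthernsiteusers,ou=mydomainusersou,dc=apple,dc=local'
Get-InheritanceBlockedUser -SearchBase $ou | Format-Table -AutoSize
# Review the list first, then preview the change before applying it:
# Get-InheritanceBlockedUser -SearchBase $ou | Enable-UserAclInheritance -WhatIf
```

Accounts that are still members of a protected group such as Domain Admins will have inheritance switched off again by the AdminSDHolder process, so for those the approach named in the error message (Lync Server Management Shell under a Domain Admins account) applies rather than re-enabling inheritance.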

This topic is archived. No further replies will be accepted.
