I have created a PowerShell script that automates enabling users for Lync and setting policies based on group membership. I've successfully tested this script under my domain admin account and now I am working on getting it running as a scheduled task.
Since all the script really does related to Lync is run the commands Enable-CsUser, Set-CsUser, and Grant-Cs<policy name>Policy, I elected to create a service account that only has Lync user administration permissions. Initially, this user account was just a member of CSUserAdministration, but this was not working, so I added the user to RTCUniversalUserAdmins based on some other information I found.
This change got me by the various access denied errors I was getting in the script, but now I am getting the following error when I run the Enable-CsUser part:
Enable-CsUser : The EXECUTE permission was denied on the object 'XdsPublishItems', database 'xds', schema 'dbo'.
At line:1 char:1
+ Enable-CsUser -Identity <redacted> -RegistrarPool <redacted> - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Enable-CsUser], SqlException
+ FullyQualifiedErrorId : System.Data.SqlClient.SqlException,Microsoft.Rtc.Management.AD.Cmdlets.EnableOcsUserCmdlet
This seems to be some sort of permission error related to the permissions on the SQL database "xds". I checked, and RTCUniversalUserAdmins is a member of both CsUserAdministration and RTCUniversalReadOnlyAdmins. This latter group does have permissions on the xds database. It appears to be granted the "public" role on the database server. The User Mapping shows the following users mapped to the login:
- cpsdyn: public,ReadOnlyRole
- lis: public,ReadOnlyRole
- rgsconfig: public,ReadOnlyRole
- rgsdyn: public,ReadOnlyRole
- rtcxds: public,ConsumerRole
- xds: public,ConsumerRole
Even though I receive this error, the user is actually added to Lync. Follow-up Set-CsUser and Grant-Cs<policy name>Policy cmdlets succeed just fine.
What do I need to do to fix this error message?
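
A diagnostic for the error quoted above, as an added example that is not part of the original post: two T-SQL catalog queries, run on the SQL instance that hosts the xds database, that show which database principals hold a permission on dbo.XdsPublishItems and which logins or groups are members of each database role. It assumes the person running it can read the permission metadata in xds (for example as a SQL administrator); only the object, schema and database names come from the error message.

```sql
-- Added example: inspect who may execute dbo.XdsPublishItems in the xds database.
-- Object, schema and database names are taken from the error message in the post.
USE xds;

-- 1. Explicit permissions recorded on the object itself.
--    A GRANT EXECUTE row for a role (and no DENY row) means members of that
--    role can run the procedure. No row for a role means it has no explicit
--    permission on this object.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name AS permission_name,
       pe.state_desc      AS grant_or_deny
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                                   -- object-level permission
  AND pe.major_id = OBJECT_ID(N'dbo.XdsPublishItems')
ORDER BY pr.name, pe.permission_name;

-- 2. Membership of every database role in xds.
--    Compare the member list with the groups the service account belongs to;
--    the post lists the mapped roles as "public" and "ConsumerRole".
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m
  ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;
```

If the first result set has no GRANT EXECUTE row for any role that appears with the account's groups in the second result set, the denial in the error is consistent with the role mappings listed in the post.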