Revoke-CsOUPermission
Topic Last Modified: 2012-03-26
Revokes the Microsoft Lync Server 2010 management permissions that have been granted on an Active Directory organizational unit (OU).
Syntax
Revoke-CsOUPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <String> [-Confirm [<SwitchParameter>]] [-Domain <Fqdn>] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-GlobalCatalog <Fqdn>] [-Report <String>] [-WhatIf [<SwitchParameter>]]
Detailed Description
If you have locked down your Active Directory domain (that is, if you have disabled permission inheritance), then the domain preparation that takes place when you install Lync Server 2010 will not be able to add the permissions needed to manage users, computers, contacts, application contacts, and InetOrg persons. (Enterprise administrators and domain administrators will still be able to manage these objects, but no one else, including members of the RTCUniversalServerAdmins group, will have management permissions.) In that case, you will need to use the Grant-CsOUPermission cmdlet to grant the required security groups the required permissions. This must be done on a container-by-container basis for each Active Directory container that includes Lync Server 2010 user accounts.
Permissions granted by using Grant-CsOUPermission can later be removed by using Revoke-CsOUPermission. After you run Revoke-CsOUPermission against an OU, you will need to be an enterprise administrator or a domain administrator in order to manage Lync Server users in that OU.
Who can run this cmdlet: You must be a domain administrator in order to run the Revoke-CsOUPermission cmdlet locally. To return a list of all the role-based access control (RBAC) roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself) run the following command from the Windows PowerShell prompt:
Get-CsAdminRole | Where-Object {$_.Cmdlets -match "Revoke-CsOUPermission"}
Parameters
Parameter | Required | Type | Description |
---|---|---|---|
ObjectType | Required | String | Type of object covered by these permissions. Valid values are: User, Computer, Contact, AppContact, InetOrgPerson. To revoke permissions to multiple object types in the same command, separate the object types by using commas: -ObjectType "user","computer","contact". |
OU | Required | Active Directory distinguished name | Distinguished name of the OU where permissions are to be removed. For example: -OU "ou=Redmond,dc=litwareinc,dc=com". You can only remove permissions from a single OU per command. |
Domain | Optional | String | Name of the domain where the OU is located. If this parameter is not included, Revoke-CsOUPermission will look for the OU in the current domain. |
DomainController | Optional | String | Enables administrators to specify the fully qualified domain name (FQDN) of the domain controller to be used when running Revoke-CsOUPermission. If not specified, the cmdlet will use the first available domain controller. |
GlobalCatalog | Optional | String | Fully qualified domain name of a global catalog server in your domain. This parameter is not required if you are running Revoke-CsOUPermission on a computer with an account in your domain. |
Force | Optional | SwitchParameter | Suppresses the display of any non-fatal error message that might occur when running the command. |
Report | Optional | String | Enables you to specify a file path for the log file created when the cmdlet runs. For example: -Report "C:\Logs\OUPermissions.html" |
WhatIf | Optional | Switch Parameter | Describes what would happen if you executed the command without actually executing the command. |
Confirm | Optional | Switch Parameter | Prompts you for confirmation before executing the command. |
Input Types
None. Revoke-CsOUPermission does not accept pipelined input.
Return Types
Revoke-CsOUPermission does not return any objects or values.
Example
-------------------------- Example 1 ------------------------
Revoke-CsOUPermission -OU "ou=Redmond,dc=litwareinc,dc=com" -ObjectType "user"
The command shown in Example 1 revokes user management permissions (-ObjectType "user") for the Redmond OU in the domain litwareinc.com.
-------------------------- Example 2 ------------------------
Revoke-CsOUPermission -OU "ou=Redmond,dc=litwareinc,dc=com" -ObjectType "user","contact","inetOrgPerson"
In Example 2, three different management permissions (user, contact, and inetOrgPerson objects) are removed from the Redmond OU in the domain litwareinc.com.
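The cmdlet accepts one OU per command and returns no objects, so revoking across several containers needs a loop, a per-OU -Report file, and a separate check that the delegation is gone. The script below is an added example, not part of the original topic: the OU list, the log folder and the 'RTCUniversal' group-name filter are assumptions, and it relies on Test-CsOUPermission and the ActiveDirectory module's AD: drive, which this page does not cover.

```powershell
# Added example (not from the original topic). Run from the Lync Server
# Management Shell as a domain administrator.
param(
    # Constructed sample list; replace with the OUs you delegated earlier.
    [string[]]$OUs = @('ou=Redmond,dc=litwareinc,dc=com',
                       'ou=Dublin,dc=litwareinc,dc=com'),
    [string[]]$ObjectTypes = @('user', 'contact', 'inetOrgPerson'),
    [string]$LogDir = 'C:\Logs',      # assumed to exist
    [switch]$Apply                    # without -Apply the script only previews
)

Import-Module ActiveDirectory         # provides the AD: drive used by Get-Acl

foreach ($ou in $OUs) {
    if (-not $Apply) {
        # Dry run: show what would be removed, change nothing.
        Revoke-CsOUPermission -OU $ou -ObjectType $ObjectTypes -WhatIf
        continue
    }

    # One report per OU so the change record is not overwritten by the next pass.
    $safeName = $ou -replace '[^A-Za-z0-9]', '_'
    $report   = Join-Path $LogDir ("Revoke-{0}.html" -f $safeName)
    Revoke-CsOUPermission -OU $ou -ObjectType $ObjectTypes -Report $report

    # Revoke-CsOUPermission returns nothing, so verify independently.
    # Test-CsOUPermission reports whether the Lync permissions are still set.
    $stillGranted = Test-CsOUPermission -OU $ou -ObjectType $ObjectTypes

    # Cross-check the OU's ACL for explicit (non-inherited) entries that still
    # name an RTCUniversal* group. The name prefix is an assumption based on the
    # RTCUniversalServerAdmins group mentioned in the description above.
    $leftover = @((Get-Acl -Path "AD:\$ou").Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference -like '*\RTCUniversal*'
    })

    New-Object PSObject -Property @{
        OU             = $ou
        Report         = $report
        StillGranted   = $stillGranted
        LeftoverAces   = $leftover.Count
        LeftoverGroups = ($leftover | ForEach-Object { $_.IdentityReference.Value } |
                          Sort-Object -Unique) -join '; '
    }
}
```

A row with StillGranted reporting True or a non-zero LeftoverAces count means the OU still carries delegated Lync permissions and the matching report file should be reviewed.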