I’d to run an Enterprise Voice Planning Workshop for a customer, and to work out the envisioning document, I would need to use the Virtual Machines that has been lying in my DELL Optiplex 980 for a couple of months – untouched.

Upon booting the images, Windows states that my software may be conterfeit. Well, I’ve never been a fan to activated my lab machines, so I went ahead to extend the evaluation period – How to extend Windows Server 2008 Evaluation Period and launched the Lync Control Panel and an error was shown:

Unauthorized: Access is denied due to a role-based access control (RBAC) authorization failure.

You do not have permission to view this application using the credentials that you provided.

Contact your support team to add your account into appropriate security group(s) for Lync Server Administrators. Wait until the new role assingments take effect, and then try again.

OK, seems that my account had went missing from the neccessary group, however, giving my resolution, let’s understand the Security Groups in Lync Server 2010.

Security groups are created during the process of Forest Preperation during the first installation of Lync Server 2010:

Service Groups: 

  1. RTCHSUniversalServices – Service accounts used to start/run the Front-End Server & allows servers read/write access to Lync Global Settings and Active Directory User Objects
  2. RTCComponentUniversalServices – Service accounts used to run conferencing servers, webservices, Mediation Server, Archiving Server and Monitoring Server
  3. RTCProxyUniversalServices – Service accounts used to run Edge Servers

Administration Groups:

  1. RTCUniversalServerAdmins – Manage server and pool settings
  2. RTCUniversalUserAdmin – Manage user settings and move users from server or pool to another
  3. RTCUniversalReadOnlyAdmins – Only allows read permissions on Server, Pool and user settings

Infrastructure Groups:

  1. RTCUniversalGlobalWriteGroup – Grants write access to global settings objects
  2. RTCUniversalGlobalReadOnlyGroup – Permits read-only access to global settings objects
  3. RTCUniversalUserReadOnlyGroup – Permits read-only access to User settings
  4. RTCUniversalServerReadOnlyGroup – Permits read-only access to individual settings of a Lync Server, however, it does not have access to pool level settings

RBAC Group:

  1. CSAdministrator – Highest level of Lync Server administration account that allows administrative tasks, modify  settings, creating and assign user roles, adding new site, pools and services
  2. CSArchiving Administrator – Modify archiving configuration and policies
  3. CSBranchOfficeTechnician – Manage Survival Branch Appliance*
  4. CSHelpDesk – Read-only rights on user properties & policies
  5. CSLocationAdministrator – Lowest level of rights for Enhanced 9-1-1 (E9-1-1) management, including creating E9-1-1 locations and network identifiers, and associating these with each other
  6. CSResponseGroupAdministrator – Manage configuration for Response Group application within a specific site
  7. CSRoleAdministrator – Manage & assign roles to users*
  8. CSServerAdministrator – Manage, monitor, and troubleshoot servers and services. Has rights to prevent new connections to servers, stop and start services, and apply software updates
  9. CSUserAdministrator – Enable, Disable, and move (between servers/pools) and assign existing policies to users
  10. CSViewOnlyAdministrator – Read-only access of configuration at server, pool, and user information
  11. CSVoiceAdministrator – Create, configure, and manage voice-related settings and policies

*Required further research

For a ‘hygiene’ configuration, I’ve put my default Administrator account under the CSAdministrator role as is best not to intefere with any of the Administrative Groups, Infrastructure Groups or even Service Groups.

So I closed the Lync Control Panel ‘browser’, relaunch, type in the appropriate username and password – Walla! Lync Control Panel is back ‘online’ to my view 🙂