Cannot grant AccessRights for RTCUniversalServerAdmins/RTCComponentUniversalServices of SfB to read Exchange UM AD objects using ExchUCUtil.ps1

Scenario

Per Microsoft guide you try to integrate Exchange Server (2013/2016) with Skype for Business (or Lync Server 2013) for UM. You run ExchUCUtil.ps1 integration script with required permissions (Exchange Organization administrator, Exchange Recipient administrator)

C:\Program Files\Microsoft\Exchange Server\V15\Scripts> .\ExchUCUtil.ps1

at the end you get something like:

Grants Skype for Business Server 2015 permission to read Exchange UM Active Directory Domain Services objects

Configuring UM IP Gateway objects...

Pool: pool.domain.com

A UMIPGateway already exists in Active Directory for the Lync Server pool. A new UM IP gateway wasn't created for the po

ol.

IsBranchRegistrar: False

MessageWaitingIndicatorAllowed: True

OutcallsAllowed: True

WARNING: The command completed successfully but no settings of 'pool' have been modified.

Dial plans: Contoso Dial Plan

Permissions for group domain.com\RTCUniversalServerAdmins

ObjectName                              AccessRights                            Configured

----------                              ------------                            ----------

First Organization                      ListChildren                            True

UM DialPlan Container                   ListChildren, ReadProperty              True

UM AutoAttendant Container              ListChildren, ReadProperty              True

Administrative Groups                   ListChildren, ReadProperty              False

Permissions for group domain.com\RTCComponentUniversalServices

ObjectName                              AccessRights                            Configured

----------                              ------------                            ----------

First Organization                      ListChildren                            True

UM DialPlan Container                   ListChildren, ReadProperty              True

UM AutoAttendant Container              ListChildren, ReadProperty              True

Administrative Groups                   ListChildren, ReadProperty              False

PoolFqdn                                UMIPGateway                             DialPlans

--------                                -----------                             ---------

pool.domain.com                         pool                                    {Contoso Dial Plan}

You may notice that some ObjectNames have "Configured" status as "False".

The following event could be logged (Applications and Service Logs - "MSExchange Management") after running this script:

Log Name:      MSExchange Management

Source:        MSExchange CmdletLogs

Date:          10/03/2017 10:38:07

Event ID:      6

Task Category: (1)

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      computer1.domain.com

The following information was included with the event:

Add-ADPermission -InheritanceType "All" -AccessRights ("ListChildren, ReadProperty") -Identity "Administrative Groups" -Debug "True" -User "domain.com\RTCUniversalServerAdmins" -ErrorVariable "ErrorList"

domain.com/UMAdmin

Local-ConsoleHost-Unknown

12164 powershell.exe

00:00:53.5386187

View Entire Forest: 'True',

Microsoft.Exchange.Configuration.Tasks.ManagementObjectAmbiguousException: There are multiple objects matching the identity "Administrative Groups". Please specify a unique value.

The same error occurs if to run script commands manually (obviously):

Add-ADPermission -InheritanceType "All" -AccessRights ("ListChildren, ReadProperty") -Identity "Administrative Groups" -User "domain.com\RTCUniversalServerAdmins"  

Add-ADPermission -InheritanceType "All" -AccessRights ("ListChildren, ReadProperty") -Identity "Administrative Groups" -User "domain.com\RTCComponentUniversalServices"  

Cause

In my case my domain.com forest had custom Organization Unit (OU) named like "Administrative Groups" and created manually by accident.  As you probably know "Administrative Groups" AD container with the same exact name is used for Exchange AD objects by Microsoft design. I guess the same issue occurs if you have custom OU named like: "First Organization", "UM DialPlan Container", "UM AutoAttendant Container". Don't name custom OUs with "system container" names and you'd never get this issue.

Solution

Just rename custom OU "Administrative Groups" to something else (ex. "Admin Groups") and run ExchUCUtil.ps1 script again.

How to determine where this custom OU (with the same name as system container) is located?

Get-ADPermission -Identity "Administrative Groups" | Select-Object Identity | Sort-Object Identity | Get-Unique -AsString

I my case I got something like:

Identity
--------
Administrative Groups
contoso.com/HelpDesk Groups/Administrative groups

where "contoso.com/HelpDesk Groups/Administrative groups" is a path to the custom OU which creates Exchange UM integration issues.

References

• Deployment process overview for integrating on-premises Unified Messaging and Skype for Business
• Configure Unified Messaging on Microsoft Exchange for Lync Server 2013