When working on larger OCS deployments, you typically don’t get Domain Admin permissions for the actual installation of OCS. It would be nice if you did, but security practices often dictate that a group be created and delegated the appropriate permissions to install and activate the OCS servers. This means a new group has to be created and then given those specific permissions. Thankfully, Microsoft allows for this scenario, and it can be done in a couple of ways. The first is to run setup.exe and use the Delegate Setup and Administration wizard. While this might seem easy enough, in some environments the AD team doesn’t want to run application setups on their Domain Controllers. In that case there is a second option: the LCSCmd.exe tool that comes with OCS.
The LCSCmd.exe utility can be found by default at “C:\Program Files\Common Files\Microsoft Office Communications Server 2007 R2”. The syntax is as follows, and the command must be run by a member of the Domain Administrators group:
LCSCmd.exe /Domain[:<domain FQDN>]
/Action:CreateDelegation /Delegation:SetupAdmin
/TrusteeGroup:<name of the universal group or global group that you will delegate to; it cannot be a domain local group>
/TrusteeDomain:<FQDN of the domain where the trustee group resides>
/ServiceAccount:<RTC service account name>
/ComponentServiceAccount:<RTC component service account name>
/ComputerOU:<DN of the OU or container where the computer objects that will run Office Communications Server reside>
/PoolName:<Name of OCS Pool>
As an example, here is the command using real terms:
LCSCmd.exe /Domain:Domain123.org /Action:CreateDelegation
/Delegation:SetupAdmin
/TrusteeGroup:OCSAdmin /TrusteeDomain:Domain123.org
/ServiceAccount:RTCComponentService
/ComputerOU:"OU=OCS,OU=Servers,DC=Domain123,DC=org" /poolname:OCSPool1
Once this has been completed, any member of the trustee group “OCSAdmin” can install OCS servers and activate them in Active Directory.
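A pre-flight check for the command above, as an added example that is not part of the original post or of OCS: it rejects a domain local trustee group before anything is run and assembles the switches one per array element, so two switches cannot run together. The function names, the groupType value and the angle-bracket account placeholders are assumptions for illustration.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Get-GroupScope {
    param([int]$GroupType)   # value of the group's AD groupType attribute
    # Scope bits in groupType: 0x2 = global, 0x4 = domain local, 0x8 = universal
    if     ($GroupType -band 0x8) { 'Universal' }
    elseif ($GroupType -band 0x4) { 'DomainLocal' }
    elseif ($GroupType -band 0x2) { 'Global' }
    else                          { 'Unknown' }
}

function New-DelegationArgs {
    param([string]$Domain, [string]$TrusteeGroup, [string]$TrusteeDomain,
          [int]$TrusteeGroupType, [string]$ServiceAccount,
          [string]$ComponentServiceAccount, [string]$ComputerOU, [string]$PoolName)
    $scope = Get-GroupScope $TrusteeGroupType
    if ('Universal', 'Global' -notcontains $scope) {
        throw "Trustee group '$TrusteeGroup' is $scope; a universal or global group is required."
    }
    # One element per switch: each is passed to LCSCmd.exe as its own argument
    @("/Domain:$Domain", '/Action:CreateDelegation', '/Delegation:SetupAdmin',
      "/TrusteeGroup:$TrusteeGroup", "/TrusteeDomain:$TrusteeDomain",
      "/ServiceAccount:$ServiceAccount",
      "/ComponentServiceAccount:$ComponentServiceAccount",
      "/ComputerOU:$ComputerOU", "/PoolName:$PoolName")
}

# Constructed sample input. On a domain-joined machine the real groupType can be read with:
#   ([adsisearcher]'(&(objectCategory=group)(sAMAccountName=OCSAdmin))').FindOne().Properties['grouptype'][0]
$params = @{
    Domain                  = 'Domain123.org'
    TrusteeGroup            = 'OCSAdmin'
    TrusteeDomain           = 'Domain123.org'
    TrusteeGroupType        = -2147483646          # constructed: global security group
    ServiceAccount          = '<RTC service account name>'            # placeholder
    ComponentServiceAccount = '<RTC component service account name>'  # placeholder
    ComputerOU              = 'OU=OCS,OU=Servers,DC=Domain123,DC=org'
    PoolName                = 'OCSPool1'
}
$lcscmd = 'C:\Program Files\Common Files\Microsoft Office Communications Server 2007 R2\LCSCmd.exe'
$delegationArgs = New-DelegationArgs @params

# Print the command for review by the Domain Admin who will run it
'"{0}" {1}' -f $lcscmd, ($delegationArgs -join ' ')
# After review, run it with:  & $lcscmd $delegationArgs
```

Changing TrusteeGroupType to -2147483644 (a domain local security group) makes the function throw before any command line is produced.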
For more information about this please see the full documentation located here.