Issue: You need to enable permission inheritance on other Domain
Admins AD user accounts (or a specific group of accounts) while
administering users in the Lync (or Skype for Business) Control Panel.
Background: Enabling inheritance on AD accounts typically
required one to check the "include inheritable permissions…"
checkbox on the 'Security Tab > Advanced' screen in ADUC on every user
account one at a time.
Solution using Powershell:
1) Open a PowerShell
prompt (Run as administrator) on a Domain Controller. Then perform the
following PowerShell commands:
Import-Module
ActiveDirectory
$users = Get-ADUser -ldapfilter "(objectclass=user)"
-searchbase "ou=users,dc=company,dc=com"
ForEach ($user in
$users)
{
# Binding the users to DS
$ou = [ADSI]("LDAP://" + $user)
$sec = $ou.psbase.objectSecurity
if ($sec.get_AreAccessRulesProtected())
{
$isProtected = $false ## allows
inheritance
$preserveInheritance = $true ##
preserver inhreited rules
$sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
$ou.psbase.commitchanges()
Write-Host "$user is now
inherting permissions";
}
else
{
Write-Host "$User Inheritable
Permission already set"
}
}
REFERENCE: http://enterpriseit.co/microsoft-active-directory/enable-inheritance-ad-user-accounts/