You’re likely here because you’re trying to enable a user but are receiving the dreaded error: “Active Directory operation failed on [servername]. You cannot retry this operation: ‘Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0’.”
Nooooo problem, you’ve seen this before. The user must be a member of a privileged group like Domain Admins, something that would block inheritance. Only in this case, they’re not. Did you check inheritance on the Security tab of the user account? That’s enabled already. Are you a member of the CSAdministrator or CSUserAdministrator group? Yes?
If all of the above is true, it’s likely you’re dealing with a locked-down Active Directory. Check the user’s OU and every OU above it to determine whether security inheritance has been disabled at the OU level. If inheritance is disabled, there’s either a very good reason for it, or you’ve been visited by an overzealous domain admin.
Option 1, for those with an overzealous admin: enable inheritance on the OU and wait for it to replicate. Once the change has propagated, you should be able to enable users from the Control Panel once again.
Option 2, for those whose security policies dictate that inheritance stays disabled: the answer is Grant-CsOUPermission. This cmdlet grants the required rights directly on individual containers in Active Directory, removing the need to enable inheritance.
Grant-CsOUPermission -OU "ou=rockstars,dc=skypeadmin,dc=com" -ObjectType "user"
There are a few different ObjectType values available; user will be the most common one you’d use, but be aware there are others such as Contact and Device (which would be used for common area phones).
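The OU walk described above, as an added example that is not part of the original post: starting from the user’s container, it climbs to the domain root and reports every OU whose security inheritance is blocked, then optionally applies Grant-CsOUPermission to just those OUs (Option 2). It assumes the ActiveDirectory RSAT module (for the AD: drive) and, for the -Fix switch, a Lync/Skype for Business management shell run with Domain Admin rights; the user name 'jdoe' is a placeholder.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (AD: drive)
# and, when -Fix is used, the Lync Server management shell (Grant-CsOUPermission).
Import-Module ActiveDirectory

function Get-BlockedInheritanceOU {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [ValidateSet('user', 'contact', 'device')][string]$ObjectType = 'user',
        [switch]$Fix   # when set, grant Lync permissions on each blocked OU
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName

    # Drop the leading RDN (CN=jdoe) to get the parent container. The regex splits on
    # the first comma that is not escaped with a backslash, so "CN=Doe\, John" survives.
    $dn = ($user.DistinguishedName -split '(?<!\\),', 2)[1]

    # Climb OU/CN containers until only the DC= components (domain root) remain.
    while ($dn -match '^(OU|CN)=') {
        $acl = Get-Acl -Path "AD:\$dn"
        $blocked = $acl.AreAccessRulesProtected   # $true when inheritance is disabled

        [pscustomobject]@{
            DistinguishedName  = $dn
            InheritanceBlocked = $blocked
        }

        if ($blocked -and $Fix) {
            # Same call as in the post, applied only where inheritance is actually blocked.
            Grant-CsOUPermission -OU $dn -ObjectType $ObjectType
        }

        $dn = ($dn -split '(?<!\\),', 2)[1]   # move one level up
    }
}

# Report first; re-run with -Fix once you have confirmed the list is what you expect.
Get-BlockedInheritanceOU -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Run without -Fix first: the report alone tells you whether you are in the Option 1 or Option 2 situation before any permissions are changed.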
More detail can be found in the Microsoft article Preparing Active Directory Domain Services for Lync Server 2013: https://technet.microsoft.com/en-us/library/gg398492.aspx