Quickie: Lync Server 2010 has the same problem Exchange does
When I wanted to enable AD users in Lync Server 2010 who were members of Domain Administrators and Enterprise Administrators, I received this error:
Active Directory operations failed on “DC_server”. You cannot retry this operation: “Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0”
It’s the same problem Exchange has. Accounts that are members of those two groups cannot be enabled, because AD periodically clears the "Include inheritable permissions from this object’s parent" option on all accounts in these groups and sets explicit permissions on them. If you want to add members of those administrative groups to Lync, you can check the "Include inheritable permissions from this object’s parent" checkbox, enable the user in Lync, and uncheck the checkbox again after you are done.
Exchange fixed this issue after a couple of years, in Exchange 2010 SP3. Hopefully we will get a fix for Lync Server as well.
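The same check / enable / uncheck sequence can be scripted so that inheritance is always switched back off, even when enabling the user fails. This is an added example, not part of the original post; it assumes the ActiveDirectory and Lync PowerShell modules are available, and the account name and registrar pool are placeholders you supply.

```powershell
# Added example: temporarily enable ACL inheritance on a protected account,
# enable it for Lync, then restore the protected state.
param(
    [Parameter(Mandatory=$true)] [string] $SamAccountName,  # placeholder: the admin account
    [Parameter(Mandatory=$true)] [string] $RegistrarPool    # placeholder: your Lync pool FQDN
)

Import-Module ActiveDirectory   # Get-ADUser and the AD: drive
Import-Module Lync              # Enable-CsUser

$user = Get-ADUser -Identity $SamAccountName
$path = "AD:\$($user.DistinguishedName)"

# AreAccessRulesProtected = $true means the inheritance checkbox is cleared.
$acl = Get-Acl -Path $path
$wasProtected = $acl.AreAccessRulesProtected

if ($wasProtected) {
    # Equivalent of ticking "Include inheritable permissions from this object's parent".
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

try {
    Enable-CsUser -Identity $user.UserPrincipalName `
                  -RegistrarPool $RegistrarPool `
                  -SipAddressType UserPrincipalName `
                  -ErrorAction Stop
}
finally {
    if ($wasProtected) {
        # Equivalent of unticking the checkbox and removing the inherited entries,
        # so the privileged account does not stay open to delegated permissions.
        $acl = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($true, $false)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Accounts that already had inheritance enabled are left untouched, so the script only reverts what it changed.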

More info on why this is so and what happens inside AD: http://technet.microsoft.com/sk-sk/magazine/2009.09.sdadminholder(en-us).aspx
Thanks, Runco 🙂