Here are some field notes from a recent Lync 2010 issue.
The Lync administrator encountered this this error: “Insufficient access rights to perform the operation” when trying to open the Lync Server 2010 Control Panel.
It is a fairly known issue and relates to the AdminSDHolder Elevation Issue as we known on Exchange 2010, see blog post: Exchange 2010 and Resolution of the AdminSDHolder Elevation Issue.
The Lync administrator tried to update the phone attribute of the Lync user and receive the following error:
Active Directory operations failed on "lyncfe.server.local". You cannot retry this operation: "Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
The resolution is to open the user account using Active Directory Users and Computers.
Remember to turn on Advanced Features in AD Users and Computers.
Locate the user and select the security tab, click advanced and select "Include Inheritable Permissions from this object's parent" on the user object:
Now you should be able to change the Lync settings for this user.