Creating a Custom RBAC Role with the Lync Server Management Shell

Home > Blogs > Exchange Server > Creating a Custom RBAC Role with the Lync Server Management Shell

Creating a Custom RBAC Role with the Lync Server Management Shell

Like This Blog 1 Mike Pfeiffer
Added by April 23, 2012

Lync 2010 comes with several pre-defined RBAC roles. The thing is, they’re all globally scoped. For example, if I add your account to the CSUserAdministrator USG in Active Directory, you now have the ability to modify, disable, or move users (to name a few) anywhere in the organization. Let’s take a look at a few ways you can customize this.

User Scopes

First, let’s say that we have a globally dispersed topology, and administrators in the respective regions should only be able to manage the users in the same location. What we would want to do is create a custom role based off of the existing CSUserAdministrator. We would then scope this role to a specific OU, such as the “North America” OU, where the users are located.

The first thing you need to do is come up with a name for your custom RBAC role. In this case, we’ll use NA_Lync_Admins. Next, you’ll need to create a new Active Directory Universal Security Group named NA_Lync_Admins. Finally, fire up the Lync Management Shell and use the New-CSAdminRole cmdlet to create your custom role:

New-CsAdminRole -Identity NA_Lync_Admins -Template CsUserAdministrator -UserScopes “OU:OU=North America,DC=pfeiffer,DC=ms”

Notice that in this example, the distinguished name for the North America OU is used, and prefixed with the tag “OU:”. This is the piece that creates a user based scope connected to that OU. Anyone added to the NA_Lync_Admins group in AD will be able to manage users in that location in AD.

Server Scopes

Now, in our geographically dispersed deployment, we also need to control modifications to server settings. This is where config scopes come into play. For example, the CSServerAdministrator provides admins with the ability to modify settings on specific servers. Since we have locations all over the globe, our Lync topology probably has several sites. We can use these site definitions to act as a configuration scope for our custom role.

Just as before, we’ll create a new Active Directory Universal Security Group for each regional group of server administrators. This time, we’ll create one called Phx_Lync_Server_Admins for our site in Phoenix. First, we need to run Get-CSSite to determine the site id:

Next, we can use the New-CSAdminRole cmdlet to create the custom role:

New-CsAdminRole -Identity Phx_Lync_Server_Admins -Template CsServerAdministrator -ConfigScopes site:1

Again, its important that the custom role match the name of our group in AD. Also, notice that this time we’ve used the -ConfigScopes parameter to define the site scope. Ensure that, just as above, you’ve used the “site:” tag, followed by the site id for that particular site. Just as before, when an administrator is added to the Phx_Lync_Server_Admins, he’ll be able to make configuration changes on servers that are only part of that site in the Lync topology.


Mike Pfeiffer – Microsoft MVP
Director of Unified Communications
Interface Technical Training

Videos You May Like

A Simple Introduction to Cisco CML2

0 3794 0

Mark Jacob, Cisco Instructor, presents an introduction to Cisco Modeling Labs 2.0 or CML2.0, an upgrade to Cisco’s VIRL Personal Edition. Mark demonstrates Terminal Emulator access to console, as well as console access from within the CML2.0 product. Hello, I’m Mark Jacob, a Cisco Instructor and Network Instructor at Interface Technical Training. I’ve been using … Continue reading A Simple Introduction to Cisco CML2

Configuring Windows Mobility Center and How to Turn it On and Off

1 1434 1

Video transcription Steve Fullmer: In our Windows training courses, we often share information about the Windows 8.1 Mobility Center. Mobility Center was introduced for mobile and laptop devices in Windows 7. It’s present and somewhat enhanced in Windows 8. Since we don’t have mobile devices in our classrooms, I decided to take a little bit … Continue reading Configuring Windows Mobility Center and How to Turn it On and Off

How to create a Cisco IOS Banner – Login and MOTD Message of the Day

0 4289 4

In this video, Cisco CCNA instructor Mark Jacob shows how to create a Login and Message of the Day (MOTD) banners in Cisco IOS. The Banner is an interesting feature of the Cisco IOS. You could probably get by without it, but in a commercial environment you want to have it.

Write a Comment

See what people are saying...

    Share your thoughts...

    Please fill out the comment form below to post a reply.