Creating a Custom RBAC Role with the Lync Server Management Shell

Added by Mike Pfeiffer, April 23, 2012

Lync 2010 comes with several pre-defined RBAC roles. The thing is, they’re all globally scoped. For example, if I add your account to the CSUserAdministrator USG in Active Directory, you now have the ability to modify, disable, or move users (to name a few) anywhere in the organization. Let’s take a look at a few ways you can customize this.

User Scopes

First, let’s say that we have a globally dispersed topology, and administrators in the respective regions should only be able to manage the users in the same location. What we would want to do is create a custom role based off of the existing CSUserAdministrator. We would then scope this role to a specific OU, such as the “North America” OU, where the users are located.

The first thing you need to do is come up with a name for your custom RBAC role. In this case, we’ll use NA_Lync_Admins. Next, you’ll need to create a new Active Directory Universal Security Group named NA_Lync_Admins. Finally, fire up the Lync Management Shell and use the New-CSAdminRole cmdlet to create your custom role:

New-CsAdminRole -Identity NA_Lync_Admins -Template CsUserAdministrator -UserScopes "OU:OU=North America,DC=pfeiffer,DC=ms"

Notice that in this example, the distinguished name for the North America OU is used, prefixed with the tag “OU:”. This is the piece that creates a user-based scope connected to that OU. Anyone added to the NA_Lync_Admins group in AD will be able to manage users in that location in AD.
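The steps above as one script, with a check that the role really ended up scoped to the OU. This is an added example, not code from the original post. It assumes the ActiveDirectory module is available in the same session as the Lync Server Management Shell, that the group is created in a hypothetical OU=Groups container, and that scopes convert to the strings Get-CsAdminRole displays.

```powershell
# Added example (not from the original post).
Import-Module ActiveDirectory

$roleName  = 'NA_Lync_Admins'                          # role and group name from the post
$scopeOu   = 'OU=North America,DC=pfeiffer,DC=ms'      # OU from the post
$groupPath = 'OU=Groups,DC=pfeiffer,DC=ms'             # assumption: where the group is created

# 1. The role name must match an existing universal security group.
$group = Get-ADGroup -Filter "SamAccountName -eq '$roleName'"
if (-not $group) {
    $group = New-ADGroup -Name $roleName -SamAccountName $roleName `
        -GroupScope Universal -GroupCategory Security -Path $groupPath -PassThru
}
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$roleName exists but is not a universal security group."
}

# 2. Create the role from the template, scoped to the OU, unless it already exists.
$role = Get-CsAdminRole -Identity $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    New-CsAdminRole -Identity $roleName -Template CsUserAdministrator `
        -UserScopes "OU:$scopeOu" | Out-Null
    $role = Get-CsAdminRole -Identity $roleName
}

# 3. Confirm the scope. A role left at global scope would grant the same
#    organization-wide rights as the built-in CsUserAdministrator.
#    Assumption: each scope converts to the string Get-CsAdminRole displays.
$scopes = ($role.UserScopes | ForEach-Object { "$_" }) -join ';'
if ($scopes -notmatch [regex]::Escape($scopeOu)) {
    Write-Warning "$roleName is not scoped to $scopeOu (UserScopes: $scopes)"
}
$role | Format-List Identity, Template, UserScopes, ConfigScopes

# 4. Review every custom role and who is in its group.
Get-CsAdminRole | Where-Object { -not $_.IsStandardRole } | ForEach-Object {
    [pscustomobject]@{
        Role         = $_.Identity
        UserScopes   = ($_.UserScopes | ForEach-Object { "$_" }) -join ';'
        ConfigScopes = ($_.ConfigScopes | ForEach-Object { "$_" }) -join ';'
        Members      = (Get-ADGroupMember -Identity $_.Identity |
                            ForEach-Object { $_.SamAccountName }) -join ','
    }
}
```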

Server Scopes

Now, in our geographically dispersed deployment, we also need to control modifications to server settings. This is where config scopes come into play. For example, the CSServerAdministrator role provides admins with the ability to modify settings on specific servers. Since we have locations all over the globe, our Lync topology probably has several sites. We can use these site definitions to act as a configuration scope for our custom role.

Just as before, we’ll create a new Active Directory Universal Security Group for each regional group of server administrators. This time, we’ll create one called Phx_Lync_Server_Admins for our site in Phoenix. First, we need to run Get-CSSite to determine the site id:

Next, we can use the New-CSAdminRole cmdlet to create the custom role:

New-CsAdminRole -Identity Phx_Lync_Server_Admins -Template CsServerAdministrator -ConfigScopes site:1

Again, it’s important that the custom role match the name of our group in AD. Also, notice that this time we’ve used the -ConfigScopes parameter to define the site scope. Ensure that, just as above, you’ve used the “site:” tag, followed by the site id for that particular site. Just as before, when an administrator is added to the Phx_Lync_Server_Admins group, he’ll be able to make configuration changes only on servers that are part of that site in the Lync topology.


Mike Pfeiffer – Microsoft MVP
Director of Unified Communications
Interface Technical Training
