Filters:

  • Technologies

  • Instructors

  • Creating a Custom RBAC Role with the Lync Server Management Shell

    Lync 2010 comes with several pre-defined RBAC roles. The thing is, they're all globally scoped. For example, if I add your account to the CSUserAdministrator USG in Active Directory, you now have the ability to modify, disable, or move users (to name a few) anywhere in the organization. Let's take a look at a few ways you can customize this.

    User Scopes

    First, let's say that we have a globally dispersed topology, and administrators in the respective regions should only be able to manage the users in the same location. What we would want to do is create a custom role based off of the existing CSUserAdministrator. We would then scope this role to a specific OU, such as the "North America" OU, where the users are located.

    The first thing you need to do is come up with a name for your custom RBAC role. In this case, we'll use NA_Lync_Admins. Next, you'll need to create a new Active Directory Universal Security Group named NA_Lync_Admins. Finally, fire up the Lync Management Shell and use the New-CSAdminRole cmdlet to create your custom role:

    You may also like:  Windows 10 Introduction

    New-CsAdminRole -Identity NA_Lync_Admins -Template CsUserAdministrator -UserScopes “OU:OU=North America,DC=pfeiffer,DC=ms"

    Notice that in this example, the distinguished name for the North America OU is used, and prefixed with the tag "OU:". This is the piece that creates a user based scope connected to that OU. Anyone added to the NA_Lync_Admins group in AD will be able to manage users in that location in AD.

    Server Scopes

    Now, in our geographically dispersed deployment, we also need to control modifications to server settings. This is where config scopes come into play. For example, the CSServerAdministrator provides admins with the ability to modify settings on specific servers. Since we have locations all over the globe, our Lync topology probably has several sites. We can use these site definitions to act as a configuration scope for our custom role.

    Just as before, we'll create a new Active Directory Universal Security Group for each regional group of server administrators. This time, we'll create one called Phx_Lync_Server_Admins for our site in Phoenix. First, we need to run Get-CSSite to determine the site id:

    You may also like:  Windows 10 Introduction

    Next, we can use the New-CSAdminRole cmdlet to create the custom role:

    New-CsAdminRole -Identity Phx_Lync_Server_Admins -Template CsServerAdministrator -ConfigScopes site:1

    Again, its important that the custom role match the name of our group in AD. Also, notice that this time we've used the -ConfigScopes parameter to define the site scope. Ensure that, just as above, you've used the "site:" tag, followed by the site id for that particular site. Just as before, when an administrator is added to the Phx_Lync_Server_Admins, he'll be able to make configuration changes on servers that are only part of that site in the Lync topology.

    Enjoy!

    Mike Pfeiffer – Microsoft MVP
    Director of Unified Communications
    Interface Technical Training

    See what people are saying...

    1. eman

      Hi Mike,

       

      I'm so glad I ran into your site. This is exactly what I'm trying to find out how. Question though, what permission do I need to be able to make a new CS admin role. When I run the commands, i get this error

       

      New-CsAdminRole : cannot open database "xds" requested by login. The login failed.

       

      Login failed for user 'domain\admin'

       

      Hope you can help me out with this too. Again thanks so much for sharing Mike. This is really great. Thank you.

       

      Regards,

      Eman

      Just an another this, when you build the lync for the other child domains, do you create new topology? or use the same first topology and then create a new central site. its what i did. It works but i just want to make sure i did it right. Thanks a lot Mike.

    Share your thoughts...

    Please fill out the comment form below to post a reply.