A Lync Administrator Access Refresher

Much of what is in this post is already documented in various places, but I have had to search for it enough times to warrant a concise reference. Specifically this post summarizes:

  1. What Built-In Lync Administrator Roles Exist?
  2. How do I Determine who has Lync Administrator Access?
  3. How do I Remove or Add a Lync Administrator?
  4. What Active Directory rights are required to Install Lync?
  5. What’s New in Lync Server 2013 for Role-Based Access?

What Built-In Lync Administrator Roles Exist?

Lync Server 2010 introduced role-based access control (aka RBAC) – meaning there are several Administrator roles that each have a specific set of functionality that any AD user assigned to that role is allowed to perform. In the Lync world, this specific set of functionality boils down to allowing only a specific set of Lync cmdlets that can be run for members of that Lync role. The membership of Lync Administrator Roles (aka Lync RBAC roles) is controlled through membership in the associated underlying AD security group.

The Microsoft TechNet article Planning for Role-Based Access Control summarizes the various predefined Administrator groups that ship with Lync Server. In my experience, these are the 5 most commonly used Lync RBAC roles:

Role Capability Associated AD Security Group
CsAdministrator All Lync administrative tasks including creating roles and assigning users to roles. Can make changed to the Topology. CS Administrators
CsUserAdministrator Can enable and disable users for Lync Server, move users and assign existing policies to users. Cannot modify policies. CS User Administrators
CsServerAdministrator Can manage, monitor, and troubleshoot servers and services. Can stop and start services, and apply software updates. Cannot make global configuration changes. CS Server Administrators
CsViewOnlyAdministrator Can view the deployment, including user and server information, in order to monitor deployment health. CS View-Only Administrators
CsHelpDesk Can view the deployment, including user’s properties and policies. Can run specific troubleshooting tasks. Cannot change user properties or policies. CS HelpDesk

Some immediate questions come to mind such as:

1] How do I know what Cmdlets a Member of a Specific Lync RBAC role can run?

Get-CsAdminRole -Identity “CsVoiceAdministrator” | Select-Object -ExpandProperty Cmdlets

2] How do I know what Lync RBAC roles can run a Specific Cmdlet?

For example, what Lync RBAC roles can run the Set-CsUser cmdlet?

Get-CsAdminRole | Where-Object {$_.Cmdlets -match “Set-CsUser”} |  Select-Object Identity

How do I Determine who has Lync Administrator Access?

A common Lync Administrator task is to get a quick report of who currently has Lync Administrator access.

Unfortunately there is no single Lync PowerShell cmdlet that can do that. We can use the Get-CsAdminRoleAssignement “domaincsuser \user” cmdlet to see what Lync administrator RBAC roles a particular user is a member of, but we cannot easily get a report of all the users that have been assigned a Lync Administrator role.

Instead we will need a small script which enumerates the membership of each Lync Admin role. Full credit for this script goes to CSPShell team at the Lync PowerShell blog.  It is included below with some small formatting changes. The script uses the Get-CsAdminRole to return the Lync Administrator roles and then loops through each Lync Administrator role to report who is a member of the corresponding AD security group.

To use this script, follow these steps:

  1. Cut-and-paste the script into a PowerShell .ps1 file (e.g. LyncAdminAccess.ps1).
  2. Set the PowerShell execution policy to UnRestricted (i.e. Set-ExecutionPolicy Unrestricted) if you copied the script from somewhere instead of created it on the spot. Warning – you are granting the ability for any script to be run in this PowerShell session – so close it when you are done with this script.
  3. Run the script (e.g. .\LyncAdminAccess.ps1)

$rbacGroups = Get-CsAdminRole | Select-Object Identity

Write-Host

foreach ($group in $rbacGroups)
{
$strFilter = “(&(objectCategory=Group)(SamAccountName=” + $group.Identity +”))”
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = “Subtree”

$colProplist = “distinguishedName”

foreach ($i in $colPropList)
{[void] $objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
{$groupDN = $objResult.Path}

$group = [ADSI] $groupDN
$group.Name

foreach ($i in $group.member)
{
$user = [ADSI] “LDAP://$i”
Write-Host “  “ $user.displayName
}

Write-Host

}

Here is a sample output from the script:

> PS C:\Users\user1> .\LyncAdminAccess.ps1

CSAdministrator
svc-Administrator
Bob Smith
Ken Myers

CSVoiceAdministrator

CSUserAdministrator

CSResponseGroupAdministrator

CSLocationAdministrator

CSArchivingAdministrator

CSViewOnlyAdministrator
Lync Support

CSServerAdministrator
svc-LyncServerAdmins

CSHelpDesk
Boston Regional-svc
Toronto Regional-svc

How do I Remove or Add a Lync Administrator?

To add a user to a Lync Administrator RBAC role you simply make that user a member of the security group associated with the RBAC role using your favorite Active Directory tool such as Active Directory Users and Computers. There are no Lync server cmdlets to assign a user to a security group, however you can refer to this article if you need to programmatically do it through PowerShell: Lync Server Admin Guide: Delegating Control of Microsoft Lync Server 2010.

You can remove an RBAC role from a particular user, remove them from the AD security group associated with the Lync RBAC role.

What Active Directory rights are required to Install Lync?

The AD account that installs Lync generally requires the following rights in AD:

  • A member of Schema Admins to Prep Active Directory for Lync.
  • A member of Enterprise Admins to install the first Lync server.  After that you can use the normal Domain Admins.
  • A member of the Lync CsAdministrator RBAC role (i.e. a member of the AD CS Administrators group).
  • A member of the RTCUniversalServersAdmins AD group.
  • To enable the Topology (run Enable-CsTopology) the account needs to either be a member of the Domain Admins group for the AD domain, or you can setup Delegate Permissions (as explained here: http://technet.microsoft.com/en-us/library/gg412735.aspx).

What’s New in Lync Server 2013 for Role-Based Access?

Lync Server 2013 has the ability to create a custom RBAC group by using an existing predefined Lync RBAC group as a template. This is useful if a predefined RBAC role meets most of your needs, but is missing the ability to run one or two cmdlet’s.

In a nutshell you use the New-CsAdminRole cmdlet with the new -Template parameter which accepts the existing predefined RBAC role that you are using as a template, and the –Cmdlets parameter to specify the cmdlets that will be available to users who are members of the new RBAC role.

Note: you must create the underlying AD security group before you use the New-CsAdminRole cmdlet to create the new Lync RBAC role.

You can also use the UserScopes parameter of the New-CsADminRole cmdlet to limit the Administrative access to only users in a particular AD Organizational Unit, or the the ConfigScopes parameter to limit the Administrative access to only Lync users in a particular Lync site.

See the TechNet documentation for the New-CsAdminRole for all the parameters.

Be Sociable, Share!

You must be logged in to post a comment.