Custom Lync Admin Roles

Out of the box, Lync comes pre-shipped with 11 admin roles.  They come in the form of Universal Security Groups and can be found in the Users container.

These groups are similar to the built-in groups that come with installing Active Directory; that is, each group comes with a pre-defined set of abilities.  Simply add your account to one of these groups and you will get the cmdlets assigned to it.  If you don’t have access to ADUC, you could run the following command, which gives you a list of all the Admin Roles in your current environment.

Hitting Enter will show you the full list of Admin Roles in your environment.  Pay special attention to the “IsStandardRole” value.  If the value is True, then the Admin Role is one of the 11 that came with Lync.  If the value is False, that means an administrator created a new role for your organization (we’ll get to these in a moment).
If you are curious which cmdlets the CSHelpDesk role has by default, you can find out by opening the Lync Management Shell and typing the command below (note the same can be done for all the groups above).
Once you hit enter you will see a list of all cmdlets the group is allowed to run.  I find it easier to pipe them out to a text file.
So now we have seen the 11 default Admin Roles, but what if you want to get more specific?  It’s actually pretty easy.  The 11 default admin roles can be used as templates.  Basically, we’re going to start out by copying one of the 11 default roles to a different security group.
To create a new Admin Role, you will need to create a new Universal Security Group in Active Directory and be a member of the rtcuniversalserveradmins group.  With an account in rtcuniversalserveradmins, launch the Lync Management Shell.
Assuming there is a Universal Security Group called Lync HelpDesk, the command will complete.  Essentially, at this point the CSHelpDesk and Lync HelpDesk roles are exactly the same.  So now let’s get more specific.  If you run the following command, the group will only be allowed to manage site 2 and site 3, and even then only users in a specific OU and its sub-OUs.
By executing this command you will define a group that can manage users on site 2 and site 3 and those in the Users OU and its sub-OUs.  We could have just run the command below, but we wanted to show how to add scope to an existing group.
So let’s say you want to see what cmdlets a given admin role has… easy:

Get-CsAdminRole -Identity "Lync Admins" | Select -ExpandProperty cmdlets

What about where the AdminRole has rights to perform actions against?

Also easy…

Get-CsAdminRole -Identity "Lync Admins" | select -ExpandProperty configscopes

Get-CsAdminRole -Identity "Lync Admins" | select -ExpandProperty userscopes

What about adding cmdlets to the role?

Simply run this:

Set-CsAdminRole -Identity "Lync Admins" -Cmdlets @{Add="Remove-CsConferencingPolicy"}

Now that admin role can remove conferencing policies.
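
A least-privilege review of the roles discussed above, as an added example that is not from the original post: for each custom role it reports whether its scopes are still Global and which cmdlets it carries beyond its template. The `TemplateName` property, the scope string formats and the sample role data are assumptions constructed for illustration; it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
function Get-CmdletNames($Role) {
    # Lync prints role cmdlet entries as "Name=Get-CsUser"; accept strings or objects.
    if (-not $Role) { return }
    $Role.Cmdlets | Where-Object { $_ } | ForEach-Object {
        if ($_ -is [string]) { $_ -replace '^Name=', '' } else { $_.Name }
    }
}

function Test-CsAdminRoleDrift {
    # Pass ALL roles (standard and custom) so each template can be looked up.
    param([Parameter(Mandatory = $true)] [object[]] $Roles)
    $byName = @{}
    foreach ($r in $Roles) { $byName["$($r.Identity)"] = $r }
    foreach ($r in ($Roles | Where-Object { -not $_.IsStandardRole })) {
        # Cmdlets on the custom role that its template lacks were added afterwards.
        $template = $byName["$($r.TemplateName)"]   # TemplateName: assumed property
        $base  = @(Get-CmdletNames $template)
        $added = @(Get-CmdletNames $r | Where-Object { $base -notcontains $_ })
        [pscustomobject]@{
            Role           = "$($r.Identity)"
            Template       = "$($r.TemplateName)"
            GlobalConfig   = @($r.ConfigScopes | ForEach-Object { "$_" }) -contains 'Global'
            GlobalUsers    = @($r.UserScopes   | ForEach-Object { "$_" }) -contains 'Global'
            AddedCmdlets   = $added
            # Anything that is not a read-only verb changes or deletes configuration.
            AddedWriteCmds = @($added | Where-Object { $_ -notmatch '^(Get|Test)-' })
        }
    }
}

# Constructed sample data shaped like Get-CsAdminRole output; on a Lync server use:
#   Test-CsAdminRoleDrift -Roles (Get-CsAdminRole)
$sample = @(
    [pscustomobject]@{ Identity = 'CsHelpDesk'; IsStandardRole = $true; TemplateName = 'CsHelpDesk'
        Cmdlets = 'Name=Get-CsUser', 'Name=Get-CsClientPolicy'
        ConfigScopes = 'Global'; UserScopes = 'Global' }
    [pscustomobject]@{ Identity = 'Lync HelpDesk'; IsStandardRole = $false; TemplateName = 'CsHelpDesk'
        Cmdlets = 'Name=Get-CsUser', 'Name=Get-CsClientPolicy', 'Name=Remove-CsConferencingPolicy'
        ConfigScopes = 'Site:2', 'Site:3'; UserScopes = 'OU:ou=Users,dc=example,dc=com' }
)
Test-CsAdminRoleDrift -Roles $sample | Format-List
```

A custom role that still shows a Global scope, or that lists entries under AddedWriteCmds, is the one to check against the change record that justified it.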
