Create RBAC Role for Account Administrators

I had a requirement to give other administrators the ability to manage the Lync users in their department. Our departments are contained in separate OUs, which lends itself to using the Lync RBAC roles.

Role-Based Access Control

For this task I granted CSUserAdministrator rights to an administrator over a specific OU. The CSUserAdministrator role “can enable and disable users for Lync Server, move users and assign existing policies to users. Cannot modify policies.” Following are the steps I followed to get this set up.

  • Create a new Active Directory universal security group. It’s possible other group types will work; I’m just following suit of the existing CSUserAdministrator AD group. I used similar naming by appending the group name to the group name, e.g. CSUserAdministrator_HR
  • Run New-CsAdminRole cmdlet to create a new Lync role using the CSUserAdministrator role as a template and also set the scope of the role to that department’s OU.

New-CsAdminRole -Identity CSUserAdministrator_HR -Template CSUserAdministrator -UserScopes "OU:ou=HR,dc=domain,dc=com"

  • Populate the AD group with Administrators from that group.
  • Complete.
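
The steps above as a single script, with a check that the new role really is limited to the one OU before anyone is added to the group. This is an added example, not part of the original post; the group location `OU=Groups,DC=domain,DC=com` and the accounts `hradmin1` and `hradmin2` are placeholders.

```powershell
# Added example. Assumes the ActiveDirectory and Lync modules are installed and
# the caller may create groups and Lync admin roles.
Import-Module ActiveDirectory
Import-Module Lync

$RoleName  = 'CSUserAdministrator_HR'        # AD group and Lync role share this name
$GroupPath = 'OU=Groups,DC=domain,DC=com'    # placeholder: where the group is created
$UserScope = 'OU:ou=HR,dc=domain,dc=com'     # scope used in the post
$Admins    = @('hradmin1', 'hradmin2')       # constructed sample accounts

# Step 1: universal security group, created only if it does not exist yet.
# New-CsAdminRole expects a group whose SamAccountName matches the role Identity.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$RoleName'")) {
    New-ADGroup -Name $RoleName -SamAccountName $RoleName `
        -GroupScope Universal -GroupCategory Security -Path $GroupPath
}

# Step 2: role based on the CSUserAdministrator template, scoped to the HR OU.
if (-not (Get-CsAdminRole | Where-Object { $_.Identity -eq $RoleName })) {
    New-CsAdminRole -Identity $RoleName -Template CSUserAdministrator `
        -UserScopes $UserScope
}

# Check: stop if the role is a built-in one or its user scope is anything
# other than the single OU intended (for example "global").
$role   = Get-CsAdminRole -Identity $RoleName
$scopes = @($role.UserScopes | ForEach-Object { [string]$_ })
if ($role.IsStandardRole -or $scopes.Count -ne 1 -or $scopes[0] -ne $UserScope) {
    throw "Role $RoleName has unexpected user scope: $($scopes -join ', ')"
}

# Step 3: populate the group only after the scope check has passed.
Add-ADGroupMember -Identity $RoleName -Members $Admins

# Record who now holds the delegated rights.
Get-ADGroupMember -Identity $RoleName | Select-Object SamAccountName, objectClass
```

Rerunning the last command periodically gives a simple membership review for each delegated role.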
