I had a requirement to give other administrators the ability to manage the Lync users in their department. Our departments are contained in separate OUs which lends itself to using the Lync RBAC roles.
Role-Based Access Control
For this task I granted CSUserAdministrator rights to an administrator over a specific OU. The CSUserAdministrator role “can enable and disable users for Lync Server, move users and assign existing policies to users. Cannot modify policies.”. Following are the steps I followed to get this setup.
- Create a new Active Directory universal security group. Its possible other groups types will work; I’m just following suit of the existing CSUserAdministrator AD group. I used similar naming by appending the group name to the group name. e.g. CSUserAdministrator_HR
- Run New-CsAdminRole cmdlet to create a new Lync role using the CSUserAdministrator role as a template and also set the scope of the role to that department’s OU.
New-CsAdminRole -Identity CSUserAdministrator_HR -Template CSUserAdministrator -UserScopes “OU:ou=HR,dc=domain,dc=com”
- Populate the AD group with Administrators from that group.