Getting Lync PowerShell to use RBAC


You may find that some things work in the Lync GUI but fail in PowerShell with "Access Denied". The reason is that RBAC only applies to remote PowerShell; local PowerShell uses the AD permissions, not RBAC.

To resolve this, log in to PowerShell with the following script (copy the contents to a file and name it Connect-Lync.ps1):

# Prompt for the credentials of the account whose RBAC roles should apply
$usercredential = Get-Credential
# Skip the CA, CN and revocation checks so a self-signed certificate is accepted
$pso = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
# Open a remote session to the local Lync Server PowerShell endpoint (RBAC is enforced here)
$session = New-PSSession -ConnectionUri https://localhost/ocspowershell -Credential $usercredential -SessionOption $pso
# Import the remote cmdlets into the current shell
Import-PSSession $session

Notes:
1. This script skips certificate validation (CA, CN and revocation checks), so it will work if you're using a self-signed cert.
2. You may need to change the execution policy to run this unsigned script in PowerShell: Set-ExecutionPolicy RemoteSigned

References:

http://technet.microsoft.com/en-us/library/gg399050.aspx
“Note that RBAC applies only to remote management. If you are logged on to a computer running Lync Server 2010 and you open Lync Server Management Shell, RBAC roles will not be enforced. Instead, security is enforced primarily through the security groups RTCUniversalServerAdmins; RTCUniversalUserAdmins; and RTCUniversalReadOnlyAdmins.”


Troubleshooting RBAC


(or determining RBAC Permissions)

  • Get-ManagementScope – displays the defined scopes, or the details of an individual scope.
  • Get-ManagementRole – lists management roles; useful parameters:
    • -GetChildren – enumerate the roles that are immediate children of the given role
    • -Recurse – enumerate the child roles and the children of those roles
    • -Cmdlet – enumerate the roles that include this specific cmdlet
    • -CmdletParameters – enumerate the roles that include this specific parameter
    • -RoleType – enumerate the roles of a given type
  • Get-ManagementRoleEntry – shows all the role entries in a management role (ex: Get-ManagementRoleEntry "Recipient Policies\*")
  • Get-RoleGroup – shows all the role groups, or if you specify one with -Id gives you details on that group
  • Get-RoleGroupMember – shows all the group's members (ex: Get-RoleGroupMember "Organization Management")
  • Get-RoleAssignmentPolicy – shows the role assignment policies
  • Get-ManagementRoleAssignment – shows which roles are assigned to which assignees, and with what scope
    • http://technet.microsoft.com/en-us/library/dd351024.aspx
    • Examples:
      • Get-ManagementRoleAssignment -Role "Organization Configuration" -GetEffectiveUsers -Delegating $false | FL Name, RoleAssigneeName, EffectiveUserName, AssignmentChain (shows the users and groups that have Org Config RBAC permissions)
      • Get-ManagementRoleAssignment -WritableRecipient administrator -GetEffectiveUsers (shows the users that can make changes to administrator)

Note: As with all PowerShell commands, you can use help <cmdlet> -Examples to get more info (ex: help Get-ManagementRoleAssignment -Examples)


RBAC YAY!!!


OK, not yay ….. it's all good until you have to go outside of the built-in groups 😉
In case you don't know, "Role Based Access Control" is the new permission model for Exchange 2010. It allows you to be granular and specific in your delegation of permissions, which is a great thing, but it takes a good deal of forethought to get properly configured.
Not for the faint of heart; in fact, I wouldn't recommend it unless you have a REAL need for it. For most people the defaults (listed on the right) are good enough.

The good news is that once you do, you can simply put your admins into the applicable groups.

So, as I'm trying to figure this out, here is what I came up with for the syntax to give "Site 1 Mail Admins" management permission for users in the OU "Site 1":

New-RoleGroup -Name "OKC MAIL ADMINS" -Members "Site1 MAIL ADMINS" -Roles "Mail Recipients", "User Options", "Mail Recipient Creation", "Mail Enabled Public Folders", "Distribution Groups" -RecipientOrganizationalUnitScope "ex2010/Lab Users/Site 1"

Here is the breakdown:

So now I can add my admins to that group and they can manage users and distribution groups in that OU.
I do want to point out that this is specific to Exchange and is not the same as AD permissions.
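As an added example (not code from the original posts), the following first confirms the OU scope of the role group created with New-RoleGroup above, then combines the Get-ManagementRole -Cmdlet and Get-ManagementRoleAssignment -WritableRecipient -GetEffectiveUsers queries from the troubleshooting list into one check: can a given admin actually run a given cmdlet against a given recipient? It assumes an Exchange 2010 Management Shell; the function name, the admin and recipient names, and that the admin name matches what Exchange reports in EffectiveUserName are assumptions.

```powershell
# Added example, not from the original posts. Assumes an Exchange 2010
# Management Shell session; the function name, admin/recipient names and
# the role-group name are placeholders.

function Get-EffectiveRbacAssignment {
    param(
        [Parameter(Mandatory = $true)] [string] $EffectiveUser,    # admin to check (as shown in EffectiveUserName)
        [Parameter(Mandatory = $true)] [string] $TargetRecipient,  # recipient the admin wants to modify
        [string] $Cmdlet = 'Set-Mailbox'                            # cmdlet the admin wants to run
    )
    # Roles that contain the cmdlet at all (Get-ManagementRole -Cmdlet)
    $rolesWithCmdlet = Get-ManagementRole -Cmdlet $Cmdlet | ForEach-Object { $_.Name }

    # Regular (non-delegating) assignments whose recipient write scope covers the
    # target, expanded through group membership to the individual effective users.
    # Only those whose role actually contains the cmdlet count as an effective grant.
    Get-ManagementRoleAssignment -WritableRecipient $TargetRecipient -GetEffectiveUsers -Delegating $false |
        Where-Object {
            $_.EffectiveUserName -eq $EffectiveUser -and
            $rolesWithCmdlet -contains $_.Role.ToString()
        }
}

# 1. Verify the scoping of the new role group: every assignment should be
#    limited to the Site 1 OU, not the whole organization.
Get-ManagementRoleAssignment -RoleAssignee 'OKC MAIL ADMINS' |
    Format-List Role, RecipientWriteScope, *OrganizationalUnit*

# 2. A member of the group should get a result for a mailbox inside Site 1 ...
$inScope = Get-EffectiveRbacAssignment -EffectiveUser 'Site1 Admin' -TargetRecipient 'site1.user@example.com'
if ($inScope) { $inScope | Format-Table Role, RoleAssigneeName, AssignmentChain -AutoSize }
else          { 'DENIED: no effective Set-Mailbox assignment covers site1.user' }

# ... but nothing for a mailbox outside that OU, and nothing for an org-wide cmdlet
$outOfScope = Get-EffectiveRbacAssignment -EffectiveUser 'Site1 Admin' -TargetRecipient 'hq.user@example.com'
$orgConfig  = Get-EffectiveRbacAssignment -EffectiveUser 'Site1 Admin' -TargetRecipient 'hq.user@example.com' -Cmdlet 'Set-OrganizationConfig'
if (-not $outOfScope -and -not $orgConfig) { 'OK: the Site 1 admin is confined to the Site 1 OU' }
else                                        { 'WARNING: the Site 1 admin has rights beyond the Site 1 OU' }
```

An empty result from the function is the RBAC "Access Denied" you see in the remote shell; a non-empty one shows the AssignmentChain (group membership path) that grants the right.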