20336a_03-configuring users and rights

Upload: cviga

Post on 15-Apr-2017

TRANSCRIPT

Page 1: 20336A_03-Configuring Users and Rights

MVA Jump Start

Module 3

Configuring Users and Rights

Module Overview

• Managing Lync Server 2013

• Introduction to Role Based Access Control (RBAC)

Lesson 1: Managing Lync Server 2013

• Lync Server Control Panel

• Lync Server Management Shell

• Using PowerShell 3.0

Lync Server Control Panel

Lync Server Management Shell

• Built on Microsoft Windows PowerShell™ 2.0

• Contains more than 550 product-specific cmdlets

Example cmdlet:

New-CsUserReplicatorConfiguration

Using PowerShell 3.0

• PowerShell syntax
    Verb-dash-noun
    Get-Help

• Parameters
    Limit scope of cmdlet
    Get-Service -DisplayName Windows

• Wildcards
    * and ?
    Get-Service -DisplayName windows*

Lesson 2: Introduction to Role Based Access Control

• Overview of Role Based Access Control (RBAC)

• Predefined Role Based Access Control roles

• What’s new in Lync Server 2013 RBAC

Overview of Role Based Access Control (RBAC)

• Role Based Access Control is a method of granting a specific group of users the ability to execute specific management tasks.

• Administrative privileges are granted by assigning users to administrative roles.

• Managed exclusively via PowerShell.

• A role is enabled to use a list of cmdlets, designed to be useful for a certain type of administrator or technician.

• A scope is the set of objects which the cmdlets defined in a role can operate on.

• The objects that a scope affects can be either user accounts (grouped by organizational unit) or servers (grouped by site).

Predefined Role Based Access Control roles

| Role | Tasks allowed |
|---|---|
| CsAdministrator | Can perform all administrative tasks and modify all settings, including creating roles and assigning users to roles. Can expand a deployment by adding new sites, pools, and services. |
| CsUserAdministrator | Can enable and disable users for Lync Server, move users and assign existing policies to users. Cannot modify policies. |
| CsVoiceAdministrator | Can create, configure, and manage voice-related settings and policies. |
| CsServerAdministrator | Can manage, monitor, and troubleshoot servers and services. Can prevent new connections to servers, stop and start services, and apply software updates. Cannot make changes with global configuration impact. |
| CsViewOnlyAdministrator | Can view the deployment, including user and server information, in order to monitor deployment health. |
| CsHelpDesk | Can view the deployment, including user's properties and policies. Can run specific troubleshooting tasks. Cannot change user properties or policies, server configuration, or services. |
| CsArchivingAdministrator | Can modify archiving configuration and policies. |
| CsResponseGroupAdministrator | Can manage the configuration of the Response Group application within a site. |
| CsLocationAdministrator | Lowest level of rights for Enhanced 9-1-1 (E9-1-1) management, including creating E9-1-1 locations and network identifiers, and associating these with each other. This role is always assigned with a global scope. |
| CsResponseGroupManager | Can manage specific response groups. |
| CsPersistentChatAdministrator | Can manage the Persistent Chat feature and specific Persistent Chat rooms. |

Creating/Modifying Custom RBAC Roles

• A new custom role can be created using PowerShell cmdlets.

• A predefined role can be used as a starting template.

• To make a new role, you use the New-CsAdminRole cmdlet. Before running New-CsAdminRole, you must first create the underlying security group that will be associated with this role.

• You can modify the list of cmdlets and scripts that a role can run.

RBAC Scope

• Template – Use a predefined administrative template to create a new CsAdminRole

• User Scope – Limit the scope of users that can be managed via organizational unit

• ConfigScope – Limit the scope of servers that can be managed via Lync “site”

• Cmdlets – Specific cmdlet(s) available to a user role

• ScriptModules – Ability to create and specify custom scripts available to the user role (C:\Program Files\Common Files\Microsoft Lync Server 2013\AdminScripts)

Custom RBAC Examples/Demo

• Create an AD Universal Security Group named CsOnpremAdmin

• New-CsAdminRole -Identity "CsOnpremAdmin" -Template "CsUserAdministrator" -UserScopes "OU:ou=Accounts,DC=onprem,DC=local"

• Add the user to the group
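
The three demo steps as one script with a verification and audit pass, added here as an example (not part of the original deck). The role name, template and user scope are the slide's; the group OU path and the account name jdoe are assumptions.

```powershell
# Added example (not from the original deck). Run from the Lync Server
# Management Shell with rights to create AD groups and RBAC roles.
Import-Module ActiveDirectory

$RoleName  = 'CsOnpremAdmin'                       # from the slide
$UserScope = 'OU:ou=Accounts,DC=onprem,DC=local'   # from the slide
$GroupPath = 'OU=Groups,DC=onprem,DC=local'        # assumption: OU holding admin groups
$Delegate  = 'jdoe'                                # assumption: placeholder account name

# Step 1: the universal security group must exist before the role is created.
# The role Identity has to match the group's SamAccountName.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$RoleName'")) {
    New-ADGroup -Name $RoleName -SamAccountName $RoleName `
        -GroupScope Universal -GroupCategory Security -Path $GroupPath
}

# Step 2: clone the CsUserAdministrator template, restricted to one OU.
if (-not (Get-CsAdminRole | Where-Object { $_.Identity -eq $RoleName })) {
    New-CsAdminRole -Identity $RoleName -Template 'CsUserAdministrator' `
        -UserScopes $UserScope
}

# Step 3: group membership is what grants the role.
$members = @(Get-ADGroupMember -Identity $RoleName | ForEach-Object { $_.SamAccountName })
if ($Delegate -notin $members) {
    Add-ADGroupMember -Identity $RoleName -Members $Delegate
}

# Verification: warn if the role ended up with a global user scope
# instead of the single OU that was requested.
$role   = Get-CsAdminRole -Identity $RoleName
$scopes = @($role.UserScopes | ForEach-Object { "$_" })
if ($scopes -contains 'Global') {
    Write-Warning "Role $RoleName has a global user scope; expected $UserScope"
}
$role | Format-List Identity, TemplateName, UserScopes, ConfigScopes

# Audit: who holds the role (nested groups included) and which roles
# the delegate account now resolves to.
Get-ADGroupMember -Identity $RoleName -Recursive |
    Select-Object Name, SamAccountName, objectClass
Get-CsAdminRoleAssignment -Identity $Delegate
```

RBAC limits apply to remote management through the Control Panel or remote PowerShell; an administrator logged on locally at a Lync server is not restricted by them, so local logon rights on those servers need the same scrutiny as role membership.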

What’s new in Lync Server 2013 RBAC

1. New custom role creation

2. New Predefined Roles:

• Response Group Manager role

• Persistent Chat Manager role

Module Review and Takeaways

• Review Question(s)

• Real-world Issues and Scenarios

• Tools

©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.