20336a_03-configuring users and rights
TRANSCRIPT
MVA Jump Start
Module 3
Configuring Users and Rights
Module Overview
• Managing Lync Server 2013
• Introduction to Role Based Access Control (RBAC)
Lesson 1: Managing Lync Server 2013
• Lync Server Control Panel
• Lync Server Management Shell
• Using PowerShell 3.0
Lync Server Control Panel
Lync Server Management Shell
Lync Server Management Shell
• Built on Microsoft Windows PowerShell™ 2.0
• Contains more than 550 product-specific cmdlets
Example cmdlet:
New-CsUserReplicatorConfiguration
Using PowerShell 3.0
PowerShell syntax
Verb-dash-noun
Get-Help
Parameters
Limit scope of cmdlet
Get-Service –DisplayName Windows
Wildcards
* and ?
Get-Service -DisplayName windows*
Lesson 2: Introduction to Role Based Access Control
• Overview of Role Based Access Control (RBAC)
• Predefined Role Based Access Control roles
• What’s new in Lync Server 2013 RBAC
Overview of Role Based Access Control (RBAC)
• Role Based Access Control is a method of granting a specific group
of users the ability to execute specific management tasks
• Administrative privilege are granted by assigning users to
administrative roles
• Managed exclusively via PowerShell
• a role is enabled to use a list of cmdlets, designed to be useful for a
certain type of administrator or technician
• A scope is the set of objects which the cmdlets defined in a role can
operate on.
• The objects that scope affects can be either user accounts (grouped
by organizational unit) or servers (grouped by site).
Predefined Role Based Access Control roles
Role Tasks allowed
CsAdministrator Can perform all administrative tasks and modify all settings, including creating roles and assigning users
to roles. Can expand a deployment by adding new sites, pools, and services.
CsUserAdministrator Can enable and disable users for Lync Server, move users and assign existing policies to users. Cannot
modify policies.
CsVoiceAdministrator Can create, configure, and manage voice-related settings and policies.
CsServerAdministrator Can manage, monitor, and troubleshoot servers and services. Can prevent new connections to servers,
stop and start services, and apply software updates. Cannot make changes with global configuration
impact.
CsViewOnlyAdministrator Can view the deployment, including user and server information, in order to monitor deployment health.
CsHelpDesk Can view the deployment, including user's properties and policies. Can run specific troubleshooting tasks.
Cannot change user properties or policies, server configuration, or services.
CsArchivingAdministrator Can modify archiving configuration and policies.
CsResponseGroupAdministrator Can manage the configuration of the Response Group application within a site.
CsLocationAdministrator Lowest level of rights for Enhanced 9-1-1 (E9-1-1) management, including creating E9-1-1 locations and
network identifiers, and associating these with each other. This role is always assigned with a global
scope.
CsResponseGroupManager Can manage specific response groups.
CsPersistentChatAdministrator Can manage the Persistent Chat feature and specific Persistent Chat rooms.
Creating/Modify Custom RBAC roles
•A new custom role can be created using PowerShell cmdlets
•A predefined role can be used as a starting template
• To make a new role, you use the New-CsAdminRole cmdlet. Before
running New-CsAdminRole, you must first create the underlying
security group that will be associated with this role.
• You can modify the list of cmdlets and scripts that a role can run
RBAC Scope
• Template – Use a predefined administrative template to create a
new CSAdminRole
•User Scope – Limit the scope of users that can be managed via
organizational unit
•ConfigScope – Limit the scope of servers that can be managed via
Lync “site”
•Cmdlets – Specific cmdlet(s) available to a user role
• ScriptModules – Ability to create and specify custom scripts
available to the user role (C:\Program Files\Common Files\Microsoft Lync Server
2013\AdminScripts)
Custom RBAC Examples/Demo
•Create AD Universal Security Group named CsOnpremAdmin
•New-CsAdminRole -Identity “CsOnpremAdmin" -Template
"CsUserAdministrator" -UserScopes
"OU:ou=Accounts,DC=onprem,DC=local“
•Add User to Group
What’s new in Lync Server 2013 RBAC
1. New custom role creation
2. New Predefined Roles:
• Response Group Manager role
• Persistent Chat Manager role
Module Review and Takeaways
•Review Question(s)
•Real-world Issues and Scenarios
• Tools
©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.