Automatically enable users in a particular OU for Lync 2010

In Lync 2010, users have to be enabled through either the Lync Server Management Shell or the web-based Lync Control Panel, so most administrators now have to use two different interfaces: one for creating users and another for enabling them for Lync. This is too cumbersome for many admins, especially in situations where almost everyone in an organization has to be enabled for Lync. I have received various requests for automating the process and I thought I would document it here for all. The idea is to schedule a task that runs a PowerShell cmdlet to automatically Lync-enable any users in an OU who have not been enabled yet. Here is a quick and dirty way to get it ‘done’.

First we create the script that will enable the users in a specific OU. Copy and paste the following two lines into Notepad and save the file as "C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.PS1" (you can choose any other suitable location):

import-module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'
get-csaduser -filter {Enabled -ne $True} -OU "ou=Employees,dc=treyresearch,dc=net" | Enable-CsUser -RegistrarPool lyncpool.treyresearch.net -SipAddressType EmailAddress

Let’s break it down line by line (since there are just two of them, and I have time to kill). The first line imports the Lync module into PowerShell; since the module does not sit in the usual location for PS modules, you have to specify the complete path to the file.

The second line is made up of two separate commands. The first part, get-csaduser -filter {Enabled -ne $True} -OU "ou=Employees,dc=treyresearch,dc=net", searches for all users in a particular OU who have not yet been enabled for Lync 2010. The second half enables each of those users on a particular pool, using the user's email address as their SIP address.

Now that we have a script, we need to make sure that we can run it on the server. To do so, you need to either “sign” the script or disable script signing on the server. Since this is a “get-it-done” post, I chose the easy way by disabling script signing. Just head over to PowerShell and type in the following command, which sets the execution policy to RemoteSigned (scripts created locally run unsigned; scripts downloaded from the internet still need a signature):

Set-ExecutionPolicy RemoteSigned
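The other option named above, signing the script, looks like this as an added example (not part of the original post). It assumes a code-signing certificate trusted by the server is already installed in the signing user's personal store; Test-ScriptSignature is a hypothetical helper name.

```powershell
# Added example: sign EnableUsersForLync.ps1 instead of relaxing the policy.
# Assumption: a code-signing certificate already exists in Cert:\CurrentUser\My.
$scriptPath = 'C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.ps1'

# Pick the unexpired code-signing certificate with the longest remaining lifetime.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No unexpired code-signing certificate found in Cert:\CurrentUser\My' }

# Append the signature block to the script and confirm it validates.
$result = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# Hypothetical helper: returns $true only while the file is unchanged since signing.
# Any later edit to the script turns the status into HashMismatch.
function Test-ScriptSignature([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid')
}

if (-not (Test-ScriptSignature $scriptPath)) { throw "Signature on $scriptPath is not valid" }
```

The signature is only enforced at run time when the execution policy is AllSigned, and an unattended run then also needs the signing certificate in the server's Trusted Publishers store, because there is nobody to answer the trust prompt.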

Next, go to Task Scheduler (Start > Run > taskschd.msc) and choose “Create Basic Task…”.

Assign a name and description, then click on Next.

Choose how often you would like to run the task and click on Next (I chose a Daily task).

Choose when you would like to run the task and click on Next.

Select “Start a program” and then click on Next again.

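Browse to powershell.exe on your system and provide the script created earlier as an argument (-File "C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.ps1"). The quotes around the path must be plain straight quotes; curly quotes pasted from a web page will stop the script from running.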

Click on Finish to complete the wizard.
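A scheduled run has no console, so a script that fails or silently enables nobody leaves no trace. The following variant of EnableUsersForLync.ps1 is an added example, not the original post's script: it keeps the same Get-CsAdUser and Enable-CsUser calls, skips accounts that are disabled in AD or have no email address, writes a log, and returns a non-zero exit code on failure. The log path, parameter names and the DryRun switch are assumptions.

```powershell
# Added example, not the original post's script. Log path and parameter names are assumptions.
param(
    [string]$OU            = 'ou=Employees,dc=treyresearch,dc=net',
    [string]$RegistrarPool = 'lyncpool.treyresearch.net',
    [string]$LogFile       = 'C:\Logs\EnableUsersForLync.log',  # assumed; folder must exist
    [switch]$DryRun                                             # report only, change nothing
)

$ErrorActionPreference = 'Stop'   # turn cmdlet errors into catchable exceptions

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ('{0} {1}' -f (Get-Date -Format 's'), $Message)
}

try {
    Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'
    Write-Log "Run started as $env:USERDOMAIN\$env:USERNAME for $OU"

    # Not yet Lync-enabled, not disabled in AD, and holding the email address
    # that -SipAddressType EmailAddress needs.
    $candidates = @(Get-CsAdUser -Filter {Enabled -ne $True} -OU $OU |
        Where-Object { $_.UserAccountControl -notlike '*AccountDisabled*' } |
        Where-Object { [string]$_.WindowsEmailAddress -ne '' })

    $failed = 0
    foreach ($user in $candidates) {
        try {
            Enable-CsUser -Identity $user.UserPrincipalName -RegistrarPool $RegistrarPool `
                -SipAddressType EmailAddress -WhatIf:$DryRun
            $verb = if ($DryRun) { 'WOULD ENABLE' } else { 'ENABLED' }
            Write-Log "$verb $($user.UserPrincipalName)"
        }
        catch {
            # One bad account must not stop the rest of the batch.
            $failed++
            Write-Log "FAILED $($user.UserPrincipalName): $($_.Exception.Message)"
        }
    }
    Write-Log "Run finished: $($candidates.Count) candidate(s), $failed failure(s)"
    if ($failed -gt 0) { exit 2 }   # shows up as the task's last run result
}
catch {
    Write-Log "FATAL: $($_.Exception.Message)"
    exit 1
}
```

Run it once with -DryRun under the same account the task will use and read the log before scheduling it; the "Run started as" line confirms which identity the task actually runs under.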

Links:
Running PowerShell Scripts: http://technet.microsoft.com/en-us/library/ee176949.aspx
Configuring Scheduled Tasks: http://technet.microsoft.com/en-us/library/dd851678.aspx

Comments
  • Hi,

    I have used your script in my deployment and created a scheduled task.  The task is set to run  every night using a service account to run the task (service account has RTCUniversalUserAdmins rights).

    However, on checking AD the next day new users are not enabled for Lync (no SIP address).  If I manually run the .PS1 file in powershell on the server, it enables users fine, so I know it's not the script ;-)

    If I run the task manually from the server, it does not work, but the task scheduler history reports the task as being completed successfully (manual or scheduled).

    Have you any ideas where I may be going wrong?

    A cheeky additional question too if I may!  Is there also a way to exclude accounts that have been disabled in AD?

    Thanks in advance

  • I'm having the exact same issue as @D Clayton.

  • Oh I found the problem I was having.  I had copied and pasted “C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.ps1” from above and edited the text for my script.  The quote marks have to be replaced in scheduler or the script won't run.  Thanks for the article!

  • @Anthony : Thanks for posting the solution!

    @D Clayton: Hope you have figured out the automatic scheduling issue by now.

    To exclude disabled AD accounts use the following script:

    import-module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'

    get-csaduser -LdapFilter "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(msRTCSIP-UserEnabled=TRUE)))" | Enable-CsUser -RegistrarPool lyncpool.treyresearch.net -SipAddressType EmailAddress

    PS: There may be a better way to write this query

  • Hi there, what if I would like to enable users that are members of a group instead? What should that script look like?

  • @Stefan : You can use the built-in ActiveDirectory module in PowerShell or the Quest Active Directory cmdlets (www.quest.com/.../activeroles-server.aspx) to evaluate groups and then pass the result to Enable-CsUser.

    The script will look something as follows (I have not tested it) :

    Import-Module Lync

    Import-Module ActiveDirectory

    Get-ADGroupMember -Identity <ADGroup> | Enable-CsUser -RegistrarPool lyncpool.treyresearch.net -SipAddressType EmailAddress

    For Quest module:

    Get-QADGroupMember -Identity <ADGroup> | Enable-CsUser -RegistrarPool lyncpool.treyresearch.net -SipAddressType EmailAddress

    Let me know if this doesn't help, I can probably do a more detailed blog post for this.

  • how do you use this to also enable for enterprise voice?

  • I need to enable all users in AD not just a single OU. I cannot seem to get the proper code for that... any help would be greatly appreciated.

  • Replaced the quote marks and it's working a treat!  Can't believe it was that simple!

    Thanks

  • Here is the Lync Group Enable script I came up with. (Pretty quick and dirty.)

    import-module "<your path here>\Lync.psd1"
    import-module activedirectory

    $ad_lync_name = Get-ADGroupMember -Identity LyncEnabled

    foreach ($objitem in $ad_lync_name){
        $lync_user = Get-CSAdUser -Identity $objitem.name
        If ($lync_user.Enabled -eq $False){
            Enable-CsUser -Identity $objitem.name -RegistrarPool LyncPool.contoso.com -SipAddressType EmailAddress
            Grant-CsClientPolicy -Identity $objitem.name -PolicyName YourClientPolicy
        }
    }

  • When you skip -OU parameter at Get-CsAdUser, you get all users in the Forest!

    Maybe someone will find this useful:

    $OUUsers = &{Get-CsAdUser -Filter {Enabled -ne $True} | Where-Object {$_.UserAccountControl -notlike "*AccountDisabled*"} | Where-Object {$_.WindowsEmailAddress -ne ""} | Where-Object {$_.SIPAddress -eq ""} };

    $OUUsers | Foreach-Object {Enable-CsUser -Identity $_.UserPrincipalName -RegistrarPool $LyncServer -SipAddressType EmailAddress}

  • This script was much easier and simpler than the one my customer had.

    This was indeed helpful. Thank you Akshat for your good work!
