Ilse Van Criekinge's Weblog

Addicted to Microsoft Unified Communications

RBAC in Lync: Who can do What on Which Objects?

RBAC in Lync: Who can do What on Which Objects?

  • Comments 5
  • Likes


I love Exchange, and I was pretty impressed when I was first introduced to Role Based Access Control in Exchange, since it finally made it possible for an administrator to delegate control as one would want to delegate control.

With the release of Lync, it’s time to see how Lync embraces Role Based Access Control :-)

RBAC = Who can do What on Which Objects


In Lync, you can only assign a role to a universal security group. the role you assign to that group will be assigned to every member of that universal security group. A user does not have to be Lync-enabled in order to be able to be assigned a Lync admin role.

When you have a universal security group, which is a member of another universal security group (the so-called nesting of groups), a user who’s a member of group 1, that belongs to group 2, will get the role assigned to both groups!


In Lync there are 9 built-in role, the so-called standard roles:

Get-CsAdminRole | Where {$_.IsStandardRole –eq “true” } | ft Identity


To know which cmdlets belong to any of these built-in roles, you can expand the cmdlets attribute:

Get-CsAdminRole | Where {$_.IsStandardRole –eq “true” } | ft Identity,cmdlets -wrap


To bypass the …, you can run the following line

Get-CsAdminRole CsUserAdministrator | Select-Object –ExpandProperty cmdlets


The Glue in Lync = Name of the Role and the SamAccountName of the Universal Security Group

Whereas in Exchange 2010 we use assignments, in Lync, the glue to connect the Who can do What, we use the name of the Role and the name of the Universal Security Group, meaning that in order to assign any of the existing roles to a user, you need to add the user to the built-in Universal security groups, which by default can be found in the Users container!


Creating Custom Roles

In order to create a custom role, you first need to create a universal security, and then you need to create a new CsAdminRole using the Lync server Mangement Shell and define a template CsAdminRole.

In case the universal security group doesn’t exist, you will get the following error message:


On Which Objects = Scopes (Config/User)?

With Lync you can scope to Site, and to Organizational Units! Here’s an example where we delegate the role CsUserAdministrator, to the universal security group ManagerEmployees, and we scope it to the Organizational Unit Employees.


In this example we create a new role DublinAdmins, based on the role CsServerAdministrator, and scope it to Site:2.



At this moment, it is not possible to remove cmdlets, and/or parameters when creating a custom role in Lync.


There are utilities out there that will provide help creating custom roles in Lync, check out for example the free Lync RBAC Administrator tool available here:


  • Ilse

    Is there any way to delegate permissions at a site level to one Role Group who then have permissions as a whole over everything within a site?  Or do we need to look to creating custom groups for all areas within a site (Server Admin, Voice Admin, User Admin, etc.) and obviously the associated USGs?



  • Paul, you could create a new Universal Security Group, then create a new role, and use the CsAdministrator role as a template, and scope it to a site. Thereby members of that group will have csAdministrator rights on all objects in that site! A CsAdministrator can perform all administrative tasks and modify all settings, including creating roles and assigning users to roles. They can also expand a deployment by adding new sites, pools, and services.

    For a detailed description of the built-in roles, here's a link to the TechNet article on it:


  • Ilse

    Further question on RBAC scoping.  As we cannot delegate with the CSAdminstator role, we will need to look to performing delegations at a site and domain level.  

    For user administration - how does this work for delegation for management for child domains?   Can I simply use the -UserScopes and use the DN of the domain and not specify an OU?   Or should we still restrict this at site level - and if so how will it know the users to manage?

    Basically we need to delegate management of users to child domains and server administration at a site level for sure.  Or can all be done to site level?



  • Hello Ilse,

    How can I remove cmdlets ? There is nothing written in Your artcile, just the last sentence : "At this moment, it is not possible to remove cmdlets, and/or parameters when creating a custom role in Lync.". Ok WHEN its then possible to remove / add cmdlets ?

    Thanks and bye,


  • As much I love RBAC, I think RBAC for Lync is still in its infancy. Delegating CSAdministrator for a site is just not possible. You delegate and Lync will glad accept the command. But the administrator will not be able to do anything. I.e create user based policies. I have a lync deployment spanning different countries and I found that bulk of what I need each country to do for themselves is not possible. Only server admins allows this.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment