• RBAC in Lync: Who can do What on Which Objects?

     

    I love Exchange, and I was pretty impressed when I was first introduced to Role Based Access Control in Exchange, since it finally made it possible for an administrator to delegate control as one would want to delegate control.

    With the release of Lync, it’s time to see how Lync embraces Role Based Access Control :-)

    RBAC = Who can do What on Which Objects

    Who?

    In Lync, you can only assign a role to a universal security group. The role you assign to that group is assigned to every member of that universal security group. A user does not have to be Lync-enabled to be assigned a Lync admin role.

    When you have a universal security group, which is a member of another universal security group (the so-called nesting of groups), a user who’s a member of group 1, that belongs to group 2, will get the role assigned to both groups!

    What?

    In Lync there are 9 built-in roles, the so-called standard roles:

    Get-CsAdminRole | Where {$_.IsStandardRole -eq $true} | ft Identity

    IVC-0365

    To know which cmdlets belong to any of these built-in roles, you can expand the cmdlets attribute:

    Get-CsAdminRole | Where {$_.IsStandardRole -eq $true} | ft Identity,Cmdlets -Wrap

    IVC-0366

    To bypass the …, you can run the following line

    Get-CsAdminRole CsUserAdministrator | Select-Object -ExpandProperty Cmdlets

    IVC-0367

    The Glue in Lync = Name of the Role and the SamAccountName of the Universal Security Group

    Whereas Exchange 2010 uses assignments, in Lync the glue that connects the Who to the What is the name of the role together with the name of the universal security group. This means that in order to assign any of the existing roles to a user, you need to add the user to the matching built-in universal security group, which by default can be found in the Users container!

    IVC-0368

    Creating Custom Roles

    In order to create a custom role, you first need to create a universal security group, and then you need to create a new CsAdminRole using the Lync Server Management Shell and define a template CsAdminRole.

    In case the universal security group doesn’t exist, you will get the following error message:

    IVC-0262

    On Which Objects = Scopes (Config/User)?

    With Lync you can scope to Site, and to Organizational Units! Here’s an example where we delegate the role CsUserAdministrator, to the universal security group ManagerEmployees, and we scope it to the Organizational Unit Employees.

    IVC-0261

    In this example we create a new role DublinAdmins, based on the role CsServerAdministrator, and scope it to Site:2.

    IVC-0266


     

    At this moment, it is not possible to remove cmdlets, and/or parameters when creating a custom role in Lync.
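
    The two scoped roles described above, followed by an audit of who effectively holds each role once nested groups are resolved. This is an added example, not code from the original post: the domain DN dc=contoso,dc=com is a placeholder, and it assumes the ActiveDirectory module is available next to the Lync module.

    ```powershell
    Import-Module ActiveDirectory
    Import-Module Lync

    $domainDn = 'dc=contoso,dc=com'   # placeholder, replace with your own domain
    $roles = @(
        @{ Name = 'ManagerEmployees'; Template = 'CsUserAdministrator'
           UserScopes = "OU:ou=Employees,$domainDn" },
        @{ Name = 'DublinAdmins'; Template = 'CsServerAdministrator'
           ConfigScopes = 'site:2' }   # site scope as written in the post
    )

    foreach ($r in $roles) {
        # The role name must match the SamAccountName of an existing
        # universal security group, so create the group first if needed.
        if (-not (Get-ADGroup -Filter "SamAccountName -eq '$($r.Name)'")) {
            New-ADGroup -Name $r.Name -SamAccountName $r.Name `
                -GroupScope Universal -GroupCategory Security `
                -Path "cn=Users,$domainDn"
        }
        $params = @{ Identity = $r.Name; Template = $r.Template }
        foreach ($scope in 'UserScopes', 'ConfigScopes') {
            if ($r.ContainsKey($scope)) { $params[$scope] = $r[$scope] }
        }
        New-CsAdminRole @params
    }

    # Audit: list every account that holds a role, nested groups included,
    # together with the template and scopes that role carries.
    Get-CsAdminRole | ForEach-Object {
        $role = $_
        Get-ADGroupMember -Identity $role.Identity -Recursive |
            Select-Object @{ n = 'Role';         e = { $role.Identity } },
                          @{ n = 'Template';     e = { $role.TemplateName } },
                          @{ n = 'UserScopes';   e = { $role.UserScopes -join ';' } },
                          @{ n = 'ConfigScopes'; e = { $role.ConfigScopes -join ';' } },
                          SamAccountName
    } | Sort-Object Role, SamAccountName | Format-Table -AutoSize
    ```

    Because roles follow group membership, re-running the audit part after any change to group nesting shows who gained or lost Lync admin rights.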

    Utilities

    There are utilities out there that will provide help creating custom roles in Lync, check out for example the free Lync RBAC Administrator tool available here:

    http://lync-solutions.com/

    Ilse

  • Using Remote PowerShell to connect to Lync

    It is possible to manage Lync remotely using the wonderful world of Remote PowerShell. Here’s a short overview of using Remote PowerShell to connect to Lync.

    Prerequisites

    Your client machine from where you want to connect to Lync, must have:

    • Windows PowerShell v2.0
    • .NET Framework 2.0 Service Pack 1
    • Windows Remote Management (WinRM) 2.0

    Connecting from a domain-joined machine

    Once you have launched Windows PowerShell, create a new persistent connection to your Lync server by using the cmdlet New-PSSession. In the following example I store the new persistent connection in a variable $a, and then import that session to make the Lync cmdlets available. The credentials are prompted for and stored in a new variable: $credential = Get-Credential.

    IVC-0361

    Connecting from a non-domain joined machine

    Is perfectly possible :-) But when trying to do so, I always ended up with the following error message when creating my variable New-PSSession…

    First setting the credentials…

    IVC-0357

    Then creating a new persistent connection…

    IVC-0359

    The error message indicates “Connecting to the remote server failed with the following error message : The server certificate on the destination computer has the following errors: The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.”

    A quick search on the www gave me an explanation from EdYoung, who states “Whenever you connect to an HTTPS URL, such as is used for remote PowerShell, the server needs to have a certificate 'proving' it matches the URL you entered, to prevent someone spoofing the website. To make sure the cert is valid, the client program needs to check with the certificate authority (CA) which issued the certificate to see if it's been revoked. This error indicates that it wasn't able to do so. This can happen if (for example) you used an internal CA within your company firewall to issue a cert, then try to connect from outside the firewall, though there are other possibilities.”

    Using his workaround (which is obviously not recommended from a security point of view) I was able to connect…

       IVC-0360 
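
    The connection steps above as one function, with full certificate validation as the default and the revocation check as the only thing that can be relaxed. This is an added example, not the code from the screenshots: the post does not show the workaround's command, so the use of New-PSSessionOption -SkipRevocationCheck is an assumption, and the function name and pool FQDN are placeholders.

    ```powershell
    function Connect-LyncRemote {
        param(
            [Parameter(Mandatory = $true)] [string] $PoolFqdn,
            [Parameter(Mandatory = $true)]
            [System.Management.Automation.PSCredential] $Credential,
            # Opt-in only: relaxes the revocation lookup and nothing else.
            [switch] $SkipRevocationCheck
        )
        $params = @{
            ConnectionUri = "https://$PoolFqdn/OcsPowershell"
            Credential    = $Credential
            ErrorAction   = 'Stop'
        }
        if ($SkipRevocationCheck) {
            Write-Warning 'Revocation status of the server certificate is not checked for this session.'
            # CA trust and name matching stay enforced. Do not add
            # -SkipCACheck or -SkipCNCheck: without them the client no
            # longer verifies which server it is sending credentials to.
            $params.SessionOption = New-PSSessionOption -SkipRevocationCheck
        }
        New-PSSession @params
    }

    $credential = Get-Credential

    # Default: trusted CA, matching name and revocation are all verified.
    $a = Connect-LyncRemote -PoolFqdn 'lyncpool.contoso.com' -Credential $credential

    # Only when the CRL of an internal CA is unreachable from this client:
    # $a = Connect-LyncRemote -PoolFqdn 'lyncpool.contoso.com' -Credential $credential -SkipRevocationCheck

    Import-PSSession $a

    # ... run Lync cmdlets here ...

    # Close the persistent connection when done.
    Remove-PSSession $a
    ```

    The lasting fix for the revocation error is to make the issuing CA's CRL distribution point reachable from wherever administrators connect, so the switch is never needed.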

    Ilse

  • Join us and explore Microsoft Lync 2010 - The next generation of communications server

     

    Microsoft Lync Server 2010 ushers in a new connected user experience transforming every communication into an interaction that is more collaborative, engaging, and accessible from anywhere.

    Join Annelies Bulkens, Johan Delimon, and Dirk Gullentops at one of the roadshow locations and explore what’s new in Lync 2010. During this half day event we will guide you through two main topics:

    • What’s new in Clients, Devices, Architecture & Interoperability in Lync 2010
      Microsoft Lync promises to transform the way people communicate across the PC, Web and Phone, making traditional communications systems obsolete. In this session we will talk about Microsoft’s vision for transforming business communications and the key investments we are making in Microsoft Lync that will lead this industry transformation.
    • How to manage, migrate and maintain your Lync 2010 Infrastructure & UC Applications
      Microsoft Lync Server 2010 features a new way of deploying and administering a Microsoft Lync infrastructure. This session will review these new administration tools, dive into the Lync Server Control Panel and the Lync Server Management Shell, and look at how Role Based Access Control can help you set granular permissions in your Microsoft Lync infrastructure. How to plan and move from Office Communications Server 2007/Office Communications Server 2007 R2, to Microsoft Lync Server 2010 for servers and clients. It addresses the implications of various migration and coexistence approaches, as well as covering Microsoft’s investments to support migration from prior versions of Microsoft Lync Server 2010. See what you can build with the Lync 2010 Application Platform: Building Communications Enabled Business Process Applications.

    Don’t miss this opportunity and register for free.

    More information is available here: http://technet.microsoft.com/nl-be/gg455944.aspx


    Ilse

  • Creating a Response Group in Lync

    It’s been a while since I have been able to blog…but now TechEd is done, and we have launched Lync here in Belgium, so time to blog what I have shown in Berlin for TechEd, and during the Launch.

    The first thing I want to blog about is the enhancements that have been made to the Response Groups in Lync. The following TechNet article lists the New Response Group Application Features (http://technet.microsoft.com/en-us/library/gg398373.aspx):

    • Anonymous calls
      You can configure a response group so that agents can accept incoming calls and make outgoing calls on behalf of the response group without revealing their identity. When anonymous calling is enabled, callers cannot call agents directly unless the agent expressly offers a direct number. During an anonymous call, the agent can see that the call is anonymous. The agent can put the call on hold, make both blind and consultative transfers, and park and retrieve the call. Anonymous calls cannot start from an instant messaging (IM) or audio/video session, but the agent or the caller can add IM and video after the call is established.
      Anonymous calls do not support conferencing, application sharing, desktop sharing, file transfer, whiteboarding and data collaboration, or call recording.
    • Attendant routing method
      With the new attendant routing method, all agents who are signed into Lync Server 2010 and the Response Group application are called at the same time for every incoming call, regardless of their current presence status. With attendant routing, Microsoft Lync 2010 Attendant users who are designated as agents can see all the calls that are waiting and answer waiting calls in any order. When a call is answered, the other Microsoft Lync 2010 Attendant users no longer see the call.
    • Integrated manageability
      In Lync Server 2010, Response Group manageability is integrated with Lync Server 2010 manageability: Lync Server Management Shell cmdlets support all Response Group management tasks, and Microsoft Lync Server 2010 Control Panel supports common Response Group management tasks.
    • Caller experience improvements
      In Lync Server 2010, Response Group supports more flexible interactive voice response (IVR) configurations and prompts, such as for invalid or no response to IVR questions and messages before music on hold or queue timeouts.
    • Web service
      In Lync Server 2010, the Response Group application provides a more robust web service that supports customized agent consoles. You can use the web service to retrieve information about agents, agent group membership, agent sign-in status, call status for groups, and the response groups that support anonymous calls.

    In addition, it is now very easy to create a Response Group, be it a Hunt Group, or a real IVR one. I’ll show you the latter in a few simple steps.

    Step 1. Create your Lync agents

    Make sure you have created some Lync users that you can include in your Response Group. In my example, I will use my own demo account of Ilse Van Criekinge, that I want to add to a simple IVR Response Group, called Info.

    Step 2. Create your Response Group

    Use the Lync Control Panel, select Response Groups in the left pane, and click on Group. I have already created the Info Group, click on Edit to be able to select Show Details.

    IVC-0340

    I’ve chosen Informal as Participation Policy, meaning that every agent will be a member of that group once logged into Lync. If you set it to Formal, the user will need to check into the response group separately, using a web interface, as I will show later on, since Ilse is a member of the Helpdesk group as well, where the Participation Policy is set to Formal.

    I have chosen in my example to define a custom group of agents, but now it is also possible to use an existing email distribution list!

    IVC-0342

    Another new thing is the routing method Attendant, which means in short that all agents who are signed into Lync Server 2010 and the Response Group application are called at the same time for every incoming call, regardless of their current presence status. With attendant routing, Microsoft Lync 2010 Attendant users who are designated as agents can see all the calls that are waiting and answer waiting calls in any order. When a call is answered, the other Microsoft Lync 2010 Attendant users no longer see the call.

    IVC-0345

    Step 3. Create the Response Group Queue

    Use the Lync Control Panel to create the needed Queue.

    IVC-0346

    IVC-0347

    Step 4. Create the Workflow

    To create the workflow, you need to select the tab Workflow, and you will be guided to the Response Group Configuration Tool.

    IVC-0348

    I choose to edit the existing Interactive Response Group, called Info.

    First I need to Activate and Name the Workflow! (For those of you that have been playing around with Response Groups in OCS R2, you don’t need to create a contact anymore using command line utilities such as LCSCMD and so on :-) )

    IVC-0349

    Then you can select a language, configure a welcome message, and specify your business hours.

     

    IVC-0350

    You can even specify your holidays if wanted.

    IVC-0351

    And then it’s time to configure the Interactive Voice Responses. I have chosen to create 2 valid responses (you can define up to 4), and for the second option, I defined two additional choices.

    IVC-0352

    IVC-0353

    Step 5. Check Membership of Agent Groups

    Once logged into Lync, you can easily go to Tools, Response Group Settings, and use the Lync Web portal to sign into formal agent groups, and see to which agent groups you belong. Since Info has been configured with an Informal Participation Policy, the option to clear membership is greyed out :-)

    IVC-0354

    IVC-0355

    Step 6. Time to Test

    Patrick Van Asch calls Info…

    IVC00322

    Ilse will receive the call as follows, I can see it’s a Call for Info.

    IVC-0336

    When I accept the call, this is the info provided to me…thereby I know without any word being said, that the call will probably be about a question on the product Link :-)

    IVC-0337

    Lync + Response Groups = Rocking :-)

     

    Ilse