One thing I see while doing Lync environmental health checks for some customers is some elevated accounts that are enabled for Lync. An example is members of the Domain Admins group. This can be somewhat problematic, especially for administration of those elevated accounts. For security reasons, it is not recommended to enable members of Domain Administrators group for Lync.

You cannot use Lync Server Control Panel to manage users who are members of the Domain Admins Active Directory group. For Domain Admins users, you can use Lync Server Control Panel only to perform read-only search operations. Attempting to perform write operations (such as enable or disable for Lync Server Control Panel, change pool or assigned policies, telephony settings, SIP address) on an elevated user will yield an “Access Denied” error. To perform write operations on a member of Domain Admins, you must use Lync Server Management Shell (PowerShell) cmdlets while logged on as a member of Domain Admins.

For more information please refer to this Microsoft page: User accounts enabled for Lync Server 2013

To query an elevated group, such as Domain Admins, for Lync enabled users, use the following:

(Get-ADGroupMember "Domain Admins").DistinguishedName | Get-CsUser -ErrorAction SilentlyContinue | Format-Table DisplayName,SipAddress

You can replace the “Domain Admins” with the name of any group, really. When you run it, you’ll end up with something like:

PS C:\> (Get-ADGroupMember "Domain Admins").DistinguishedName | Get-CsUser -ErrorAction SilentlyContinue | Format-Table DisplayName,SipAddress

DisplayName                                                 SipAddress
-----------                                                 ----------
Services                                                    sip:services@contoso.com
Dan Giles                                                   sip:dan.giles@contoso.com
Neil Armstrong                                              sip:neil.armstrong@contoso.com
Dawn Lopes                                                  sip:dawn.lopez@contoso.com
Bob Seger                                                   sip:bob.seger@contoso.com
Gail O'Grady                                                sip:gail.ogrady@contoso.com
Troy Dallas                                                 sip:Troy.Dallas@contoso.com
Steve Carrell                                               sip:steve.carrell@contoso.com

You can Lync disable these users for Lync, using the Disable-CsUser cmdlet. This can be done either individually using the -Identity parameter, or everyone at once by pipeline, with something like:

(Get-ADGroupMember "Domain Admins").DistinguishedName | Disable-CsUser -ErrorAction SilentlyContinue

If you have some accounts that were previously members of an elevated group like Domain Admins, but no longer are, then the AdminCount parameter on their account may still be set. This will cause the Access Denied issue to continue. You can manually change this on the user object using ADSIEDIT, or via a script such as Set-AdminUser.

Description

When deploying Microsoft Lync/Skype for Business Server, network health and configuration can be crucial.

The QoS Calculator allows you to pick and choose what components and clients will be used in your environment as well as which specific clients. You’re also able to pick a starting port number, port count, and DSCP value for each modality. The calculator will ensure that port ranges are consecutive, and that they don’t extend past 65535. The calculator will list all relevant Group Policy Object (GPO) settings, as well as the PowerShell commands needed to configure Lync/Skype for Business Server. Clients available for configuration include Lync 2010 and Lync 2013 full client, Lync 2010 Attendant and Landis Computer’s Attendant Pro attendant clients, Windows Store App client, Lync Phone Edition, and more. Server side options include A/V conferencing, application sharing, Response Group Service applications, Conference Announcement service, Call Park, UCMA apps, PSTN audio, A/V Edge services, Exchange UM, and the VDI client.

To start with, go to the INPUT tab. Any of the green cells can be changed. Reset buttons allow you to set port and port count settings back to their original values. Future releases will also reset the DSCP values as well (just need to figure out how to do that in Office VBA). Red cells indicate an error (missing or incorrect data).

Enter your Front End and Edge pool FQDNs. If you have a separate mediation pool, enter that name as well. The values defined here are used to compose the PowerShell commands needed to configure Lync/Skype for Business Server.

You can show/hide different policy types using the appropriate check boxes.

If your Mediation role is collocated with your Front End servers, check the box. This will combine the appropriate GPO policies together.

Changes to green cells are immediately reflected elsewhere in the calculator.

Once you have the values entered/verified, go to the POLICIES tab to see a list of GPO settings needed. Check out Elan Shudnow’s awesome Enabling QoS for Lync Server 2013 and Various Clients and Jeff Schertz’s Lync Quality of Service Behavior for a deep dive into setting up QoS.

Next, go to the POWERSHELL-SERVER tab, and you’ll see the relevant Lync/Skype for Business Management Shell commands to configure the server-side based on the info you supplied. Copy and paste each into Lync/Skype for Business Server Management Shell.

Now, go to the POWERSHELL-GPO tab, and you can copy and paste PowerShell code into a PowerShell console on a domain controller to automatically create and configure the Group Policy Objects for server and client machines.

Lastly, the Registry-Edge tab contains the PowerShell code that updates the local security policy on the edge servers is used to configure QoS, since GPOs aren’t used in non-domain joined machines. It’s important that these commands be run in an elevated PowerShell session.

I have tons of ideas for more features and functionality. Feel free to comment below on things you’d like to see in future versions.

Syntax

None

Installation

None. Just open the file in Excel. As this is a macro based file, you’ll need to enable content when prompted.

Assumptions

None

Download

v1.7 – 02/28/2017 – QoS-Calculator-v1.7.xlsm

v1.6 – 12-19-2016 – QoS Calculator v1.6.xlsm

v1.5 – 11-04-2016 – QoS-Calculator-v1.5.xlsm

v1.4 – 09-13-2016 – QOS Calculator v1.4.xlsm

v1.3 – 04-26-2016 – Lync 2013 QoS Calculator v1.3.xlsm

v1.2 – 02-27-2015 – Lync 2013 QoS Calculator v1.2.xlsm

v1.1 – 01-26-2015 – Lync 2013 QoS Calculator v1.1.xslm

v1.0 – 11-5-2014 – Lync 2013 QoS Calculator v1.0.xlsm

Changelog

See the changelog for information on what’s changes/included in each version.

This is the changelog page for QoS Calculator. You will find a complete list of released versions, their dates, and the features and issues addressed in each. Please refer to the script’s main page for more information including download links, installation details, and more.

v1.7 – 02/28/2017

1. Fixed a typo on the Registry Edge tab. The line that sets “Do not use NLA” had a typo. It mistakenly said “No not use NLA”.

v1.6 – 12-19-2016

1. Minor tweak to PowerShell code for servers.
2. Fixed an issue with some rows not being hidden or becoming visible on the PowerShell-GPO tab. Thanks to @GreigInSydney for pointing it out.
3. Fixed an issue where changing the server audio DSCP value on the Input tab would not get reflected on the Registry-Edge tab
4. Added Server Audio and Server App Sharing config to the Registry-Edge tab. Thanks to Brad for pointing it out.
5. Fixed an issue where the wrong video ports could be set for the Skype for Business client. Thanks to Tim for pointing it.

v1.5 – 11-04-2016

1. Updated URLs to new website (although going to old URLs will auto redirect to new ones)
2. Fixed a couple of missing references to Skype for Business in the GPO code. No functionality change – just visual.
3. Fixed an issue where deselecting some check boxes would hide the wrong line or no line on the PowerShell-GPO tab. Thanks to @GreigInSydney for pointing these out.
4. Fixed an issue where changing the server audio port for Edge servers didn’t update the “Registry-Edge” tab code. Thanks to @GreigInSydney for pointing these out.
5. Fixed an issue where deselecting all client policies would still output code for a client GPO (albeit empty)

v1.4 – 09-13-2016

1. Fixed an issue with PowerShell code throwing an error when attempting to configure the registry on Edge servers.
2. Fixed an issue where selecting/deselecting certain check boxes didn’t show/hide all of the related lines in the PowerShell-GPO worksheet.
3. Added the executable name for VDI clients running Citrix HDX RealTime Optimization Pack 2.0 – Thanks to Ari for the info.

v1.3 – 04-26-2016

1. Now generates the PowerShell code to create GPO for domain joined edge servers
2. Now generates the PowerShell code to create local security policy for non-domain joined edge servers
3. Now generates the PowerShell code to create GPO for Exchange UM
4. Fixed issue with first trusted application port not processing correctly
5. Disabled the UserConfiguration branch of GPOs for faster evaluation/processing
6. Added buttons to copy policy code, config code, etc.
7. Clarified polices required between Edge & Exchange UM based on executable info from Tony Smith @ Microsoft.
8. Corrected Exchange UM DSCP value to match client audio value – was mistakenly set to match client video value. Thanks to @bricomp.
9. Fixed two typos on PowerShell-Server tab in the verification code column. Thanks to @UCMadeEasy for pointing them out.
10. Updated some naming to include both Lync and Skype for Business names”

v1.2 – 2-27-2015

1. “PowerShell code for creating and configuring GPOs has been added. Note that since edge servers are not joined, GPOs have no effect on them. You must create the edge policies manually using the Local Security Policy on each edge server.
2. SDN control port value (which is 9333 by default) can now be included, and a button checks to make sure the entered port is not within the defined port ranges.
3. Up to 3 trusted app ports can also be defined, with the same button verifying there is no conflict. Examples of trusted apps include sefautil (port 7489).”

v1.1 – 01-26-2015

1. Fixed server app sharing end port calculation. It was incorrectly showing an end port that was 1 higher than the correct amount.
2. Moved edge server port definitions to destination instead of source
3. Added fields to define trusted app ports, and SDN port. This will be used in the future to ensure there is no conflict in port assignments.
4. Added configuration verification commands to PowerShell tab
5. Fixed typo in PowerShell code for mediation server. Thanks to Andy.

v1.0 – 11-05-2014

1. Initial version