This idea is from a LinkedIn post that I responded to. The original poster wanted to know if there was a way to manage Lync external access policies based on AD group membership. Absolutely!
This is a fairly simple script that uses a scheduled task that runs every 4 hours, looks at the members of a given AD security group, including nested groups, and applies a Lync policy to each member. The name of the AD security group and the type and name of the policy are all configurable. The ActiveDirectory and Lync PowerShell modules are used to complete this. The actual moving parts are pretty simple – really just two lines of code. But some extra error catching, installation code, and safeguards make it a tad bigger.
Caveat – users get policies when they launch the Lync client. So even though a policy might be assigned to a user, they won’t see any change until the client is restarted.
Caveat #2 – if you configure this script with several scheduled tasks to handle different policies and different AD groups, make sure users don’t end up in multiple groups, or you could have unintended results. Also removing a user from a group does NOT revert their policy back. The reason I didn’t add that is because moving a user from one group to another could cause problems if the script set them back to a default policy, yet another group needed to change it to a different policy.
Execution Policy: Third-party PowerShell scripts may require that the PowerShell Execution Policy be set to either AllSigned, RemoteSigned, or Unrestricted. The default is Restricted, which prevents scripts – even code-signed scripts – from running. For more information about setting your Execution Policy, see Using the Set-ExecutionPolicy Cmdlet.
Download the script from the DOWNLOAD section below. Open it in your favorite text editor.
Find the line that reads
[string]$GroupDN = "",
and put the Distinguished Name of the group in between the quotes. For example
[string]$GroupDN = "CN=Lync Policy Group,DC=contoso,DC=com",
Next, define the policy that will be granted to members of the group. Find the line that reads
[string]$PolicyName = "",
and put the name of the Lync policy in between those quotes, such as
[string]$PolicyName = "Executives External Access Policy",
The last thing we need to do in the script file is define what KIND of policy we’re going to grant.
Find the line that reads
[string]$PolicyType = "ExternalAccess",
and adjust it accordingly. The allowed values are Archiving, Client, ClientVersion, Conferencing, ExternalAccess, HostedVoicemail, Location, Mobility, Pin, Presence, and Voice, representing the various types of policies that can be applied to a user. The default is ExternalAccess.
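For readers who want to see the two "moving parts" the post refers to, here is an added example (not the script from the download, and not the author's code) that takes the same three settings as parameters, expands nested group membership, and grants the chosen policy with the checks a scheduled job should have. It assumes the ActiveDirectory and Lync modules are installed, that the caller holds the CsUserAdministrator or CsAdministrator role, and that Get-CsUser exposes the assigned policy as a property named <PolicyType>Policy whose string form is "Tag:<name>" (the idempotency check depends on that assumption).

```powershell
# Added example, not the script from the post. Assumes the ActiveDirectory and
# Lync modules are installed and the caller holds CsUserAdministrator/CsAdministrator.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Distinguished Name of the AD security group, e.g. "CN=Lync Policy Group,DC=contoso,DC=com"
    [Parameter(Mandatory = $true)]
    [string]$GroupDN,

    # Name of the Lync policy to grant, e.g. "Executives External Access Policy"
    [Parameter(Mandatory = $true)]
    [string]$PolicyName,

    # Policy type; the cmdlet name is built as Grant-Cs<PolicyType>Policy
    [ValidateSet('Archiving', 'Client', 'ClientVersion', 'Conferencing', 'ExternalAccess',
                 'HostedVoicemail', 'Location', 'Mobility', 'Pin', 'Presence', 'Voice')]
    [string]$PolicyType = 'ExternalAccess'
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module Lync -ErrorAction Stop

$grantCmdlet = "Grant-Cs${PolicyType}Policy"
$getCmdlet   = "Get-Cs${PolicyType}Policy"

# Fail before touching any user if the inputs are wrong: the group must resolve,
# the cmdlet must exist in this Lync module, and the policy must exist.
$group = Get-ADGroup -Identity $GroupDN -ErrorAction Stop
if (-not (Get-Command $grantCmdlet -ErrorAction SilentlyContinue)) {
    throw "Cmdlet $grantCmdlet not found; check the Lync module and -PolicyType"
}
$null = & $getCmdlet -Identity $PolicyName -ErrorAction Stop

# -Recursive expands nested groups; keep only user objects, because nested
# groups and computer accounts are returned as members too.
$members = @(Get-ADGroupMember -Identity $group -Recursive |
             Where-Object { $_.objectClass -eq 'user' })
if ($members.Count -eq 0) {
    Write-Warning "Group '$($group.Name)' has no user members; nothing to do"
    return
}

$granted = 0; $skipped = 0; $failed = 0
foreach ($member in $members) {
    # Only Lync-enabled users can hold a policy
    $csUser = Get-CsUser -Identity $member.DistinguishedName -ErrorAction SilentlyContinue
    if (-not $csUser) {
        Write-Verbose "$($member.SamAccountName) is not Lync-enabled, skipping"
        $skipped++
        continue
    }

    # Idempotency check (assumption: the assigned policy is exposed as
    # <PolicyType>Policy and stringifies as "Tag:<name>"). Re-granting is
    # harmless, but skipping keeps the 4-hourly log readable.
    $current = "$($csUser."${PolicyType}Policy")"
    if ($current -eq "Tag:$PolicyName") { $skipped++; continue }

    # -WhatIf / -Confirm work through ShouldProcess, so a dry run is possible
    if ($PSCmdlet.ShouldProcess($member.SamAccountName, "Grant $PolicyType policy '$PolicyName'")) {
        try {
            & $grantCmdlet -Identity $member.DistinguishedName -PolicyName $PolicyName -ErrorAction Stop
            $granted++
        } catch {
            Write-Warning "Failed to grant to $($member.SamAccountName): $_"
            $failed++
        }
    }
}
Write-Output "Granted: $granted  Skipped: $skipped  Failed: $failed"
```

Run it once with -WhatIf (for example `.\Grant-Policy.ps1 -GroupDN 'CN=Lync Policy Group,DC=contoso,DC=com' -PolicyName 'Executives External Access Policy' -WhatIf`) to see which accounts would change before letting a scheduled task loose on them. Two practical limits worth knowing: Get-ADGroupMember -Recursive fails with a size-limit error on very large groups (the Active Directory Web Services default caps group member enumeration at 5000), and, as the caveats above note, nothing here reverts a policy when a user leaves the group.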
Next, ensure that the server where the script will run has both the ActiveDirectory and Lync PowerShell modules installed. Domain controllers typically have the ActiveDirectory module, and Lync servers have the Lync module. Install the appropriate ones using these steps.
To install the ActiveDirectory module, open PowerShell and type the following:
Add-WindowsFeature -name AD-Domain-Services -IncludeManagementTools
To install the Lync Server Management Tools, which includes the PowerShell module, install the core components. See Install Lync Server Administrative Tools for details.
This will ensure that both modules are available. The ActiveDirectory module is used to get the members of the AD security group, and the Lync module is used to actually grant the policy.
The script must run as a member of the CsUserAdministrator or CsAdministrator groups, as those have the rights to assign policies.
Next, open PowerShell and run the script with the -install switch. The script will prompt for the password of the currently logged on user, and then create the scheduled task to run the script every 4 hours.
The scheduled task will run every 4 hours, with a start time of when you ran the -install option. You can open the scheduled task in Task Manager and adjust as needed.
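As an added illustration of what the -install switch sets up (this is not the post's own install code), the following registers an equivalent 4-hourly task with the ScheduledTasks module that ships with Windows Server 2012 and later. The script path and the account name are assumptions; the account should be a dedicated one holding only the CsUserAdministrator role, rather than the interactive administrator's own credentials, since Task Scheduler stores the password to run the task unattended.

```powershell
# Added example, not the post's -install code. Assumes Windows Server 2012+ (ScheduledTasks
# module). Script location and task account are placeholders to adjust.
param(
    [string]$ScriptPath  = 'C:\Scripts\Grant-CsPolicyByADGroup.ps1',   # assumed location
    [string]$TaskName    = 'Grant-CsPolicyByADGroup',
    [string]$TaskAccount = 'CONTOSO\svc-lyncpolicy'                     # assumed service account
)

if (-not (Test-Path $ScriptPath)) { throw "Script not found: $ScriptPath" }

# Prompt for the password rather than taking it on the command line, so it
# never lands in the shell history or in the task's visible arguments.
$cred = Get-Credential -UserName $TaskAccount -Message 'Password for the task account'

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""

# Start now and repeat every 4 hours indefinitely, matching the post's -install behaviour.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 4) `
    -RepetitionDuration ([TimeSpan]::MaxValue)

# Kill a hung run after an hour and never start a second copy while one is running.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -Force | Out-Null

# Confirm registration and show when it will next run
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, NextRunTime, LastTaskResult
```

After the first run, LastTaskResult of 0 in Get-ScheduledTaskInfo confirms the script exited cleanly; anything else is the place to start looking before assuming a policy was applied.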
You can run the script manually as well. Just run
Note that it may take a while before the policy is visible on the user account due to AD replication.
I’ve never been one to really solicit donations for my work. My offerings are created because *I* need to solve a problem, and once I do, it makes sense to offer the results of my work to the public. I mean, let’s face it: I can’t be the only one with that particular issue, right? Quite often, to my surprise, I’m asked why I don’t have a “donate” button so people can donate a few bucks. I’ve never really put much thought into it. But those inquiries are coming more often now, so I’m yielding to them. If you’d like to donate, you can send a few bucks via PayPal at https://www.paypal.me/PatRichard. Money collected from that will go to the costs of my website (hosting and domain names), as well as to my home lab.
v1.7 – 02-03-2017 – Grant-CsPolicyByADGroup.v1.7.zip
v1.6 – 09-23-2014 – Grant-CsPolicyByADGroup.v1.6.zip
v1.5 – 02-08-2014 – Grant-CsPolicyByADGroup.v1.5.zip
v1.4 – 01-27-2014 – Grant-CsPolicyByADGroup.v1.4.zip
v1.2 – 10-16-2012 – Grant-CsPolicyByADGroup.v1.2.zip
v1.1 – 09-19-2012 – Grant-CsPolicyByADGroup.v1.1.zip
v1.0 – 09-10-2012 – Grant-CsPolicyByADGroup.v1.0.zip
See the changelog for this script for a description of changes with each release.