locked
RBAC configuration of skype for business RRS feed

  • Question

  • Hi All,

    We have an on-perm Skype for business 2015 and we want to IT help desk user has the right to enable the existing users for Skype for business, therefore, we have created a custom role (ABC_Cs-admin) and assigned the following templates to the custom Cs Admin role. After assigning the users to the custom Cs-admin role (ABC_Cs-admin) then when the IT Help desk user trying to enable the users for Skype for business then the Registrar pool is not visible. Which rights are required to assign to the Custom Role (ABC_Cs-admin) so that the IT Help desk users are able to enable the users?

    • Name : Get-CsAdContact
    • Name : Get-CsAdUser
    • Name : Get-CSPool
    • Name : Get-CsUser
    • Name : Get-CsUserAcp
    • Name : Get-CsUserPoolInfo
    • Name : Enable-CsUser
    • Name : set-CsUser
    • Name : Get-CsTrustedApplicationPool
    • Name : Set-CsTrustedApplicationPool
    • Name : Set-CsRegistrar
    • Name : New-CsRegistrarConfiguration
    • Name : Set-CsUserServer

    As shown in the below image

    looking for prompt response

    Wednesday, December 4, 2019 12:16 PM

Answers

  • Hi NajeebUIlah!
    What is your custom role based on? CsUserAdministrator or others?
    In my research, CsUserAdministrator is a predefined Administrative Roles can enable and disable users for Lync Server, move users and assign existing policies to users.
    I did a test in my environment and there is no such problem. Please refer to the steps as follow:
    1)Creating a new RBAC Role. In my example, I created a custom AD security group called “CsAdminUserEnable”.Note that this must be a Universal Security Group.


    2)Add users in your Group.


    3)We will use the default CsUserAdministrator role as the template for the creation of our new role with the following PowerShell command.


    4)Use "@{Add=" to supplement the role with additional cmdlets. 

    5)Now user “a1” can enable or disable users in Control Panel.


    For more details about RBAC for Skype for Business, you can refer to:

    https://docs.microsoft.com/en-us/lyncserver/lync-server-2013-planning-for-role-based-access-control

    For more details about Creating Custom RBAC Roles, you can refer to:

    http://blog.masteringmsuc.com/2012/11/creating-custom-rbac-roles-in-lync-2013.html

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
     


    Best Regards,
    Jimmy Yang

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.
    Thursday, December 5, 2019 9:15 AM

All replies

  • Hi NajeebUIlah!
    What is your custom role based on? CsUserAdministrator or others?
    In my research, CsUserAdministrator is a predefined Administrative Roles can enable and disable users for Lync Server, move users and assign existing policies to users.
    I did a test in my environment and there is no such problem. Please refer to the steps as follow:
    1)Creating a new RBAC Role. In my example, I created a custom AD security group called “CsAdminUserEnable”.Note that this must be a Universal Security Group.


    2)Add users in your Group.


    3)We will use the default CsUserAdministrator role as the template for the creation of our new role with the following PowerShell command.


    4)Use "@{Add=" to supplement the role with additional cmdlets. 

    5)Now user “a1” can enable or disable users in Control Panel.


    For more details about RBAC for Skype for Business, you can refer to:

    https://docs.microsoft.com/en-us/lyncserver/lync-server-2013-planning-for-role-based-access-control

    For more details about Creating Custom RBAC Roles, you can refer to:

    http://blog.masteringmsuc.com/2012/11/creating-custom-rbac-roles-in-lync-2013.html

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
     


    Best Regards,
    Jimmy Yang

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.
    Thursday, December 5, 2019 9:15 AM
  • Hi,
    Is there any update on this case?
    Please feel free to drop us a note if there is any update.
    Have a nice day!

    Best Regards,
    Jimmy Yang

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com
    Thursday, December 12, 2019 11:10 AM
  • Hi all,

    Sorry for late reply.

    Skype for Business RBAC

    1-Create a security universal group (SL_S4b_HelpDesk or with any name there is no necessary to remain the security and admin role group same) in Domain Controller

    2-Run the below command in S4B PowerShell

    New-CsAdminrole -Identity "Sl_S4B_HelpDesk" -Template CSHelpDesk

    3-Rune the below command in s4b Powershell

    Set-CsAdminRole -Identity "Sl_S4B_HelpDesk" -Cmdlets @{Add="Get-CsAdContact","Get-CsAdUser","Get-CSPool","Get-CsUser","Get-CsUserAcp","Get-CsUserPoolInfo","Enable-CsUser","set-CsUser","Get-CsTrustedApplicationPool","Set-CsTrustedApplicationPool","Set-CsRegistrar","New-CsRegistrarConfiguration","Set-CsUserServer","Get-CSAllowedDomain","Get-CSService"}

    4-Get-CsAdminRole Sl_S4B_HelpDesk | Select-Object –ExpandProperty cmdlets | fl

    5-Add the user in the Sl_S4B_HelpDesk group in domain controller for RBAC access

    6-Now the RBAC user have just right to see the USER tab.

     

     

     


    • Edited by NajeebUllah Thursday, December 26, 2019 1:03 PM b
    Thursday, December 26, 2019 1:00 PM
  • Hi NajeebUIIah!

    Thanks for your sharing about it!

    Have a nice day!

    Best Regards,
    Jimmy Yang

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.
    Friday, December 27, 2019 1:17 AM