Lync user provisioning via Powershell and permissions

  • Question

  • I'm trying to automate the enabling of an AD account for Lync via a low-rights account and PowerShell. I have created an AD account, domain\enlyncuser, which is a member of Domain Users and CSUserAdministrator.

    My command looks like this:

    get-csaduser -ou "ou=users,dc=company,dc=com" -filter {WindowsEmailAddress -like "*@somewhere.com"} | Where-Object {$_.Enabled -ne $True} | enable-csuser -RegistrarPool lync.somewhere.com -SipAddressType emailaddress

    The command is failing with the following error:

    Enable-CsUser : Login failed for user 'DOMAIN\enlyncuser'.
    At line:1 char:127
    + get-csaduser -ou "ou=users,dc=comewhere,dc=com" -filter {WindowsEmailAddress -like "*@somewhere.com"} | enable-csuser <<<< -RegistrarPool lync.somewhere.com -SipAddressType emailaddress
        + CategoryInfo : NotSpecified: (:) [Enable-CsUser], SqlConnectionException
        + FullyQualifiedErrorId : Microsoft.Rtc.Common.Data.SqlConnectionException,Microsoft.Rtc.Management.AD.Cmdlets.EnableOcsUserCmdlet

    This command works fine when run by a domain admin.

    Another user with the same group membership has no problem enabling a user through the Control Panel.

    So my question is: Are there additional permissions required for a user to enable a user for Lync via PowerShell versus the LCP?

    Thanks



    • Edited by JayScovill Wednesday, December 7, 2011 8:05 PM
    Wednesday, December 7, 2011 6:59 PM

Answers

  • Hi Jay,

    I ran a test and found that if you want to use PowerShell to enable the user, your account must be a member of the RTCUniversalUserAdmins group. CsUserAdministrator and Domain Admins users do not have permission to do it.


    • Proposed as answer by Sean_Xiao Monday, December 12, 2011 2:02 AM
    • Marked as answer by Sean_Xiao Thursday, December 15, 2011 1:59 AM
    Friday, December 9, 2011 6:30 AM
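
A pre-flight check for the group requirement described in the answer above, as an added example that is not part of the original thread. It assumes the Lync Server Management Shell, run as the low-rights provisioning account, and reuses the OU, filter and pool values from the question.

```powershell
# Added example (not from the thread). Run in the Lync Server Management Shell
# as the low-rights provisioning account.
# Assumptions: OU, filter and pool values are copied from the question;
# $requiredGroup is the group named in the answer.
$requiredGroup = 'RTCUniversalUserAdmins'

# Read group names from the current logon token. The token is built at logon,
# so a group added afterwards is absent until the account logs on again.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { }  # skip SIDs that cannot be resolved to a name
}

# Token group names have the form DOMAIN\GroupName; match on the group part.
$inGroup = [bool]($tokenGroups | Where-Object { $_ -like "*\$requiredGroup" })
if (-not $inGroup) {
    Write-Warning "$($identity.Name) has no $requiredGroup membership in its logon token."
    Write-Warning "Add the account to the group, log on again, then rerun this script."
    return
}

# Membership confirmed: preview the change first. Remove -WhatIf to apply it.
Get-CsAdUser -OU "ou=users,dc=company,dc=com" -Filter { WindowsEmailAddress -like "*@somewhere.com" } |
    Where-Object { $_.Enabled -ne $true } |
    Enable-CsUser -RegistrarPool "lync.somewhere.com" -SipAddressType EmailAddress -WhatIf
```

Checking the token rather than the directory catches the case where the account was added to the group but the scheduled task or session is still running with an older logon.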

All replies

  • It looks like I found the solution in this post: http://social.technet.microsoft.com/Forums/en-US/ocsmanagement/thread/9bfb8276-07ba-4dd8-985c-99cd5ed32c97

    As suspected, the permissions for PowerShell are different than those required for the Control Panel.

    In this case the low-rights user has to be a member of the RTCUniversalUserAdmins group.

    Wednesday, December 7, 2011 9:00 PM