Automating the "Lync-Enabling" of new users added to AD (via Powershell)

  • Question

  • Hi All,

    Don't know if this is in the right area, so I apologize if it is not.

    I have a Single Standard Edition FE Server only running IM/Presence and Application/Desktop Sharing....and I am looking for a way to automate the process of Lync-Enabling new AD users in my organization by using a powershell script and scheduling a daily task to run to do just that.

    I've come up with a script that works and will send me an email when completed, but not being familiar with powershell, I don't know how to set up the conditions that should decide to send or NOT send an email to me.

    Ideally...I'd like it to send me an email only if the script has a problem and does not run.  Here is what my script looks like:

    powershell set-executionpolicy RemoteSigned

    Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'

    Get-CsAdUser -OU "ou=lynctest,ou=computers,DC=domain,DC=com" | Where-Object {$_.UserAccountControl -eq "NormalAccount" -and $_.Enabled -ne $True} | Enable-CsUser -RegistrarPool "pool.domain.com" -SipAddressType EmailAddress -SipDomain domain.com

    Start-Sleep -s 30

    Get-CsUser -OU "ou=lynctest,ou=computers,DC=domain,DC=local" | Where-Object {$_.AudioVideoDisabled -eq $False}  | Set-CsUser -AudioVideoDisabled $True

    Send-MailMessage -To 'admin@domain.com' -From 'LyncServer@domain.com' -SmtpServer 'smtp.domain.com' -Subject "Lync Enabling Script" -Body "The Automatic Lync-Enabling of New Users Script has COMPLETED"

     

    I came up with this to 1) search our main employee's OU for all ACTIVE AD accounts that are not lync enabled...and then enable them with our pool/sip/etc settings.  2) it then searches that same OU for all lync enabled users that currently have their AudioVideodisabled set to false...and then set it to true (because we are not using any of that functionality currently and do not want to confuse users with buttons that won't work).

    I currently have a scheduled task that runs this script, calling a .bat file that contains this:

    Powershell -command "& {C:\script\lyncenabletest.ps1 }"

    This works, but I will still get an email even if there is a "problem" with the script (like an OU name changing)...which is a problem because I don't want to just "assume" that it is running correctly just because I receive an email.

    Can anyone shed some light on how I can go about setting this script to only send me an email if there is a problem?  I know that the commands don't change, but I would like to know if there was an error because..... say....someone mistakenly changed the name of an OU affecting the destination path of the script commands.

    Thanks in advance,

    B

    Tuesday, June 21, 2011 3:07 PM

Answers

  • You could try this which checks for errors after a command

    function restartFoo {
     $oldErrCount = $error.Count
     $procList = get-process foo -ea SilentlyContinue
     if ($error.Count -eq $oldErrCount) { $procList | stop-process }
     c:\bin\foo.exe
    }
    

    So it checks the count of errors before and after you run a command. If they are the same it knows everything went ok. If the count has changed, something went wrong.


    Mike


    If a post is helpful, please take a second to hit the green arrow on the left, or mark as answer, thanks

    MCITP: Lync, Exchange 2010 & Server Administrator

    Blog
    • Marked as answer by BeWel Thursday, June 23, 2011 6:51 PM
    Tuesday, June 21, 2011 3:24 PM

All replies

  • I guess one question I have is how do you know what value is returned from a powershell command that is pointing to an OU that doesn't exist....or one that doesn't have an AD connection?

     

    I have no idea what to check at the end of my piped commands for looking up users based on their properties...if there were to be an error...

    Tuesday, June 21, 2011 4:45 PM
  • I suggest the best approach is to check if the OU exists rather than assuming it exists and trying to catch the error. This code will check if the OU exists

     

    $ou = Get-QADObject -Name $ouName -Type 'organizationalUnit'

    if (-not $ou) {
        # $ou is null, so the OU didn't exist
        # OU is invalid... send email alerting error
    }
    else {
        # Go on with the rest of the script
    }

    This is based on having assigned the OU to the variable $ouName


    Mike


    If a post is helpful, please take a second to hit the green arrow on the left, or mark as answer, thanks

    MCITP: Lync, Exchange 2010 & Server Administrator

    Blog
    Tuesday, June 21, 2011 10:02 PM
  • Hi, BeWel,

    Any update?

    Please refer to this blog, hope that can give you some inspiration.


    Please remember to click “Mark As Answer” on the post that helps you, and to click “Unmark As Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, June 23, 2011 8:41 AM
    Moderator
  • I've found that you need to make sure "AccountDisabled" doesn't match in UserAccountControl other than checking for "NormalAccount".

     

    Also, what I've done is an LDAP filter to get all users whose msRTCSIP-Enabled field is nothing, and the AD account is not disabled. Then, in the foreach loop, filter out users in OUs that I don't want. This process has allowed me to enable well over 1000 users in under a minute. Here's a common LDAP filter I use:

     

    $strQueryDc = "mydc.mydomain.com"
    $objDomain = new-object DirectoryServices.DirectoryEntry("LDAP://$strQueryDC")
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain
    $Searcher.PageSize = 50000
    $Searcher.filter = "(&(objectCategory=person)(objectClass=user)(!targetAddress=*)(homeMDB=*)(mailNickname=*)(!msRTCSIP-userEnabled=*)(displayName=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
    $Searcher.SearchScope = "Subtree"
    $SearchPropList = "sAMAccountName","userPrincipalName","mail","distinguishedName","proxyAddresses"
    foreach ($i in $SearchPropList){$Searcher.PropertiesToLoad.Add($i) | Out-null}
    $users = $Searcher.findAll()
    $intTotal = $users.count
    
    

    Thursday, June 23, 2011 2:17 PM
  • There are some good points here...which I'll have to go try.

    What I did do so far was set the $erroractionpreference to "Stop" so that if the script encounters an error anywhere...it won't complete, therefore not sending me an email.

    Thanks for the help!

    B

    Thursday, June 23, 2011 6:51 PM
  • Hi Be,

     

    Can you also let me know the script and process on this? I wanted to do the same thing but with only one change: I need to get the success and failure or emails once the script execution is completed.


    Krishna
    Thursday, June 23, 2011 7:00 PM
  • Hi Krishna,

    My script and process are in the top post, with my original question.

    The only change I have made was I added the line:

    $ErrorActionPreference = "Stop"

    after my Import-Module.... line

     

    But here it is again:

     

    powershell set-executionpolicy RemoteSigned

    Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'

    $ErrorActionPreference = "Stop"

    Get-CsAdUser -OU "ou=lynctest,ou=computers,DC=domain,DC=com" | Where-Object {$_.UserAccountControl -eq "NormalAccount" -and $_.Enabled -ne $True} | Enable-CsUser -RegistrarPool "pool.domain.com" -SipAddressType EmailAddress -SipDomain domain.com

    Start-Sleep -s 30

    Get-CsUser -OU "ou=lynctest,ou=computers,DC=domain,DC=local" | Where-Object {$_.AudioVideoDisabled -eq $False}  | Set-CsUser -AudioVideoDisabled $True

    Send-MailMessage -To 'admin@domain.com' -From 'LyncServer@domain.com' -SmtpServer 'smtp.domain.com' -Subject "Lync Enabling Script" -Body "The Automatic Lync-Enabling of New Users Script has COMPLETED"

     

    I also created a scheduled task that runs this script, calling a .bat file that contains this:

    Powershell -command "& {C:\script\lyncenabletest.ps1 }"

     

    Doing this will cause the script to terminate immediately and it doesn't get to the "Send-Mailmessage" part....This way if I get an email...everything presumably ran OK.  If I don't get an email...then there was a problem.

     

    B

    Thursday, June 23, 2011 7:55 PM
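The opposite arrangement, mail only when something fails, can be built from the same cmdlets with try/catch. This is an added example, not code posted by anyone in the thread; the OU, pool, SIP domain and mail addresses are the thread's own placeholders, and the OU existence test via DirectoryEntry is an assumption used here in place of the Quest cmdlet.

```powershell
# Added example: alert only on failure. All names and addresses are placeholders from the thread.
Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'

$ErrorActionPreference = 'Stop'   # make cmdlet errors terminating so catch sees them
$ou   = 'ou=lynctest,ou=computers,DC=domain,DC=com'
$mail = @{
    To         = 'admin@domain.com'
    From       = 'LyncServer@domain.com'
    SmtpServer = 'smtp.domain.com'
}

try {
    # Fail early if the OU was renamed or moved; an unreachable DC throws here as well.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ou")) {
        throw "OU not found: $ou"
    }

    # Normal, non-disabled accounts that are not yet Lync-enabled.
    Get-CsAdUser -OU $ou |
        Where-Object { $_.UserAccountControl -match 'NormalAccount' -and
                       $_.UserAccountControl -notmatch 'AccountDisabled' -and
                       $_.Enabled -ne $true } |
        Enable-CsUser -RegistrarPool 'pool.domain.com' -SipAddressType EmailAddress -SipDomain 'domain.com'

    Start-Sleep -Seconds 30

    # Audio/video is not deployed, so switch it off for anyone who still has it.
    Get-CsUser -OU $ou |
        Where-Object { $_.AudioVideoDisabled -eq $false } |
        Set-CsUser -AudioVideoDisabled $true
}
catch {
    # Put the error record in the mail so the cause is visible without logging on to the server.
    $body = "Lync-enabling script FAILED on $env:COMPUTERNAME at $(Get-Date -Format s)`r`n`r`n" +
            ($_ | Out-String)
    try   { Send-MailMessage @mail -Subject 'Lync Enabling Script FAILED' -Body $body }
    catch { Write-Warning "Could not send alert mail: $_" }
    exit 1    # non-zero exit code when the script is started with powershell.exe -File
}
exit 0
```

With this arrangement silence means success, so the scheduled task's last-run result should be checked as well; a task that never starts sends no mail either.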
  • Good point Pat.

    The -notmatch "AccountDisabled" is definitely the way to go...

    Thx!

    Thursday, June 23, 2011 8:19 PM
  • Hi bewl,

    Your script is working?

    I'm also looking for a similar script with a small change in the query. I think you can help on this with my requirements. I'm not a script guy.

    Find below the AD query I used with my OCS to find the users and enable them for OCS. This query is working with Lync PowerShell, but it scans the whole domain and displays more users. I have generic, temp users OU outside of ORG OU. I just need to search a particular OU and its sub OUs, for example "Ou=ORG,OU=mydomain,ou=com", because we have generic, temp users OU outside of ORG OU.

    (&(&(&(objectCategory=user)(homeMDB=*)(msExchHomeServerName=*)(extensionAttribute7=*)(extensionAttribute1=*)(extensionAttribute2=*)(extensionAttribute10=*)(!msRTCSIP-UserEnabled=TRUE)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))))

    Our company policy doesn't allow me to enable all users for IM; they want to enable users for IM only after they enter their personal details using an internal web page, for example their ID no., team code, etc.

    Is it possible to run this query against an OU and its child OUs?

    I would also like to schedule this script on a daily basis, the same as you did, and send mail. Please let me know the steps.

    Thanx in advance.

    Thomas


    Monday, September 12, 2011 9:25 AM
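The DirectorySearcher approach from the June 23 reply can be limited to one OU and its child OUs, as asked in the last post, by binding the search root to that OU instead of the domain. This is an added example, not code from any poster; the DC name, OU names, excluded OUs, pool and SIP domain are placeholders, and the filter is a shortened form of the one quoted in the thread.

```powershell
# Added example, not code from the thread. DC, OUs, pool and SIP domain are placeholders.
$dc         = 'mydc.mydomain.com'
$searchBase = 'OU=ORG,DC=mydomain,DC=com'   # assumed OU; its child OUs are included
$excludeOUs = 'OU=Generic', 'OU=Temp'       # assumed OUs to skip inside the base

# Binding the searcher to the OU (not the domain root) keeps the query inside that OU.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$searchBase")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.SearchScope = 'Subtree'           # the base OU and everything beneath it
$searcher.PageSize    = 1000                # page through results instead of truncating
# Users with a mailbox alias and a UPN, no msRTCSIP-UserEnabled value, AD account not disabled.
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(mailNickname=*)(userPrincipalName=*)' +
                   '(!(msRTCSIP-UserEnabled=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
foreach ($p in 'userPrincipalName', 'distinguishedName') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        # Property names come back lower-cased in the result collection.
        $dn  = [string]$r.Properties['distinguishedname'][0]
        $upn = [string]$r.Properties['userprincipalname'][0]

        # Skip accounts that sit in an excluded OU anywhere below the base.
        $excluded = $excludeOUs | Where-Object { $dn.ToLower().Contains((",$_,").ToLower()) }
        if ($excluded) { continue }

        # -WhatIf only reports what would change; remove it once the list looks right.
        Enable-CsUser -Identity $upn -RegistrarPool 'pool.domain.com' `
            -SipAddressType EmailAddress -SipDomain 'domain.com' -WhatIf
    }
}
finally {
    $results.Dispose()                      # release the unmanaged search handle
}
```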