Enabling Users for Lync Inside ADU&C

Why do things manually when there’s fast and automated ways of achieving things? In this blog I look at how to automate the enablement of users for Microsoft Lync - specifically, I add the ability to enable users to the Active Directory Users & Computers Console therefore simplifying the work-flow for user-enablement.

====
I was chatting to a friend who does a lot of user administration and a common moan came through - setting up users in our organisation takes an age as I have to go configure them for ‘x’ different systems. One of these systems was of course Microsoft Lync Server - a product very close to my heart.

I find this whole approach interesting - if you’re doing something manually, repeatedly...well quite frankly you’re doing it wrong! There’s nearly always a better way.

One of the areas you can improve this user management process is by extending the Active Directory Users & Computers console (DSA.MSC). It’s not difficult to do, and you can automate a lot of work that you would previously have had to do manually. In fact, I’ve written about it before, here:

Extending Active Directory Users and Computers

In the above example I was using the extension to ease the setting of site/company addresses - again, avoiding repetitive manual tasks. In this example here, I’m using it to automate the enabling of users for Lync Server.

So, what have I done? Well, quite simply I have extended ADU&C to include an enable user for Lync option:

1

Selecting this takes the user and enables it for basic Lync operation. How is it done? Well, fairly easily. Before we look at how however, have a quick look at the video - it will explain exactly what I mean:



Enablement Script
Firstly, you need the script that enables the user. In my example, I’ve called this ‘EnableLyncUser.VBS’. Yes, I could have done it directly in PowerShell, but this was to show how it was done, rather than to write something full with error checking and the like.

When you right-click on a user, and select an option, the user’s fully qualified LDAP name is passed to the script as a command line. I use this command line parameter to connect to the user, get it’s email address, and then build a small PowerShell script that uses the Enable-csUser cmdlet to enable the user. Doddle.

You can download the script from here:

EnableLyncUser.RAR

In addition, the script produces a log file (love log files...) called ‘ADUC_EmableLync.TXT’ located in the TEMP directory that shows you exactly what the script is doing - here’s an example:

2

The process is:

Script reads in the passed LDAP location of the user
Finds the user’s email address by connecting to the location identified above
Builds a script called ‘EnableUser.PS1’ in the Temp directory containing the relevant extensions for Lync, and the configured ‘Enable-CSUser’ command.
Calls the PS1 script.

Simple isn’t it?

Anything to watch out for? Well, there’s two elements you will need to adjust for your own use - and these are:

3

So that’s:

PoolPath: Set this to the name of the pool that you want the users assigning to. If you’re not sure of the names use Get-csPool to list your pool identities.
Path to Lync.psd1: This file contains a number of extensions for Lync - we need to import them when PowerShell starts. Make sure this path is correct for your system.

Any Cool Bits in the Script?
Well, the way you call PowerShell is vaguely interesting - here’s the command:

Powershell.exe -WindowStyle minimized -Command C:\Users\ADMINI~1.CON\AppData\Local\Temp\EnableUser.PS1

(Wrapped for readability).

Notice the ‘-WindowStyle’ qualifier? You can change how PowerShell opens.

Extending ADU&C
Fire up ADSIEdit and hunt out the following CN:

CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=,DC=

(Wrapped for readability)

Now, if you don’t know what the above is you really shouldn’t be messing with the Schema.

So, once you’ve found it, have a look at the attribute list. In it, there will be one called ‘AdminContextMenu’. This attribute contains a list of attributes displayed when you right click on a user-object. Have a look at the one on my demo system below:

4

You can see that I’ve added in the second one - you do this by hitting ‘Add’ and entering the value like so:

5

The format is:

Number, NAME, path to script

So in the above example it’s:

2,ENABLE for Lync 2010,Y:\EnableLyncUser.VBS

As this is a schema modification, any machine that has the above script on will be able to use the extension. Note that you must have the Lync Management Shell installed on the machine that you’re using it on though.

Summary
It absolutely makes sense to automate stuff that you end up doing repeatedly, manually. Why not? By using the flexibility of Active Directory you really can make the life of your administrators easier, while at the same time cutting down on errors in the administration cycle.



blog comments powered by Disqus