How do you assign an RBAC (Role-Based Access Control) role to a user? Practice, practice, practice.
See, because there's this old joke where the one guy asks, "How do I get to Carnegie Hall?" and the other guy says, "Practice, practice, prac –" Well, never mind. How do you really assign an RBAC role to a user? Why, by running a script like this one, of course:
# Usage: C:\Scripts\Assign-RBACRole.ps1 <RoleName> <UserIdentity>
# Search the whole domain for the security group whose SamAccountName is the role name.
# Note that $args[0] goes into the filter as-is; a role name containing ( ) * or \
# would change the filter itself, which is one reason the result count is checked below.
$strFilter = "(&(objectCategory=Group)(SamAccountName=" + $args[0] + "))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry   # binds to the default naming context
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$colProplist = "distinguishedName"
foreach ($i in $colPropList)
{[void] $objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
# Exactly one group should match: zero means the group is missing, more than one
# means some other object is wearing the role's name.
if ($colResults.Count -ne 1)
{throw "Expected one group named $($args[0]), found $($colResults.Count)"}
foreach ($objResult in $colResults)
{$groupDN = $objResult.Path}   # the ADsPath, e.g. LDAP://CN=CsHelpDesk,CN=Users,DC=...
# Look the user up through Lync so the same Identity values Get-CsUser accepts work here.
$userDN = (Get-CsUser -Identity $args[1]).DistinguishedName
$user = [ADSI] "LDAP://$userDN"
$group = [ADSI] $groupDN
# IADsGroup::Add wants the member's ADsPath (LDAP://...), not its bare DN.
$group.Add($user.PsBase.Path)
As you probably know, there's a very intimate bond between RBAC roles and Active Directory security groups; in fact, each RBAC role is associated with one (and only one) Active Directory security group. (If you didn't know that, then you might want to glance through the article A Brief Introduction to RBAC – Part 1 before going much further.) If you want to assign a user an RBAC role (say, CsHelpDesk), all you have to do is add that user to the corresponding Active Directory security group. (Which, in a feat of common sense practically unprecedented in the computer world, is also named CsHelpDesk.)
That means that, yes, you can assign someone an RBAC role simply by using Active Directory Users and Computers to add that person to the appropriate security group. If you like doing everything from within the Lync Server Management Shell, however, the script shown above will perform the exact same task. Simply copy the code, paste it into a text editor, and then save the file using a .ps1 file extension (for example, C:\Scripts\Assign-RBACRole.ps1). From there all you have to do is run the script, taking care to supply the RBAC role name (e.g., CsHelpDesk) and the Identity of the user being assigned the role (e.g., Ken Myer):
C:\Scripts\Assign-RBACRole.ps1 "CsHelpDesk" "Ken Myer"
In turn, the script will search Active Directory in order to locate, and then bind to, the appropriate security group. The script will connect to the specified user account, then use this odd-looking little snippet of code to add the user to the group:
$group.Add($user.PsBase.Path)
Assignment complete!
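As an added example (not code from the original post, and not part of Lync's own tooling), here is a version of the same assignment that treats its two arguments as untrusted input and checks its own work afterward: the role name is escaped before it goes into the LDAP filter, the search must return exactly one group, the add is skipped if the user is already a member, and Get-CsAdminRoleAssignment is used to confirm that Lync now reports the role. The function names (ConvertTo-LdapFilterValue, Find-RbacRoleGroup, Add-RbacRoleMember, Test-RbacRoleAssignment) are this example's own. It assumes it runs in the Lync Server Management Shell on a domain-joined machine, and that Get-CsAdminRoleAssignment returns role objects exposing an Identity property.

```powershell
# Added example, not code from the original post: assign an RBAC role with
# input checks and a post-assignment verification. Assumes the Lync Server
# Management Shell (Get-CsUser, Get-CsAdminRole, Get-CsAdminRoleAssignment)
# on a domain-joined machine. The function names are this example's own.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside filter values, so that a
    # value taken from the command line cannot change the shape of the filter
    # (e.g. "CsHelpDesk)(objectClass=*" stays a literal name, not a new clause).
    param([Parameter(Mandatory = $true)][string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-RbacRoleGroup {
    # Resolve an RBAC role name to the distinguished name of its security group.
    # Get-CsAdminRole fails first if Lync has no such role; the AD search must
    # then match exactly one group (zero: group missing; more than one: some
    # other object is wearing the role's name).
    param([Parameter(Mandatory = $true)][string] $RoleName)
    $role = Get-CsAdminRole -Identity $RoleName -ErrorAction Stop
    $name = ConvertTo-LdapFilterValue $role.Identity
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry
    $searcher.Filter      = "(&(objectCategory=group)(sAMAccountName=$name))"
    $searcher.SearchScope = 'Subtree'
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    if ($results.Count -ne 1) {
        throw "Expected exactly one group named '$($role.Identity)', found $($results.Count)."
    }
    $dn = [string] $results[0].Properties['distinguishedname'][0]
    $results.Dispose()
    $dn
}

function Add-RbacRoleMember {
    # Add the user to the role's group. The add is skipped when the user is
    # already a direct member, so running this twice does not raise an error.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string] $RoleName,
        [Parameter(Mandatory = $true)][string] $UserIdentity
    )
    $groupDN = Find-RbacRoleGroup -RoleName $RoleName
    $userDN  = (Get-CsUser -Identity $UserIdentity -ErrorAction Stop).DistinguishedName
    # A forward slash is a path separator in an ADsPath, so escape it when binding by DN.
    $group    = [ADSI] "LDAP://$($groupDN -replace '/', '\/')"
    $userPath = "LDAP://$($userDN -replace '/', '\/')"
    if (@($group.psbase.Properties['member']) -contains $userDN) {
        Write-Verbose "$UserIdentity is already a member of $RoleName"
        return
    }
    $group.Add($userPath)   # IADsGroup::Add takes the member's ADsPath
}

function Test-RbacRoleAssignment {
    # Confirm the assignment the way Lync itself sees it. Get-CsAdminRoleAssignment
    # takes the user's SamAccountName, not the display name, so look that up first.
    param(
        [Parameter(Mandatory = $true)][string] $RoleName,
        [Parameter(Mandatory = $true)][string] $UserIdentity
    )
    $sam  = (Get-CsUser -Identity $UserIdentity -ErrorAction Stop).SamAccountName
    $held = @(Get-CsAdminRoleAssignment -Identity $sam | ForEach-Object { $_.Identity })
    $held -contains $RoleName
}

# Usage, with the names from the post:
Add-RbacRoleMember -RoleName 'CsHelpDesk' -UserIdentity 'Ken Myer'
if (Test-RbacRoleAssignment -RoleName 'CsHelpDesk' -UserIdentity 'Ken Myer') {
    'Assignment complete!'
} else {
    throw 'Ken Myer was added to the group, but Lync does not report the role.'
}
```

Two things worth knowing when you run this. Get-CsAdminRoleAssignment reads the directory, so the new role shows up in its output right away; the user's own sessions are a different matter, because group membership lives in the logon token and an existing session will not see the new group until the user signs in again. And the escaping in ConvertTo-LdapFilterValue only protects the filter; the DN still goes straight into an ADsPath, which is why the slash is escaped separately before binding.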
Incidentally (and as we noted in How Do I Unassign an RBAC Role?), this script is perhaps a bit more complicated than it needs to be. That's because we had the script go ahead and search Active Directory for the RBAC-related security groups. We did this even though (at the moment, at least) RBAC requires that these groups all be in the Users container. So why didn't we just hard-code the script to grab the group directly from the Users container? Three reasons:
- Future versions of Lync Server might allow you to put these security groups anywhere you want.
- The less we hardwire, the less you have to do in order to make this script work in your organization.
- We already had some code for searching Active Directory, and it seemed a shame to let it go to waste.
That's our story, and we're sticking to it.