You want to know what’s really nice about the fact that Windows PowerShell has been fully-integrated into Microsoft Lync Server 2010? Here’s what’s really nice about the fact that Windows PowerShell has been fully-integrated into Microsoft Lync Server 2010: you no longer have depend on people at Microsoft to solve all your problems. Did we forget to include a command , or did we include a command that doesn’t work the way you’d like it to work? That’s fine: with Windows PowerShell, you always have the option of doing it yourself.
What do we mean by all that? Well, take this example. Lync Server 2010 now features Role-Based Access Control (RBAC) as a key part of its manageability story. (You say you’ve never even
of RBAC? Then take a look at the article
A Brief Introduction to RBAC
.) We’ve also given you a cmdlet (
)that can tell you which RBAC roles have been assigned to a particular user. For example, you say you want to know which RBAC roles have been assigned to Ken Myer? Then all you have to do is run the following command from within the Lync Server Management Shell (with
representing Ken Myer’s SamAccountName:
Nice, huh? And it
nice: any time you want to check the RBAC role assignments for a given user, well, we’ve got you covered. But suppose you want to do something a little different: suppose you’d like to retrieve a list of all your RBAC roles and the users who have been assigned to each of those roles. You know something like this:
Is Get-CsAdminRoleAssignment going to help you return
kind of information? Unfortunately, no. In fact, none of the Lync Server cmdlets enable you to return that kind of information. Sorry. Maybe sometime in the future, but for now ….
But you know what they say: why buy the milk when you can have the cow for free? Admittedly, that has absolutely nothing to do with listing all the RBAC roles and the users who hold those roles. Fortunately, though, they also say this: if you want something done right, write a Windows PowerShell script to do it for you. Good advice:
What we have here is a script that does a couple of things. First, it uses the Get-CsAdminRole cmdlet to return the Identities of all the RBAC roles configured for use in your organization. By happy coincidence (which is actually
of an RBAC role is also the
given to the Active Directory security group associated with that role. That makes it a cinch for the script to search Active Directory for each of these security groups, bind to the group, then retrieve a list of all the users who are members of that group. (That list is stored in the oddly-named
attribute, oddly-named simply because groups typically have more than one member.) In turn, the script can then retrieve the display name for each user and then display information that looks something like this:
Nice. But, then again, you know what they say: when the going gets tough, the tough write scripts that can list all the RBAC roles and the users who hold those roles.
And, yes, if that’s the best they can come up with maybe they
stop saying things.