List All the RBAC Roles and the Users that Hold Those Roles

First published on TECHNET on Jun 06, 2010

You want to know what’s really nice about the fact that Windows PowerShell has been fully-integrated into Microsoft Lync Server 2010? Here’s what’s really nice about the fact that Windows PowerShell has been fully-integrated into Microsoft Lync Server 2010: you no longer have depend on people at Microsoft to solve all your problems. Did we forget to include a command , or did we include a command that doesn’t work the way you’d like it to work? That’s fine: with Windows PowerShell, you always have the option of doing it yourself.

What do we mean by all that? Well, take this example. Lync Server 2010 now features Role-Based Access Control (RBAC) as a key part of its manageability story. (You say you’ve never even heard of RBAC? Then take a look at the article A Brief Introduction to RBAC .) We’ve also given you a cmdlet ( Get-CsAdminRoleAssignment )that can tell you which RBAC roles have been assigned to a particular user. For example, you say you want to know which RBAC roles have been assigned to Ken Myer? Then all you have to do is run the following command from within the Lync Server Management Shell (with kenmyer representing Ken Myer’s SamAccountName:

Get-CsAdminRoleAssignment "kenmyer"

Nice, huh? And it is nice: any time you want to check the RBAC role assignments for a given user, well, we’ve got you covered. But suppose you want to do something a little different: suppose you’d like to retrieve a list of all your RBAC roles and the users who have been assigned to each of those roles. You know something like this:

CsAdministrator
Ken Myer
Jonathan Haas

CsVoiceAdministrator
Jonathan Haas
Kim Abercrombie
Dag Rovik

Is Get-CsAdminRoleAssignment going to help you return that kind of information? Unfortunately, no. In fact, none of the Lync Server cmdlets enable you to return that kind of information. Sorry. Maybe sometime in the future, but for now ….

But you know what they say: why buy the milk when you can have the cow for free? Admittedly, that has absolutely nothing to do with listing all the RBAC roles and the users who hold those roles. Fortunately, though, they also say this: if you want something done right, write a Windows PowerShell script to do it for you. Good advice:

$rbacGroups = Get-CsAdminRole | Select-Object Identity

foreach ($group in $rbacGroups)
{
$strFilter = "(&(objectCategory=Group)(SamAccountName=" + $group.Identity +"))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

$colProplist = "distinguishedName"
foreach ($i in $colPropList)
{[void] $objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
{$groupDN = $objResult.Path}

$group = [ADSI] $groupDN
$group.Name

foreach ($i in $group.member)
{
$user = [ADSI] "LDAP://$i"
$user.displayName
}
Write-Host
}

What we have here is a script that does a couple of things. First, it uses the Get-CsAdminRole cmdlet to return the Identities of all the RBAC roles configured for use in your organization. By happy coincidence (which is actually no coincidence), the Identity of an RBAC role is also the SamAccountName given to the Active Directory security group associated with that role. That makes it a cinch for the script to search Active Directory for each of these security groups, bind to the group, then retrieve a list of all the users who are members of that group. (That list is stored in the oddly-named Member attribute, oddly-named simply because groups typically have more than one member.) In turn, the script can then retrieve the display name for each user and then display information that looks something like this:

CsAdministrator
Ken Myer
Jonathan Haas

CsVoiceAdministrator
Jonathan Haas
Kim Abercrombie
Dag Rovik

Nice. But, then again, you know what they say: when the going gets tough, the tough write scripts that can list all the RBAC roles and the users who hold those roles.

And, yes, if that’s the best they can come up with maybe they should stop saying things.