When I see administrators manually enabling all of their Lync / Skype for Business users it makes me cringe. With just a few lines of PowerShell and a scheduled task you can have users enabled for Lync / Skype for Business automatically. Simply copy the script examples and modify them with your infrastructure details and make a scheduled task on your Lync / Skype For Business Server or non Lync / Skype for Business server through remoting.
The first thing to determine is who should be enabled for Lync / Skype for Business and the required settings to be given to those users. I will provide examples of different scenarios both enabling or disabling users. (All examples only search for Lync / Skype for Business users that are not currently enabled and assume that the Email Address would be the enabled SIP Address.)
Example #1: Enable all users in the company with an e-mail account matching @yourdomain.com for normal Lync use.
Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' } |
Enable-CsUser -RegistrarPool 'yourpool' -SipAddressType emailaddress
Example #2: Enable all users in the company within a specific Active Directory OU and an e-mail account matching @yourdomain.com for normal Lync use.
Get-CsAdUser -OU 'your.domain.com/OU' -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' } |
Enable-CsUser -RegistrarPool 'yourpool' -SipAddressType emailaddress
Example #3: Enable all users in the company with a specific City attribute for normal Lync use with an appropriate registrar pool.
Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' -and City -eq 'YourCityName' } |
Enable-CsUser -RegistrarPool 'yourlocationdependantpool' -SipAddressType emailaddress
Example #4: Enable all users in the company with a specific City attribute for normal Lync use with an appropriate registrar pool and a specific Location Policy.
$users = Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' -and City -eq 'YourCityName' }
ForEach ($user in $users)
{
Enable-CsUser $user.Identity -RegistrarPool 'yourlocationdependantpool' -SipAddressType emailaddress
Grant-CsLocationPolicy -Identity $user.Identity -PolicyName 'yourlocationpolicy' -Confirm:$False
}
Example #5: Enable all users in the company with a specific City attribute for Enterprise Voice with a specific Voice Policy, Dial Plan, Conferencing Policy, Location Policy. (Don’t forget a unique Line URI when you run the Set-CsUser command if one is required.)
$users = Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' }
ForEach ($user in $users)
{
Enable-CsUser -Identity $user.Identity -RegistrarPool 'yourlocationdependantpool' -SipAddressType emailaddress
Set-CsUser -Identity $user.Identity -EnterpriseVoiceEnabled $True -Confirm:$False
Grant-CsConferencingPolicy -Identity $user.Identity 'yourconferencingpolicy' -Confirm:$False
Grant-CsDialPlan -Identity $user.Identity -PolicyName 'yourdialplan' -Confirm:$False
Grant-CsLocationPolicy -Identity $user.Identity -PolicyName 'yourlocationpolicy' -Confirm:$False
Grant-CsVoicePolicy -Identity $user.Identity -PolicyName 'yourvoicepolicy' -Confirm:$False
}
Example #6: The following example highlights PowerShell Remoting to remotely execute the enabling of user accounts from a separate computer.
$serviceuser = 'serviceuser'
$servicepassword = 'servicepassword' | ConvertTo-SecureString -AsPlainText -Force
$servicecredential = New-Object system.Management.Automation.PSCredential($serviceuser, $servicepassword)
$lyncsession = New-PSSession -ConnectionUri 'https://yourpoolname/ocspowershell' -Credential $servicecredential
$emailaddress = '*@yourdomain.com'
Invoke-Command -Session $lyncsession -ScriptBlock {
param ($emailaddress) Get-CsUser -Filter "WindowsEmailAddress -like '$emailaddress'" |
Enable-CsUser -RegistrarPool 'yourpool' -SipAddressType emailaddress
} -ArgumentList $emailaddress
Remove-PSSession $lyncsession
Example #7: The following example highlights looping through multiple cities and setting the proper pool and policies according to that city. This example uses a .CSV file that contains all the cities and their respective settings. You could accomplish the same thing through code by adding a custom object and then adding each city. Using a .CSV file is preferred as it will allow you to add/remove cities in the future without changing the script.
<#
Contents of an example cities.csv
Name,RegistrarPool,DialPlan,ConferencingPolicy,LocationPolicy,VoicePolicy
London,LondonPool,LondonDialPlan,LondonConferencingPolicy,LondonLocationPolicy,LondonVoicePolicy
Chicago,ChicagoPool,ChicagoDialPlan,ChicagoConferencingPolicy,ChicagoLocationPolicy,ChicagoVoicePolicy
Toronto,TorontoPool,TorontoDialPlan,TorontoConferencingPolicy,TorontoLocationPolicy,TorontoVoicePolicy
Sydney,SydneyPool,SydneyDialPlan,SydneyConferencingPolicy,SydneyLocationPolicy,SydneyVoicePolicy
#>
$cities = Import-Csv cities.csv
ForEach ($city in $cities) {
$users = Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like ‘*@yourdomain.com’ -and City -eq $city.Name }
ForEach ($user in $users)
{
Enable-CsUser -Identity $user.Identity -RegistrarPool $city.RegistrarPool -SipAddressType emailaddress
Set-CsUser -Identity $user.Identity -EnterpriseVoiceEnabled $True -Confirm:$False
Grant-CsConferencingPolicy -Identity $user.Identity $city.ConferencingPolicy -Confirm:$False
Grant-CsDialPlan -Identity $user.Identity -PolicyName $city.DialPlan -Confirm:$False
Grant-CsLocationPolicy -Identity $user.Identity -PolicyName $city.LocationPolicy -Confirm:$False
Grant-CsVoicePolicy -Identity $user.Identity -PolicyName $city.VoicePolicy -Confirm:$False
}
}
The following are some examples of automatically disabling users from Lync if their Active Directory account is disabled.
Example #1: Disabling Lync / Skype for Business from all users in Active Directory that are disabled.
Get-CsAdUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=2)(msRTCSIP-UserEnabled=TRUE))" | Disable-CsUser
Example #2: Remotely disabling Lync / Skype for Business from all users in Active Directory that are disabled.
$serviceuser = 'serviceuser'
$servicepassword = 'servicepassword' | ConvertTo-SecureString -AsPlainText -Force
$servicecredential = New-Object system.Management.Automation.PSCredential($serviceuser, $servicepassword)
$lyncsession = New-PSSession -ConnectionUri 'https://yourpoolname/ocspowershell' -Credential $servicecredential
Invoke-Command -Session $lyncsession -ScriptBlock {
Get-CsAdUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=2)(msRTCSIP-UserEnabled=TRUE))" |
Disable-CsUser
}
Remove-PSSession $lyncsession
Example #3: As requested, here is the solution to remotely disabling Lync / Skype for Business from all users in an Active Directory group. The key here is adjusting the LDAP Filter to only include members of a particular group.
$serviceuser = 'serviceuser'
$servicepassword = 'servicepassword' | ConvertTo-SecureString -AsPlainText -Force
$servicecredential = New-Object system.Management.Automation.PSCredential($serviceuser, $servicepassword)
$lyncsession = New-PSSession -ConnectionUri 'https://yourpoolname/ocspowershell' -Credential $servicecredential
Invoke-Command -Session $lyncsession -ScriptBlock {
Get-CsAdUser -LDAPFilter "(&(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com)(msRTCSIP-UserEnabled=TRUE))" |
Disable-CsUser
}
Remove-PSSession $lyncsession