Automatically enable users in a particular OU for Lync 2010
In Lync 2010, users are enabled from either the Lync Server Management Shell or the web-based Lync Control Panel, so most administrators now have to use two different interfaces: one for creating users and another for enabling them for Lync. This is too cumbersome for many admins, especially in situations where almost everyone in an organization has to be enabled for Lync. I have received various requests for automating the process, so I thought I would document it here for all. The idea is to schedule a task that runs a PowerShell cmdlet to automatically Lync-enable any users in an OU who have not been enabled yet. Here is a quick and dirty way to get it ‘done’.
First we create the script that will enable the users in a specific OU. Copy and paste the following two lines into Notepad and save the file as "C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.PS1" (you can choose any other suitable location):
import-module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'
get-csaduser -filter {Enabled -ne $True} -OU "ou=Employees,dc=treyresearch,dc=net" | Enable-CsUser -RegistrarPool lyncpool.treyresearch.net -SipAddressType EmailAddress
Let’s break it down line by line (since there are just two of them, and I have time to kill). The first line imports the Lync module into PowerShell; since the module does not sit in the usual location for PS modules, you have to specify the complete path to the file.
The second line is made up of two separate commands. The first part, get-csaduser -filter {Enabled -ne $True} -OU "ou=Employees,dc=treyresearch,dc=net", searches for all users in a particular OU who have not yet been enabled for Lync 2010; the second half enables each of those users on a particular pool, using the user's email address as their SIP address.
Now that we have a script, we need to make sure that we can run it on the server. To do so, you need to either sign the script or relax the execution policy on the server. Since this is a “get-it-done” post, I chose the easy way and set the policy to RemoteSigned, which lets locally created scripts run unsigned while still requiring a signature on scripts downloaded from the Internet. Just head over to PowerShell and type in the following command:
Set-ExecutionPolicy RemoteSigned
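If you would rather sign the script than loosen the policy, the following added example (not part of the original post) signs it and checks the signature before tightening the policy to AllSigned. It assumes a code-signing certificate is already installed in the current user's store and that the server trusts both its issuer and the certificate as a publisher.

```powershell
# Added example, not the author's code.
# Assumption: a code-signing certificate is installed in Cert:\CurrentUser\My,
# its root is trusted, and it is in Trusted Publishers on the server (otherwise
# AllSigned prompts, which an unattended task cannot answer).
$script = 'C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.ps1'

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My.' }

# Sign the script; the signature block is appended to the file as comments.
$signed = Set-AuthenticodeSignature -FilePath $script -Certificate $cert
if ($signed.Status -ne 'Valid') {
    throw "Signing failed: $($signed.Status) $($signed.StatusMessage)"
}

# Re-read the signature from disk the way PowerShell will at run time.
# Any later edit to the file turns this into HashMismatch and the script is refused.
$check = Get-AuthenticodeSignature -FilePath $script
"{0}: {1} (signer: {2})" -f $script, $check.Status, $check.SignerCertificate.Subject

# Only tighten the policy once the signature verifies.
if ($check.Status -eq 'Valid') {
    Set-ExecutionPolicy AllSigned
}
```

Re-sign the script after every edit; a modified copy no longer runs under AllSigned.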
Next, go to Task Scheduler (Start > Run > taskschd.msc) and click “Create Basic Task…”.
Assign a name and description, and then click Next.
Choose how often you would like to run the task and click Next (I chose a daily task).
Choose when you would like to run the task and click Next.
Select “Start a program” and then click Next again.
Browse to powershell.exe on your system and provide the script created earlier as an argument (-File "C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.ps1"). Type the quotation marks as plain straight quotes; if curly quotes are pasted into the task, the script will not run.
Click Finish to complete the wizard.
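Because the task runs unattended, it helps to have the script record what it did. The following added example (not the author's script) wraps the same two commands with a log file and a non-zero exit code on failure, which Task Scheduler records as the task's last run result. The log folder is a hypothetical path, and logging by UserPrincipalName is a choice made for this example.

```powershell
# Added example, not the author's script: same two commands, plus logging.
$ErrorActionPreference = 'Stop'
$ou      = 'ou=Employees,dc=treyresearch,dc=net'
$pool    = 'lyncpool.treyresearch.net'
$logDir  = 'C:\Logs\LyncEnable'   # hypothetical path; must be writable by the task account
$logFile = Join-Path $logDir ('EnableUsers-{0:yyyyMMdd}.log' -f (Get-Date))

function Write-Log([string]$Message) {
    Add-Content -Path $logFile -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

try {
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
    Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'

    # @() keeps .Count meaningful when zero or one user is returned.
    $pending = @(Get-CsAdUser -Filter {Enabled -ne $True} -OU $ou)
    Write-Log "Found $($pending.Count) user(s) not yet enabled in $ou"

    $failures = 0
    foreach ($user in $pending) {
        try {
            $user | Enable-CsUser -RegistrarPool $pool -SipAddressType EmailAddress -ErrorAction Stop
            Write-Log "ENABLED $($user.UserPrincipalName)"
        } catch {
            $failures++
            Write-Log "FAILED  $($user.UserPrincipalName): $($_.Exception.Message)"
        }
    }
    if ($failures -gt 0) { exit 2 }   # some users could not be enabled
    exit 0
} catch {
    # Module import, directory search or logging itself failed.
    try { Write-Log "FATAL $($_.Exception.Message)" } catch { }
    exit 1
}
```

The daily log also gives you a record of which accounts the service account enabled, which is worth reviewing when the OU filter is wide.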
Links:
Running PowerShell Scripts https://technet.microsoft.com/en-us/library/ee176949.aspx
Configuring Scheduled Tasks https://technet.microsoft.com/en-us/library/dd851678.aspx
Comments
Anonymous
November 29, 2011
Hi, I have used your script in my deployment and created a scheduled task. The task is set to run every night using a service account to run the task (service account has RTCUniversalUserAdmins rights). However, on checking AD the next day new users are not enabled for Lync (no SIP address). If I manually run the .PS1 file in PowerShell on the server, it enables users fine, so I know it's not the script ;-) If I run the task manually from the server, it does not work, but the task scheduler history reports the task as being completed successfully (manual or scheduled). Have you any ideas where I may be going wrong? A cheeky additional question too if I may! Is there also a way to exclude accounts that have been disabled in AD? Thanks in advance
Anonymous
December 12, 2011
I'm having the exact same issue as @D Clayton.
Anonymous
December 13, 2011
Oh I found the problem I was having. I had copied and pasted “C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.ps1” from above and edited the text for my script. The quote marks have to be replaced in scheduler or the script won't run. Thanks for the article!
Anonymous
December 14, 2011
@Anthony : Thanks for posting the solution! @D Clayton: Hope you have figured out the automatic scheduling issue by now. To exclude disabled AD accounts use the following script:
import-module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'
get-csaduser -LdapFilter "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(msRTCSIP-UserEnabled=TRUE)))" | Enable-CsUser -RegistrarPool lyncpool.treyresearch.net -SipAddressType EmailAddress
PS: There may be a better way to write this query
Anonymous
January 12, 2012
Hi there, what if I would like to enable users that are members of a group instead? What should that script look like?
Anonymous
January 14, 2012
@Stefan : You can use the built-in ActiveDirectory module in PowerShell or Quest Active Directory cmdlets (www.quest.com/.../activeroles-server.aspx) to evaluate groups and then pass it to Enable-CsUser. The script will look something as follows (I have not tested it):
Import-Module Lync
Import-Module ActiveDirectory
Get-ADGroupMember -Identity <ADGroup> | Enable-CsUser -RegistrarPool lyncpool.treyresearch.net -SipAddressType EmailAddress
For Quest module:
Get-QADGroupMember -Identity <ADGroup> | Enable-CsUser -RegistrarPool lyncpool.treyresearch.net -SipAddressType EmailAddress
Let me know if this doesn't help, I can probably do a more detailed blog post for this.
Anonymous
January 19, 2012
How do you use this to also enable for enterprise voice?
Anonymous
April 02, 2012
I need to enable all users in AD not just a single OU. I cannot seem to get the proper code for that... any help would be greatly appreciated.
Anonymous
April 04, 2012
Replaced the quote marks and it's working a treat! Can't believe it was that simple! Thanks
Anonymous
June 22, 2012
Here is the Lync Group Enable script I came up with. (Pretty quick and dirty.)
import-module "<your path here>Lync.psd1"
import-module activedirectory
$ad_lync_name = Get-ADGroupMember -Identity LyncEnabled
foreach ($objitem in $ad_lync_name){
    $lync_user = Get-CSAdUser -Identity $objitem.name
    If ($lync_user.Enabled -eq $False){
        Enable-CsUser -Identity $objitem.name -RegistrarPool LyncPool.contoso.com -SipAddressType EmailAddress
        Grant-CsClientPolicy -Identity $objitem.name -PolicyName YourClientPolicy
    }
}
Anonymous
August 23, 2012
When you skip -OU parameter at Get-CsAdUser, you get all users in the Forest! Maybe someone will find this useful:
$OUUsers = &{Get-CsAdUser -Filter {Enabled -ne $True} | Where-Object {$_.UserAccountControl -notlike "*AccountDisabled*"} | Where-Object {$_.WindowsEmailAddress -ne ""} | Where-Object {$_.SIPAddress -eq ""} }
$OUUsers | Foreach-Object {Enable-CsUser -Identity $_.UserPrincipalName -RegistrarPool $LyncServer -SipAddressType EmailAddress}
Anonymous
December 13, 2012
This script was much easier and simpler than the one my customer had. This was indeed helpful. Thank you Akshat for your good work!