Configuring Users and Rights in Microsoft Lync Server 2013

To configure and manage users in Microsoft® Lync® Server 2013, you can use a variety of methods. Lync Server 2013 provides configuration management options, including Lync Server Control Panel and Lync Server Management Shell. You can use basic syntax for working in Windows PowerShell because it has powerful scripting capabilities. You can also use the administrative model of the new role-based access control (RBAC) in Lync Server 2013. The administrative model provides predefined roles, which you can assign to administrators, and you can create new custom roles.

Lync Server Control Panel
The Lync Server Control Panel is a web-based user interface that replaces the Microsoft Management Console (MMC) interface from previous releases. The Lync Server Control Panel extends the management functionality to any Microsoft Silverlight®–capable browser. You can use the Lync Server Control Panel to perform the following tasks:
• Search for and configure users. You can search for users by display name, first name, last name, Security Accounts Manager (SAM) account name, Session Initiation Protocol (SIP) address, or line Uniform Resource Identifier (URI). You can then use the results of your search query to configure users for Lync Server 2013, and perform other related tasks such as assigning policies, and changing or removing personal identification numbers (PINs).
• Enable or disable users. After you create a user account in Active Directory® Users and Computers, you can enable or disable a user account in Lync Server 2013. When you disable a previously enabled user account, you do not lose the Lync Server 2013 settings that you configured for that user account. Therefore, you can choose to re-enable the user without reconfiguring the user account.
• Assign policies to users. You can assign specific policies to a user or a group of users, such as conferencing policies, supported client version policies, archiving policies, or remote user access policies.
• Assign users to a server or pool. You can assign users to a server or move them to a specific pool under the Edit or move users link in the Lync Server Control Panel.
• Set a user’s dial-in conferencing PIN. You can configure global PIN policies, such as the required minimum length. In addition, you can configure PIN policies for individual users or sites. You can choose to generate the PIN automatically, or create one manually.
Lync Server Control Panel is automatically installed on every front-end server or Standard Edition server in your deployment. In Lync Server 2013, Edge Servers are managed remotely by using the Lync Server Control Panel, which is not exposed externally to the web.

Note: You cannot use Lync Server Control Panel to manage users who are members of the Active Directory Domain Admins group. For Domain Admin users, you can use Lync Server Control Panel to perform read-only search operations. To perform write operations on Domain Admin users, such as enabling or disabling Lync Server 2013, or changing pool or policy assignments, telephony settings, SIP address, and so on, you must use Windows PowerShell cmdlets while logged on as a Domain Administrator with appropriate RBAC credentials.

Lync Server Management Shell 
The Lync Server Management Shell is another method of administration for a Lync Server 2013 communications system. The decision to use Lync Server Control Panel or Lync Server Management Shell is up to you—you can perform all Lync Server 2013 management tasks by using either tool. One advantage of the Lync Server Management Shell is that it is useful for running scripts to automate common administrative tasks. Lync Server Management Shell is automatically installed on every Lync Server Enterprise Edition front-end server or Standard Edition server in your deployment. The Management Shell is built on the Windows PowerShell 3.0 command-line interface, and it includes more than 550 product-specific cmdlets for administering Lync Server 2013.
Lync Server Cmdlet Syntax
Each PowerShell cmdlet (pronounced “command-let”) consists of a term (typically a verb) followed by a dash, and then followed by a noun as shown in the following example.
Typing “new” conveys to PowerShell what you want to do. The dash-noun combination signifies a parameter. In this example, PowerShell creates a new collection of user replicator configuration settings.
The user replicator periodically retrieves up-to-date user account information from Active Directory and then synchronizes the new information with the current user data stored by Lync Server 2013.

Using PowerShell 3.0
Because both the Lync Server Management Shell and the Lync Server Control Panel are built on the Windows PowerShell 3.0 command-line interface, being comfortable in working with the syntax and capabilities of PowerShell is important. If you are new to PowerShell, but familiar with scripting, an overview of how to use PowerShell 3.0 with Lync Server 2013 will be helpful.
Why Use PowerShell?
PowerShell is built on the Microsoft .NET Framework common language runtime (CLR), and PowerShell accepts and returns .NET Framework objects. By using product-specific commands, PowerShell gives you access to the file system on the computer and enables you to access other data stores, such as the registry and the digital signature certificate stores, just as easily as you can access the file system. It is designed specifically for systems administrators to make configuration and management tasks easier.
Using PowerShell Cmdlets
As previously mentioned, each PowerShell cmdlet consists of a verb followed by a dash, and then followed by a noun as shown in the following example.
If you want to receive help on a specific cmdlet, type the following.
Get-Help New-CsVoicePolicy
This command returns the most commonly-sought help for creating a new voice policy.
For more detailed help on a topic, you can add a parameter, preceded by a dash, as shown in the following example.
Get-Help New-CsVoicePolicy -Examples
For all available help on a topic, use the parameter -Full.
Note: You can get help on each cmdlet directly from the command line and from the Lync Server 2013 Help file. There are two specific Help files available for cmdlets—RTCCmdlets.chm and RGSCmdlets.chm.
Using Cmdlet Parameters
A parameter is a way of adding additional information to a cmdlet, and limiting the amount of information that is returned. For example, if you want to find all the services running on a particular server, type the following command.
If you want to return only the Lync Server 2013 services and their active status, type the following command.
Get-CsWindowsService

Overview of Role-Based Access Control (RBAC)
To enable you to delegate administrative tasks while maintaining high standards for security, Lync Server 2013 offers role-based access control (RBAC). With RBAC, administrative privilege is granted to users by assigning administrative roles to them. Lync Server 2013 includes a rich set of built-in administrative roles. You can also create new roles and specify a custom list of cmdlets for each new role, and you can add scripts of cmdlets to the allowed tasks of both predefined and custom RBAC roles.

Predefined Role-Based Access Control Roles
In RBAC, a role is enabled to use a list of cmdlets, designed to be useful for a certain type of administrator or technician. A scope is the set of objects that the cmdlets, defined in a role, can operate on. The objects that scope affects can be either user accounts (grouped by organizational unit) or servers (grouped by site). Predefined roles are set up during the initial Lync installation process. All predefined roles shipped in Lync Server have a global scope and cannot be modified. To follow least privilege practices, you should not assign users to roles with global scope if they are going to administer only a limited set of servers or users. Instead, you can create roles that are based on an existing role, but with a more limited scope.
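The least-privilege approach described above, as an added example for the Lync Server Management Shell (not part of the original text): it audits role scopes, then creates a custom role from a predefined template with a limited scope. The role name, OU path, site name and user name are assumed placeholders.

```powershell
# Added example; run in the Lync Server Management Shell.
# Assumed placeholders: role/group name, OU path, site name, user name.
$roleName = 'RedmondUserAdmins'
$userOu   = 'OU:ou=Redmond,dc=litwareinc,dc=com'
$site     = 'site:Redmond'

# 1. Audit existing roles: which are predefined (IsStandardRole) and
#    which user/server scopes each one covers. Look for "Global".
Get-CsAdminRole |
    Select-Object Identity, IsStandardRole, Template,
        @{ Name = 'UserScopes';   Expression = { $_.UserScopes   -join '; ' } },
        @{ Name = 'ConfigScopes'; Expression = { $_.ConfigScopes -join '; ' } } |
    Sort-Object Identity |
    Format-Table -AutoSize

# 2. List the roles whose cmdlet list contains a name matching 'Set-CsUser'
#    (a regex match, so related cmdlet names are included as well).
Get-CsAdminRole |
    Where-Object { $_.Cmdlets -match 'Set-CsUser' } |
    Select-Object Identity, IsStandardRole

# 3. Create a custom role based on a predefined role, limited to one OU
#    and one site instead of global scope.
#    Precondition: a universal security group whose SamAccountName equals
#    $roleName must already exist in Active Directory.
New-CsAdminRole -Identity $roleName `
    -Template 'CsUserAdministrator' `
    -UserScopes $userOu `
    -ConfigScopes $site

# 4. Confirm the new role carries the limited scopes, not "Global".
Get-CsAdminRole -Identity $roleName |
    Select-Object Identity, Template, UserScopes, ConfigScopes

# 5. Check which RBAC roles a given administrator currently holds.
Get-CsAdminRoleAssignment -Identity 'Ken Myer'
```

Administrators receive the custom role by being added to the Active Directory security group of the same name, so membership of that group should be reviewed along with the role scopes.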

Predefined Role-Based Access Control Roles