
Planning for Management

Lync Server 2010 follows the now-common model of role-based access control (RBAC). The concept is that one defines a role, typically built around a set of common tasks, and delegates the ability to perform those tasks to the role. Existing security groups or individual accounts are then placed into the role's group to grant them exactly the rights needed for those tasks, and nothing more.

Lync Server 2010 predefines nine RBAC groups that cover most of the commonly delegated tasks within Lync Server 2010. These groups and their allowed tasks are as follows:

CsAdministrator—This group can perform all administrative tasks and modify all settings within Lync Server 2010. This includes creating and assigning roles, and modification or creation of new sites, pools, and services.

CsUserAdministrator—This group can enable or disable users for Lync Server 2010. They can also move users and assign existing policies to users. They can neither create new policies nor modify existing policies.

CsVoiceAdministrator—This group can create, configure, and manage voice-related settings and policies, such as dial plans, voice policies, routes, and PSTN usages.

CsServerAdministrator—This group can manage, monitor, and troubleshoot servers and services. They can prevent new connections to servers, apply software updates, and start and stop services. They cannot, however, make changes that affect global configuration.

CsViewOnlyAdministrator—This group can view the deployment, including server and user information, in order to monitor deployment health.

CsHelpDesk—This group can view the deployment, including users' properties and policies, and can run specific troubleshooting tasks. They cannot change user properties or policies, nor server configuration or services.

CsArchivingAdministrator—This group can modify archiving configuration and policies.

CsResponseGroupAdministrator—This group can manage the configuration of the Response Group application within a site.

CsLocationAdministrator—This group has the lowest level of rights for Enhanced 911 (E911) management: creating E911 locations and network identifiers and associating them with each other. This role is assigned with a global scope rather than a site-specific scope.

All default role groups in Lync Server 2010 have a global scope; that is, their rights apply to all users and to servers in all sites. To comply with RBAC best practice, do not place users in a globally scoped role if they are supposed to administer only a limited set of servers or users. Instead, create additional roles with the same rights as one of the default roles but applied to a narrower scope.

These scoped roles are created with the PowerShell cmdlets provided with Lync Server 2010, using an existing global role as a template and binding the new role to a universal security group that already exists in Active Directory with exactly the same name as the role's Identity (New-CsAdminRole fails if that group is missing). For example:

New-CsAdminRole -Identity "Site01 Server Administrators" -Template CsServerAdministrator -ConfigScopes "site:Site01"

This cmdlet gives the Site01 Server Administrators group the same rights as the predefined CsServerAdministrator role, but rather than granting those rights globally, it limits them to servers in Site01.

A similar process can be used to create a role that is scoped based on users rather than on sites:

New-CsAdminRole -Identity "Finance Users Administrators" -Template CsUserAdministrator -UserScopes "OU:OU=Finance,OU=Corporate Users,DC=CompanyABC,DC=com"

This grants the group Finance Users Administrators the same rights as the predefined CsUserAdministrator role, but rather than receiving those rights over all user objects, its members are limited to user objects in the Finance OU named in the cmdlet. Note that a user-scoped role still cannot create or modify policies; it only narrows which users the template's existing rights apply to.

After the necessary roles have been defined, add users or, preferably, existing security groups to the role's universal security group through Active Directory Users and Computers (or Add-ADGroupMember). The role's rights can be checked with Get-CsAdminRole, and a given account's effective assignments with Get-CsAdminRoleAssignment.
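The whole procedure above, from the prerequisite universal security group through verification, as an added example that is not from the book. It assumes a site named Site01, a Finance OU at OU=Finance,OU=Corporate Users,DC=CompanyABC,DC=com, a container OU=Lync RBAC,DC=CompanyABC,DC=com for the role groups, existing AD groups Site01-Ops and Finance-HelpDesk to nest into the roles, and the ActiveDirectory module being available in the Lync Server Management Shell.

```powershell
# Added example, not from the book or from Microsoft: create two scoped RBAC roles
# and verify them. Names, OUs and nested groups below are assumptions for illustration.
Import-Module ActiveDirectory

$roleGroupOU = "OU=Lync RBAC,DC=CompanyABC,DC=com"     # assumed container for role groups

$roles = @(
    @{ Name = "Site01 Server Administrators"; Template = "CsServerAdministrator";
       ConfigScopes = "site:Site01"; UserScopes = $null; Nest = "Site01-Ops" },
    @{ Name = "Finance Users Administrators"; Template = "CsUserAdministrator";
       ConfigScopes = $null;
       UserScopes = "OU:OU=Finance,OU=Corporate Users,DC=CompanyABC,DC=com";
       Nest = "Finance-HelpDesk" }
)

foreach ($r in $roles) {
    # New-CsAdminRole requires a universal security group whose name equals the
    # role's Identity to exist beforehand; create it if it is missing.
    if (-not (Get-ADGroup -Filter "Name -eq '$($r.Name)'")) {
        New-ADGroup -Name $r.Name -GroupScope Universal -GroupCategory Security -Path $roleGroupOU
    }

    # Create the scoped role from the global template, passing only the scope that applies.
    if (-not (Get-CsAdminRole -Identity $r.Name -ErrorAction SilentlyContinue)) {
        $params = @{ Identity = $r.Name; Template = $r.Template }
        if ($r.ConfigScopes) { $params.ConfigScopes = $r.ConfigScopes }
        if ($r.UserScopes)   { $params.UserScopes   = $r.UserScopes }
        New-CsAdminRole @params
    }

    # Populate the role group with an existing AD group rather than individual accounts.
    Add-ADGroupMember -Identity $r.Name -Members $r.Nest
}

# Verify: the new roles are not standard roles and carry the narrowed scopes, not "Global".
$names = $roles | ForEach-Object { $_.Name }
Get-CsAdminRole | Where-Object { $names -contains $_.Identity } |
    Format-List Identity, Template, IsStandardRole, ConfigScopes, UserScopes

# Confirm what a particular account (assumed SamAccountName) will receive in a new session.
Get-CsAdminRoleAssignment -Identity "jsmith"
```

Run this from the Lync Server Management Shell as a member of CsAdministrator; the account being verified must obtain a fresh Kerberos ticket (see the Note below) before the new assignment takes effect.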


Note

When a user is placed into a new security group or into a role group, the change is not reflected in that user's existing Kerberos ticket, and Lync Server evaluates role membership from the token presented when a Control Panel or remote PowerShell session is authenticated. The user must therefore log off and log on again (or purge the ticket cache with klist purge on Windows 7 or Windows Server 2008 R2 and start a new session) before the newly granted rights can be used.


For users who are given any level of administrative rights within Lync Server 2010, carefully consider which tasks they need to perform and then assign them to the roles with the least privilege and scope necessary to perform the tasks.
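One way to review an existing deployment against that least-privilege rule, as an added example that is not from the book: enumerate every RBAC role, resolve the accounts that hold it through the role's group, and flag global-scope holders and accounts collected into several roles. It assumes the ActiveDirectory module is available and that the role groups are reachable by the SID that Get-CsAdminRole reports.

```powershell
# Added example, not from the book or from Microsoft: least-privilege audit of
# Lync Server 2010 RBAC assignments. Assumes the ActiveDirectory module is loaded.
Import-Module ActiveDirectory

function Test-CsGlobalScope {
    # Scope lists render as strings such as "Global" or "site:Site01"; compare by text
    # so the check works whatever object type the cmdlet returns for a scope.
    param($Role)
    $scopes = @($Role.ConfigScopes) + @($Role.UserScopes) | ForEach-Object { "$_" }
    return ($scopes -contains "Global")
}

function Get-CsRbacReport {
    # One row per (account, role) pair, including members of nested groups.
    foreach ($role in Get-CsAdminRole) {
        $isGlobal = Test-CsGlobalScope $role
        $members  = Get-ADGroupMember -Identity $role.SID -Recursive -ErrorAction SilentlyContinue |
                    Where-Object { $_.objectClass -eq "user" }
        foreach ($m in $members) {
            New-Object PSObject -Property @{
                Account      = $m.SamAccountName
                Role         = $role.Identity
                StandardRole = $role.IsStandardRole
                GlobalScope  = $isGlobal
                ConfigScopes = (@($role.ConfigScopes) | ForEach-Object { "$_" }) -join ";"
                UserScopes   = (@($role.UserScopes)   | ForEach-Object { "$_" }) -join ";"
                CmdletCount  = @($role.Cmdlets).Count
            }
        }
    }
}

$report = Get-CsRbacReport

# 1. Every global-scope holder should have a documented reason; start with CsAdministrator.
$report | Where-Object { $_.GlobalScope } |
    Sort-Object Role, Account |
    Format-Table Account, Role, StandardRole, CmdletCount -AutoSize

# 2. Accounts that sit in several roles are candidates for one purpose-built scoped role.
$report | Group-Object Account | Where-Object { $_.Count -gt 1 } |
    Select-Object Name, @{ n = "Roles"; e = { ($_.Group | ForEach-Object { $_.Role }) -join ", " } }

# 3. Roles that nobody holds are dead delegations and can be removed (Remove-CsAdminRole).
$held = $report | ForEach-Object { $_.Role } | Sort-Object -Unique
Get-CsAdminRole | Where-Object { -not $_.IsStandardRole -and ($held -notcontains $_.Identity) } |
    Select-Object Identity, ConfigScopes, UserScopes
```

Because Get-ADGroupMember is run with -Recursive, a user who reaches a role only through a nested group still appears in the report, which is usually where unintended global-scope access hides.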

For administrators interested in what rights are available to each of the predefined groups, Microsoft has published a fairly exhaustive list at the following URL: http://technet.microsoft.com/en-us/library/gg425917.aspx.
