Custom RBAC roles Lync 2013

This is a quick note on the commands to create Lync 2013 RBAC role groups. First, verify that the role you want to assign will run the cmdlets you expect. This generates a list of the cmdlets permitted in the role:

Get-CsAdminRole -Identity "groupmgr" | Select-Object -ExpandProperty Cmdlets

Next, create the role:

New-CsAdminRole -Identity "groupmgr" -Template CsResponseGroupManager

Then add or remove cmdlets. To remove cmdlets you don't want the new role to have permissions for:

Set-CsAdminRole -Identity "groupmgr" -Cmdlets @{Remove="Get-CsSite","Get-CsUser","New-CsRgsQueue","Get-CsRgsWorkflow"}

The Remove example above takes basic permissions away from the role group, which would not be very good in practice. You are more likely to add permissions:

Set-CsAdminRole -Identity "groupmgr" -Cmdlets @{Add="Disable-CsUser","Enable-CsUser","Set-CsOAuthServer","New-CsOAuthServer"}
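
To confirm what an Add or Remove change actually did to a role, the following added example (not from the original post) diffs a custom role's cmdlet list against its template and singles out added cmdlets that are not read-only Get-* calls. The function name Get-RoleCmdletDrift and the sample lists are constructed for illustration, and the handling of a "Name=" prefix is an assumption about how cmdlet entries may render.

```powershell
# Added example: report how a custom RBAC role's cmdlet list differs from its template.
# Get-RoleCmdletDrift is a hypothetical helper name, not a Lync Server cmdlet.
function Get-RoleCmdletDrift {
    param(
        [object[]] $TemplateCmdlets = @(),
        [object[]] $CustomCmdlets   = @()
    )

    # Assumption: entries are either plain names or render as "Name=<cmdlet>".
    # Normalise both forms to a bare cmdlet name before comparing.
    function ConvertTo-CmdletName($entry) { ("$entry" -replace '^Name=', '').Trim() }

    $template = @($TemplateCmdlets | ForEach-Object { ConvertTo-CmdletName $_ } | Sort-Object -Unique)
    $custom   = @($CustomCmdlets   | ForEach-Object { ConvertTo-CmdletName $_ } | Sort-Object -Unique)

    # -notcontains and -notlike are case-insensitive, matching PowerShell cmdlet naming.
    $added   = @($custom   | Where-Object { $template -notcontains $_ })
    $removed = @($template | Where-Object { $custom   -notcontains $_ })

    [pscustomobject]@{
        Added       = $added      # granted beyond the template: review each one
        Removed     = $removed    # taken away from the template
        AddedNonGet = @($added | Where-Object { $_ -notlike 'Get-*' })  # state-changing additions
    }
}

# Constructed sample lists (NOT the real contents of CsResponseGroupManager),
# built from the cmdlet names used in this post.
$sampleTemplate = 'Get-CsSite', 'Get-CsUser', 'New-CsRgsQueue', 'Get-CsRgsWorkflow'
$sampleCustom   = 'Get-CsUser', 'Get-CsRgsWorkflow',
                  'Name=Disable-CsUser', 'Name=Enable-CsUser', 'Name=Set-CsOAuthServer'

$drift = Get-RoleCmdletDrift -TemplateCmdlets $sampleTemplate -CustomCmdlets $sampleCustom
"Added      : " + ($drift.Added -join ', ')
"Removed    : " + ($drift.Removed -join ', ')
"Non-Get add: " + ($drift.AddedNonGet -join ', ')

# On a Lync server (not run here), feed it the live role objects instead:
#   Get-RoleCmdletDrift `
#       -TemplateCmdlets (Get-CsAdminRole -Identity "CsResponseGroupManager").Cmdlets `
#       -CustomCmdlets   (Get-CsAdminRole -Identity "groupmgr").Cmdlets
```
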

This is the basic syntax, and there are some TechNet articles that may also be helpful:

7 thoughts on “Custom RBAC roles Lync 2013”

  1. ins says:


    Trying to create a new admin role in Lync with the command
    Set-CsAdminRole -Identity "LyncArch" -Cmdlets @{Add="Export-CsArchivingData"}
    and receive this message:
    WARNING: The role-based access control (RBAC) role ‘LyncArch’
    cannot contain ‘Export-CsArchivingData’, because ‘Export-CsArchivingData’ is
    not a Lync Server cmdlet. Only Lync Server cmdlets can be added to the role.

    Does anybody have any suggestion why this happens?


    • In your example, lyncarch needs to have an underlying assignment of one of the 11 base RBAC templates. Generally you will not need to add a specific command, as the 11 templates should have a level which already includes that command. If you post the New-CsAdminRole command you successfully created before this step, I may be able to understand the context.


      • ins says:

        The prior command was
        New-CsAdminRole -Identity LyncArch -template CSAdministrator
        which executed without any warning.


  2. ins says:

    Also, Export-CsArchivingData is not included in the CSAdministrator role, as I can see by executing
    (Get-CsAdminRole -Identity CSAdministrator).Cmdlets
    So I tried to create a new role according to this article
    but met this error with RBAC. Actually, I can execute the command locally on the Lync server but am unable to execute it remotely, as it says that there is no such cmdlet.


  3. lou says:

    OK, so your AD connection works. Local PowerShell is AD; remote PowerShell is RBAC. You created a new role, but there is no scope for the role. Add a user or site scope to “lyncarch”. Then, if you are part of the user or site scope, you will be able to connect to a remote session to make changes to the role.


  4. ins says:

    Yes, I have already added a user to this scope and the connection to the remote session works successfully; I can execute many Lync cmdlets (such as Get-CsUser, etc.) except the cmdlet Export-CsArchivingData.

    Please note I receive the RBAC warning on the Lync server itself with the Export-CsArchivingData command; also, the command Set-CsAdminRole works perfectly locally.


    • I would focus on getting it to work from the Lync server first. I would say the permissions will get convoluted if you don’t have local permissions first. So you want to verify you're also rtcuniversalserveradmin as well and have proper SQL permissions. The command itself is different for 2010 vs 2013; see what Terence has to say about the syntax here

      Is archiving set up and installed? This is a prerequisite. Can you get reporting from the monitoring database? Persistent chat is a different service, so you are trying to export IM or conference content? Does this work successfully from the Lync control panel? This is where I would start. Once that all works, then move to a remote shell.

