This is a quick note on the commands to create Lync 2013 RBAC role groups.
First, verify that the role you want to assign will run the cmdlets you expect. This will generate a list of the permitted cmdlets in the role:
Get-CsAdminRole -Identity "groupmgr" | select -ExpandProperty cmdlets
Next, create the role:
New-CsAdminRole -Identity "groupmgr" -Template CsResponseGroupManager
Then add cmdlets, or remove the ones you don't want the new role to have permissions for:
Set-CsAdminRole -Identity "groupmgr" -Cmdlets @{Remove="get-cssite","get-csuser","New-csrgsqueue","get-csrgsworkflow"}
Taking basic permissions away from the role group, as above, would not be a very good idea. It may be more likely that you will add permissions:
Set-CsAdminRole -Identity "groupmgr" -Cmdlets @{Add="Disable-CsUser","Enable-CsUser","set-csOauthServer","new-CsOauthServer"}
This is the basic syntax, and there are some TechNet articles that may also be helpful:
http://technet.microsoft.com/en-us/library/gg398271.aspx
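An added example (not from the original post): one way to review a customised role for least privilege is to diff its cmdlet list against the template it was built from and flag every change whose verb alters state. The function names, the read-only verb list and the offline sample lists are assumptions made for illustration.

```powershell
# Added example: diff a custom RBAC role's cmdlets against its template's.
function Compare-RoleCmdlets {            # hypothetical helper name
    param(
        [string[]]$TemplateCmdlets,       # cmdlets granted by the template role
        [string[]]$CustomCmdlets          # cmdlets granted by the custom role
    )
    # Assumption: these verbs are treated as read-only; anything else is flagged.
    $readOnlyVerbs = 'Get', 'Test', 'Export', 'Debug'
    # Compare-Object is case-insensitive for strings, so "get-cssite" matches "Get-CsSite".
    $diff = Compare-Object -ReferenceObject $TemplateCmdlets -DifferenceObject $CustomCmdlets
    foreach ($d in $diff) {
        $verb = ($d.InputObject -split '-', 2)[0]
        [pscustomobject]@{
            Cmdlet       = $d.InputObject
            Change       = if ($d.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            ChangesState = $readOnlyVerbs -notcontains $verb
        }
    }
}

function Get-RoleCmdletNames {            # hypothetical helper name
    param([string]$Identity)
    # Assumption: each entry either exposes a Name property or renders as the cmdlet name.
    (Get-CsAdminRole -Identity $Identity).Cmdlets |
        ForEach-Object { if ($_.Name) { $_.Name } else { "$_" } }
}

if (Get-Command Get-CsAdminRole -ErrorAction SilentlyContinue) {
    # In the Lync Server Management Shell: compare the live role with its template.
    $template = Get-RoleCmdletNames -Identity 'CsResponseGroupManager'
    $custom   = Get-RoleCmdletNames -Identity 'groupmgr'
} else {
    # Constructed sample lists (not the real template contents) so the logic runs offline.
    $template = 'Get-CsSite', 'Get-CsUser', 'Get-CsRgsWorkflow', 'New-CsRgsQueue', 'Set-CsRgsQueue'
    $custom   = 'Set-CsRgsQueue', 'Disable-CsUser', 'Enable-CsUser',
                'Set-CsOAuthServer', 'New-CsOAuthServer'
}

# Rows with Change = Added and ChangesState = True are the grants to justify or revert.
Compare-RoleCmdlets -TemplateCmdlets $template -CustomCmdlets $custom |
    Sort-Object Change, Cmdlet |
    Format-Table -AutoSize
```

With the sample lists, the four cmdlets added in the post show up as Added with ChangesState set to True, and the four removed ones as Removed.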
Hello,
I am trying to create a new admin role in Lync with the command
Set-CsAdminRole -Identity "LyncArch" -Cmdlets @{Add="Export-CsArchivingData"}
and receive this message:
WARNING: The role-based access control (RBAC) role ‘LyncArch’
cannot contain ‘Export-CsArchivingData’, because ‘Export-CsArchivingData’ is
not a Lync Server cmdlet. Only Lync Server cmdlets can be added to the role.
Does anybody have any suggestion why this happens?
In your example, lyncarch needs to have an underlying assignment of one of the 11 base RBAC templates. Generally you will not need to add a specific command, as the 11 templates should have a level which already includes that command. If you post the New-CsAdminRole command you successfully created before this step, I may be able to understand the context.
The prior command was
New-CsAdminRole -Identity LyncArch -template CSAdministrator
which executed without any warning.
Also, Export-CsArchivingData is not included in the CSAdministrator role, as I can see by executing
(Get-CsAdminRole -Identity CSAdministrator).cmdlets
So I tried to create a new role according to this article: http://lyncinsider.com/lync-server-2013/custom-administrative-roles-in-lync-server-2013-now-with-cmdlet-control/
but I met this error with RBAC. Actually, I can execute the command locally on the Lync server but am unable to execute it remotely, as it says that there is no such cmdlet.
OK, so your AD connection works. Local PowerShell is AD; remote PowerShell is RBAC. You created a new role, but there is no scope for the role. Add a user or site scope to "lyncarch". Then, if you are part of the user or site scope, you will be able to connect to a remote session to make changes to the role.
http://technet.microsoft.com/en-us/library/gg398271.aspx
Yes, I have already added a user to this scope and the connection to the remote session works successfully. I can execute many Lync cmdlets (such as Get-CsUser, etc.) except the cmdlet Export-CsArchivingData.
Please note that I receive the RBAC warning on the Lync server itself with the Export-CsArchivingData command; also, the command Set-CsAdminRole works perfectly locally.
I would focus on getting it to work from the Lync server first. I would say the permissions will get convoluted if you don't have local permissions first. So you want to verify you're also rtcuniversalserveradmin and have proper SQL permissions. The command itself is different for 2010 vs 2013; see what Terence has to say about the syntax here:
http://terenceluk.blogspot.com/2013/03/exporting-lync-server-2010-archive.html?m=1
Is archiving set up and installed? This is a prerequisite. Can you get reporting from the monitoring database? Persistent chat is a different service, so are you trying to export IM or conference content? Does this work successfully from the Lync control panel? This is where I would start. Once that all works, then move to a remote shell.