Enable-CsForestUser PowerShell Script

I wrote this script, partly to help a friend, and partly to follow on from my previous article called Lync Central Forest Topology with Forefront Identity Manager (FIM). In that article I tried to explain what FIM is, what it does, and the situations when it relates to Lync. If you’ve read it, you can see that it produces a fairly simple effect, which is to synchronise a specific set of attributes, from one user in one forest to an object in another forest, albeit in a not so fairly simple way.

FIM can be big investment in terms of time and money not only to understand, but to install, configure, and maintain. This script can be used for smaller deployments where a ‘semi-automatic’ approach may be better, or for temporary situations where FIM may be overkill.

Feel free to use this script, or any part of it, in your own scripts. Use it at your own risk and make sure you understand what it does before you run it in a production environment. </disclaimer>

Script Overview

The script automates the reading and writing of a bunch of attributes between forests, both for display purposes i.e. address book search, and specifically for the required attributes that let Lync associate the object with the source user.

The script finds the specified user, reads the attributes, and creates an object in the destination forest (either a “Resource”, or “Central” Forest), and creates a Lync account associated to the source user.

You can run the script multiple times, and it will update the destination object with the attributes from the source forest. For example, if the name, job title, department or anything else changes.

How to Use

You should run this script from the same forest where Lync is deployed. The first thing you need to specify is the UPN of the user in the source forest (the “User” Forest), as well as the usual parameters from Enable-CsUser such as -RegistrarPool, and -SipAddress. (If you want to use  -SipDomain and/or -SipAddressType then you should be able to edit the script fairly easily).

If there is already a previously synchronised object in the destination forest, the script will automatically update the attributes on that object. Otherwise the script will use the  -ObjectType  parameter to create either a Contact object, or a DisabledUser object in a location specified by the  -Path  parameter (which should be specified as an LDAP formatted Distinguished Name).

You should use a ‘Contact’ object if the resource forest only contains Lync. Or if you intend on setting up a Linked Mailbox in Exchange, then you need to use a ‘Disabled User’ object instead. There is no functionality different as far as Lync is concerned.

If there is only a one-way trust configured, then you can manually specify credentials to use when accessing the source forest by using the -SourceCreds parameter.

Examples

Example 1: Create a contact object based on graham@userforest.local, place it in an OU called Lync Users, home it on lyncpool.resource.local, and assign a SIP address of graham@sipdomain.co.uk

 

Example 2: Create a disabled user object based on graham@userforest.local, place it in an OU called Lync Users, home it on lyncpool.resource.local, and assign a SIP address of graham@sipdomain.co.uk, and pass that to Set-CsUser to enable Enterprise Voice and assign a LineURI

 

Example 3: Update attributes for existing object, using specified credentials.

Download

Enable-CsForestUser – Version 1.0

  • Version 1.0 – First release

Unzip and run from a PowerShell prompt.

And obviously – This Script is provided ‘as is’ without warranty of any kind.

The Script

Here’s some snippets from the code with some short explanations…

The script creates arrays containing the attributes to copy, this list is taken from FIM LcsSync. Feel free to add your own.

Get source user account by filtering for the specified UPN, also takes the domain part of the UPN to identify the server(s) to connect to, and return the attributes from $AllAttributes array.

Get the object in the destination forest that matches the ObjectSID of the source in its msRTCSIP-OriginatorSid

Create the object if it doesn’t exist, and write the DN to msDS-SourceObjectDN and ObjectSid to msRTCSIP-OriginatorSid, and return the new object.

Copy the attributes one by one, and write them to the destination object.

And finally, enable the user (by specifying the DN of the new object in this forest).

The End

There’s probably plenty of improvement that could be made to the script, like more error checking for example. Also it might suit you better not to filter based on the user’s UPN, and instead identify them by samAccountName or by full DN instead.

As always, I welcome any feedback, and it would be nice to hear if you use it.

Thanks,

Tweet about this on TwitterShare on LinkedInShare on Facebook
Pin on PinterestShare on Google+Digg thisShare on RedditShare on StumbleUponEmail this to someone

About Graham Cropley

Working as a Senior Consultant for Skype for Business, Exchange, and Office 365.

2 Comments

  1. Hi Graham,

    It is good work! Thank you.

    I need this script to work in my environment. I run it. It creates the contact object but it gives me an error when it is trying to set-adobject as you can find in the below. What is the problem? I could not understand what does it want. Do you know what can be the problem?

    Set-AdObject : The name reference is invalid
    At C:\Users\-\Desktop\Enable-CsForestUser.ps1:118 char:1
    + Set-AdObject -Instance $DestinationUser
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-ADObject], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.SetADObject

  2. Ok. I rewrite that line code and now it works 🙂
    Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *