Enabling a User for Microsoft Lync Server 2010

Throughout the world, tribes, clubs, organizations, and other groups of like-minded people often require newcomers to be initiated before they can become members in good standing of that tribe, club, or organization. For example, the infamous Skull and Bones club at Yale reportedly makes newcomers chant the following “death mantra” over and over again:

 
“The hangman equals death!
The devil equals death!
Death equals death!”

 
And then, just for good measure, Skull and Bones has the initiates repeatedly yell “OOGA-BOOGA!” at the top of their lungs, which must thrill the neighbors to no end. (Although we suppose you only have yourself to blame if you decide to live next to some place called the Skull and Bones.)

 
Fortunately, Microsoft Lync Server 2010 requires no such initiation ceremony. (Although it is tempting to tell users that they have to yell “OOGA-BOOGA!” at the top of their lungs before they can use Microsoft Lync. Very tempting.) But just because there’s no initiation ceremony that doesn’t mean people can start using Microsoft Lync the moment you finish installing Lync Server 2010. Instead, no one can use Microsoft Lync until their Active Directory user account has been enabled for Microsoft Lync Server. And to enable an account for Microsoft Lync Server you need to do two things:

  1. Yell “OOGA-BOOGA!” at the top of your lungs. (OK, this step is optional.)
  2. Run the Enable-CsUser cmdlet.

Note. Actually, there’s another way: you can also enable user accounts via the Lync Server Control Panel. But seeing as how this is a PowerShell article we’re just going to forget about Control Panel for now. Instead, everything we’ll talk about from here on in will take place in the Lync Server Management Shell.

 
Let’s start with the simplest possible case: we need to enable Ken Myer for Lync Server, and we want to assign Ken the SIP address sip:kenmyer@litwareinc.com. Here’s a command that will do just that:

 
Enable-CsUser –Identity "Ken Myer" –RegistrarPool atl-cs-001.litwareinc.com –SipAddress "sip:kenmyer@litwareinc.com"

 
Let’s take a look at the individual parameters (and parameter values) that make up this command. As you might have guessed, the –Identity parameter represents the Identity of the user whose account is to be enabled for Lync Server. Officially, there are four different ways to specify a user’s Identity:

  1. By using the user’s Active Directory display name. That’s the route we’ve taken in this example.
  2. By using the user’s SIP address. That works just fine, but if the user hasn’t been enabled for Lync Server then there’s a good chance he or she won’t actually have a SIP address.
  3. By using the user’s User Principal Name (UPN).
  4. By using the user’s logon name and domain name, in the format domain\logon_name. For example: litwareinc\kenmyer.

Note. Hey, wait a second: why did you say that “officially” there are four different ways to specify a user’s Identity. Does that mean there’s a fifth way to specify the Identity?

 
As a matter of fact, there is: you can also use the user’s Active Directory distinguished name. That’s going to be something on the order of CN=Ken Myer,OU=Finance,OU=Redmond,DC=Litwareinc,DC=com. If you want to type all that in (as opposed to, say, typing Ken Myer), well, that’s entirely up to you.

 
Incidentally, what if you don’t know any of these values for any of your users? Well, this command might help: it returns the display name, SIP address, and UPN for all your Active Directory user accounts:

 
Get-CsAdUser | Select-Object DisplayName, SipAddress, UserPrincipalName

 
As for the –RegistrarPool parameter, well, this is simply the fully qualified domain name of the Lync Server Registrar pool where the user account should be homed. Like -Identity, this is a mandatory parameter: all user accounts must be homed on a Registrar pool. If you omit the –Identity parameter your command is going to fail.

Note. What’s that? You say you don’t know the fully qualified domain names of all your registrar pools either? Boy, are you lucky that we’re the ones writing this article or what? Here’s a command that will return that information for you:

 
Get-CsPool | Where-Object {$_.Pools –match "Registrar:"} | Select-Object Fqdn

 
That leaves us with just one unexplained parameter: -SipAddress. It probably goes without saying that this parameter is used to specify the SIP address to be assigned to the user. Keep in mind that you can’t enable a user without assigning him or her a SIP address; that’s true even if the person in question already has a SIP address. (Like we showed you earlier, however, you can use the Get-CsAdUser cmdlet to determine the SIP address, if any, that has already been assigned to a user.) Note that the SIP address has to start with the prefix sip: . This syntax will work:

 
-SipAddress "sip:kenmyer@litwareinc.com"

 
This syntax won’t:

 
-SipAddress "kenmyer@litwareinc.com"

Note. We should also point out that the domain portion of the SIP address must represent a valid SIP domain; that’s important, because it’s possible for you to have domains in your organization that haven’t been enabled for SIP traffic. If that’s the case, don’t use one of those non-SIP domains when specifying a SIP address.

 
Sigh. OK, if you don’t know the names of your SIP domains try running this command:

 
Get-CsSipDomain

You might have noticed that we said you had to assign a user a SIP address; however, we didn’t say that the –SipAddress parameter is a mandatory parameter. Was that just a mistake on our part?

 
As a general rule, we’d strongly encourage you to take any bet that suggests we made a mistake. In this case, however, we actually knew what we were talking about: yes, you have to give each user a SIP address, but you don’t have to use the –SipAddress parameter to do this. The –SipAddress parameter is used if you want to assign a specific SIP address to a user; for example, if it’s important that Ken Myer be given the specific SIP address sip:kenmyer@litwareinc.com then you need to use -SipAdress. However, if you aren’t quite so particular about SIP addresses, then there are alternative ways to assign a SIP address, alternative ways in which Lync Server actually constructs the SIP address for you:

 
Construct a SIP address using the user’s first name and last name

 
With this approach, the SIP address will consist of the user’s first name, a dot (.), and the user’s last name, followed by the @ sign and the user’s SIP domain. (For example: Ken.Myer@litwareinc.com.) To have Communications Server create this type of address for you, you need to use the –SIPAddressType parameter along with the parameter value FirstLastName. You also need to include the –SipDomain parameter followed by the appropriate SIP domain.

 
In other words:

 
Enable-CsUser –Identity "Ken Myer" –RegistrarPool atl-cs-001.litwareinc.com –SipAddressType FirstLastName –SipDomain litwareinc.com

 
Construct a SIP address using the user’s SamAccountName and domain name

 
The SamAccountName is the user’s logon name: it’s the kenmyer portion of litwareinc\kenmyer. To use the SamAccountName as the SIP address use the –SipAddressType parameter followed by the parameter value SamAccountName:

 
Enable-CsUser –Identity "Ken Myer" –RegistrarPool atl-cs-001.litwareinc.com –SipAddressType SamAccountName –SipDomain litwareinc.com

 
Note that you also need to include the –SipDomain parameter followed by the appropriate SIP domain. With both FirstLastName and SamAccountName you must explicitly indicate the SIP domain; Enable-CsUser won’t try to make a “best guess” at determining the domain name for you.

 
Use the user’s email address as his or her SIP address

 
This is kind of a nice option: it simply grabs the user’s email address and uses that same value for his SIP address. (That way, users have just one address to remember.) To use this option, simply include the –SipAddressType parameter followed by the parameter value EmailAddress:

 
Enable-CsUser –Identity "Ken Myer" –RegistrarPool atl-cs-001.litwareinc.com –SipAddressType EmailAddress

 
Notice that you don’t need to add the –SipDomain parameter; that’s because the email address already includes domain information. This is also true if you use the next option, the User Principal Name. No need to use –SipDomain there, either.

 
Use the user’s UPN as his or her SIP address

 
Are your UPNs so wonderful that you can’t bear not to use them as SIP addresses, too? No problem: just include the –SipAddressType parameter followed by the parameter value UserPrincipalName. You know, like this:

 
Enable-CsUser –Identity "Ken Myer" –RegistrarPool atl-cs-001.litwareinc.com –SipAddressType UserPrincipalName

 
Good question: why would you even want to have Lync Server create SIP addresses for you? Well, there are several reasons that we can think of. For one, it’s less typing, which means less chance for you to make a mistake. (For example, typing kenmeyer rather than kenmyer.) For another, it helps ensure consistency throughout the organization. If you let Lync Server create SIP addresses for you (in this case, using the FirstLastName approach) you’ll get SIP addresses that look like these:

  • Ken.Myer@litwareinc.com
  • Jonathan.Haas@litwareinc.com
  • Pilar.Ackerman@litwareinc.com
  • Kim.Abercrombie@litwareinc.com

By contrast, if you let administrators arbitrarily assign SIP addresses themselves then you might very well get SIP addresses that look like these:

  • big_guy_KM@litwareinc.com
  • JHAAS@litwareinc.com
  • ackermanpilar@litwareinc.com
  • ka@litwareinc.com

More importantly, having Lync Server auto-assign SIP addresses also allows you to enable multiple users in a single command. For example, suppose you want to enable all the users in the Sales department. If you provide custom SIP addresses for everyone you’re going to have to run Enable-CsUser multiple times, once for each user. If you let Lync Server create the addresses for you, you can enable all these users (however many tens or hundreds or thousands of them there might be) with just a single command:

 
Get-CsUser –LdapFilter "Department=Sales" | Enable-CsUser –RegistrarPool atl-cs-001.litwareinc.com –SipAddressType FirstLastName –SipDomain litwareinc.com

 
Note. Don’t worry about the command Get-CsUser –LdapFilter "Department=Sales" . If you aren’t sure what we’re doing there, or why we’re doing it, take a look at the article Retrieving Active Directory and Microsoft Lync Server 2010 User Accounts .

 
That’s all we have time for today. As those of us who are members of the Skull and Bones like to say, “OOGA-BOOGA!”

 
Note. Actually, neither of the authors are members of the Skull and Bones club. And it’s hard to say who’s happier about that: us, or the members of the Skull and Bones club.

Comments

  • Anonymous
    January 01, 2003
    Hey BK, That happens because Get-CsPool doesn't actually return a property named Pools. Try this: Get-CsPool | Where-Object {$_.Services -match "Registrar:"} | Select-Object Fqdn

  • Anonymous
    September 15, 2010
    An entertaining Lync read indeed.  Keep up the posts!

  • Anonymous
    February 09, 2011
    haha, i agree with Pat... This was very enjoyable :) oh and it helped me alot aswell! Keep it up!

  • Anonymous
    April 14, 2011
    The comment has been removed

  • Anonymous
    August 12, 2011
    How can I mass SIP enable users in AD. I have over 4000 users. Is there any way you could script it so all the users will get it stamped and also if it is possible Automate the process (for example Raun as scheduled task every day to check if there is any user user and if there is m then stamp/Sip enable that user Thank you so much

  • Anonymous
    August 18, 2011
    Yeah I second FZAMIR Can we enable an AD group instead of individual users?

  • Anonymous
    September 13, 2011
    The comment has been removed

  • Anonymous
    September 22, 2011
    I am also searching a way to enable a Security/Email enabled AD Group on Lync 2010. It will help to minimise the efforts of for Lync adins to enabling User for Lync. Though this we goonna achieve the the default Lync enabled users based on this Group membership.