Stephanos Constantinou Blog

Skype for Business Delegated Permissions

05/07/2018 by Stephanos

Scenario:

The script below provides delegated permissions to IT administrators in Skype for Business. Let's first look at a few details and what you need to know about it.

Request

I had a request to provide delegated permissions to local IT administrators on the Skype for Business server through the web console. Local IT administrators need to be able to:

  • Enable / Disable Skype for Business for a user
  • Modify settings for a user in Skype for Business
  • Enable / Disable Skype for Business Telephony for a user
  • Have permissions only for the users they are responsible for

The Target

To give local IT administrators these capabilities, we have to grant them the “CSUserAdministrator” permissions on Skype for Business. The problem is that if we apply these permissions directly to them, they will be able to administer all users. To limit the users they are able to administer, we need to use scopes. In this case I have used UserScopes, which are based on Active Directory Organizational Units.

I could do it manually for each location, but it would take a lot of time. I would need to find all Organizational Units in Active Directory manually and run the command in PowerShell, trying not to leave any Organizational Unit out of the scope. To avoid this, I wrote the script below, so I am able to run it whenever it is needed. The script is able to create a new role based on the current settings in the script or update the “UserScope” of an existing role. It is only able to apply changes to the roles pre-defined within the script. We are now going to explain what the script does and how I have achieved my target.

Script Details

Collecting the Information

First, the script collects information about the domain. Then it collects all Organizational Units under a specific Organizational Unit. As you can see in the script, I am using the -SearchBase parameter to limit the collection to the Organizational Units that I would like to have. You can also run it without the -SearchBase parameter if you would like to collect all Organizational Units in Active Directory. This depends on the structure of your Active Directory.

After the script has collected all the Organizational Units that we need, it shows the user the actions that it is able to perform. Each number represents a specific action.

[Image: Set-SfbDelegation - Action Options]

Then, in the same way, the script asks the user for the number of the location to which they want to give delegated permissions.

[Image: Set-SfbDelegation - Country Options]

Processing the Information

After the information has been collected, the script processes the data according to the user's selections. As you can see in the script below, there is a switch statement that filters the Organizational Units for the selected location. In the script below the filtering is simple, and you need to change it according to your Active Directory structure. In the actual script that I use for my company, the filters are much more complicated. When the filtering is complete, a second switch statement follows to call the function responsible for the selected action.
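One way to tighten the location filter so that a role's UserScopes cannot pick up Organizational Units outside the intended subtree, shown as an added example that is not part of the original script. The function name Select-ScopedOU, the one-root-OU-per-location layout and the example.com distinguished names are assumptions, and the sample data is constructed.

```powershell
# Added example: anchored OU selection for one location. All DNs below are constructed sample data.
function Select-ScopedOU {
    param(
        [Parameter(Mandatory)][string[]]$DistinguishedName,   # candidate OU DNs
        [Parameter(Mandatory)][string]$LocationRoot,          # assumed layout: one root OU per location
        [string[]]$AllowedName = @("Employees", "ApplicationAccounts")
    )
    $suffix  = "," + $LocationRoot
    $allowed = $AllowedName | ForEach-Object { "OU=$_" }
    foreach ($dn in $DistinguishedName) {
        # Anchor on the end of the DN: the OU must sit below the location root,
        # not merely contain the location name somewhere in its path.
        if (-not $dn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        # Compare whole RDNs (split on unescaped commas) instead of substrings.
        $relative = $dn.Substring(0, $dn.Length - $suffix.Length)
        $rdns = $relative -split '(?<!\\),'
        if ($rdns | Where-Object { $allowed -contains $_ }) { $dn }
    }
}

$root   = "OU=Cyprus,OU=Offices,DC=example,DC=com"
$sample = @(
    "OU=Employees,OU=Cyprus,OU=Offices,DC=example,DC=com",
    "OU=Sales,OU=Employees,OU=Cyprus,OU=Offices,DC=example,DC=com",
    "OU=ApplicationAccounts,OU=Cyprus,OU=Offices,DC=example,DC=com",
    "OU=FormerEmployees,OU=Cyprus,OU=Offices,DC=example,DC=com",
    "OU=Employees,OU=Cyprus Street,OU=Greece,OU=Offices,DC=example,DC=com"
)

# The substring filter in the form the script uses, for comparison.
$wildcard = $sample | Where-Object {
    (($_ -like "*Employees*") -or ($_ -like "*ApplicationAccounts*")) -and ($_ -like "*Cyprus*")
}
$anchored = @(Select-ScopedOU -DistinguishedName $sample -LocationRoot $root)

# OUs the substring filter would put in the role's UserScopes but the anchored one rejects.
$overMatched = $wildcard | Where-Object { $anchored -notcontains $_ }
Write-Host "Anchored selection:"; $anchored
Write-Host "Only matched by the substring filter:"; $overMatched

# Nothing selected: stop rather than hand an empty scope list to the role functions.
if ($anchored.Count -eq 0) { throw "No OUs selected for $root" }
```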

Functions

The script has 2 functions that provide the delegated permissions to the selected local IT. One of the functions is responsible for creating a new “CsAdminRole” and the other for updating the user scope of the role. You will see that within the functions I am working with the array in order to edit the data (each distinguished name gets the “OU:” prefix) and arrange it to be acceptable by the cmdlet.

Then the permissions are applied. For both functions, if the operation succeeds and there is no issue, the script informs the user that the permissions have been provided. In the case of the “userscope” update, it informs the user that the scope has been updated. If there is any error during the operation, the script shows a warning message that the permissions have not been applied or that there was an error during the update process.

function fn_NewRole($CurrentAdmin,$ActiveOUs,$CurrentLocation){
    # Build the UserScopes list: each OU distinguished name is prefixed with "OU:"
    $CurrentOUs = @()

    ForEach ($OU in $ActiveOUs) {
        $TempOU = "OU:$OU"
        $CurrentOUs += $TempOU
    }
    try{
        $NewAdminParams = @{
            Identity = $CurrentAdmin
            Template = "CsUserAdministrator"
            UserScopes = $CurrentOUs
            # Make errors terminating so that the catch block actually runs
            ErrorAction = "Stop"
        }
        New-CsAdminRole @NewAdminParams
        Write-Host "Sfb Delegation has been applied on $CurrentLocation" -ForegroundColor Green
    }
    catch{
        Write-Warning "Not able to apply SfB Delegation for $CurrentLocation"
    }
}

# The second parameter is the list of OU distinguished names, as passed by the caller
function fn_UpdateFilter($CurrentAdmin,$ActiveOUs,$CurrentLocation){

    $CurrentOUs = @()

    ForEach ($OU in $ActiveOUs) {
        $TempOU = "OU:$OU"
        $CurrentOUs += $TempOU
    }
    try{
        # Replace overwrites the whole existing scope list of the role
        Set-CsAdminRole -Identity $CurrentAdmin -UserScopes @{Replace=$CurrentOUs} -ErrorAction Stop
        Write-Host "User scope has been updated on $CurrentAdmin for $CurrentLocation" -ForegroundColor Green
    }
    catch{
        Write-Warning "Not able to update user scope for $CurrentLocation"
    }
}
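Because the update function replaces the whole scope list, it helps to see what a role currently reaches before overwriting it. The following is an added example, not part of the original script: Compare-RoleScope is a hypothetical helper, the scope values are constructed, and the commented live usage assumes the role object returned by Get-CsAdminRole exposes UserScopes as strings in the same "OU:" form.

```powershell
# Added example: report scope drift before replacing a role's UserScopes. Sample values are constructed.
function Compare-RoleScope {
    param(
        [string[]]$CurrentScope,                        # entries as stored on the role, e.g. "OU:OU=..."
        [Parameter(Mandatory)][string[]]$ExpectedOU     # DNs the role is meant to cover
    )
    # Strip the "OU:" prefix the script adds and compare case-insensitively.
    $current = @(); $expected = @()
    foreach ($s in $CurrentScope) { $current  += ($s -replace '^OU:', '').Trim().ToLowerInvariant() }
    foreach ($s in $ExpectedOU)   { $expected += ($s -replace '^OU:', '').Trim().ToLowerInvariant() }

    $unexpected = @($current  | Where-Object { $expected -notcontains $_ } | Select-Object -Unique)
    $missing    = @($expected | Where-Object { $current  -notcontains $_ } | Select-Object -Unique)
    [pscustomobject]@{
        Unexpected = $unexpected     # the role currently reaches these, but they are not intended
        Missing    = $missing        # intended, but not yet on the role
        InSync     = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$currentScope = @(
    "OU:OU=Employees,OU=Cyprus,OU=Offices,DC=example,DC=com",
    "OU:OU=Employees,OU=Greece,OU=Offices,DC=example,DC=com"    # constructed leftover entry
)
$expectedOUs = @(
    "OU=Employees,OU=Cyprus,OU=Offices,DC=example,DC=com",
    "OU=ApplicationAccounts,OU=Cyprus,OU=Offices,DC=example,DC=com"
)

$report = Compare-RoleScope -CurrentScope $currentScope -ExpectedOU $expectedOUs
$report | Format-List
if ($report.Unexpected.Count -gt 0) {
    Write-Warning ("Role scope is wider than intended: " + ($report.Unexpected -join "; "))
}

# Against a live deployment (assumption: UserScopes is exposed as a list of strings):
#   $role = Get-CsAdminRole -Identity "cy-Admin"
#   Compare-RoleScope -CurrentScope $role.UserScopes -ExpectedOU $ActiveOUs
```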

After everything has completed, successfully or not, the script asks the user whether to run it again. The default answer is “No”.

Note that for role creation to work, a security group with the same name as the role must already exist in Active Directory.

This script is simple but it can save you a lot of time if you would like to provide delegated permissions on Skype for Business to local IT administrators.

You can download the script here or copy it from below. (Note that code within the script might not be copied correctly due to syntax highlighting.)

Hope you like it.

Your feedback is appreciated.

If you have any questions or anything else please let me know in the comments below.

Solution / Script:

<#
.SYNOPSIS
  Name: Set-SfbDelegation.ps1
  The purpose of this script is to provide delegated access to administrators
  for Skype for Business.

.DESCRIPTION
  The script will provide the predefined permissions to IT administrators by
  creating custom admin role in Skype for Business or updating the userscopes
  of existing roles that are already configured in the script.

.RELATED LINKS
  Home

.NOTES
  Version: 1.0
  Release Date: 03-07-2018
  Author: Stephanos Constantinou

.EXAMPLE
  Set-SfbDelegation.ps1
#>

$again = "yes"
$answer = "no"

$domain = Get-ADDomain

# Collect only the Organizational Units below OU=Offices
$AllOUsParams = @{
    Properties = "DistinguishedName"
    SearchBase = ("OU=Offices,"+$domain.DistinguishedName)
    Filter = "*"}

$AllOUs = Get-ADOrganizationalUnit @AllOUsParams

$actioninfo = @"
List of actions:
1. New Role
2. Update Role User Scopes
"@

$countryinfo = @"
List of the countries that you want to apply the delegation for:
1. Cyprus
2. Greece
3. Germany
4. India
"@

function fn_NewRole($CurrentAdmin,$ActiveOUs,$CurrentLocation){
    # Build the UserScopes list: each OU distinguished name is prefixed with "OU:"
    $CurrentOUs = @()

    ForEach ($OU in $ActiveOUs) {
        $TempOU = "OU:$OU"
        $CurrentOUs += $TempOU
    }
    try{
        $NewAdminParams = @{
            Identity = $CurrentAdmin
            Template = "CsUserAdministrator"
            UserScopes = $CurrentOUs
            # Make errors terminating so that the catch block actually runs
            ErrorAction = "Stop"
        }
        New-CsAdminRole @NewAdminParams
        Write-Host "Sfb Delegation has been applied on $CurrentLocation" -ForegroundColor Green
    }
    catch{
        Write-Warning "Not able to apply SfB Delegation for $CurrentLocation"
    }
}

# The second parameter is the list of OU distinguished names, as passed by the caller
function fn_UpdateFilter($CurrentAdmin,$ActiveOUs,$CurrentLocation){

    $CurrentOUs = @()

    ForEach ($OU in $ActiveOUs) {
        $TempOU = "OU:$OU"
        $CurrentOUs += $TempOU
    }
    try{
        # Replace overwrites the whole existing scope list of the role
        Set-CsAdminRole -Identity $CurrentAdmin -UserScopes @{Replace=$CurrentOUs} -ErrorAction Stop
        Write-Host "User scope has been updated on $CurrentAdmin for $CurrentLocation" -ForegroundColor Green
    }
    catch{
        Write-Warning "Not able to update user scope for $CurrentLocation"
    }
}

while (($again -ieq "yes") -or ($again -ieq "y")){

    # Ask for the action until a valid number is entered
    do{
        Write-Host $actioninfo -ForegroundColor Green
        $ActionOption = Read-Host -Prompt 'Please select the action that you want'}
    until (($ActionOption -eq "1") -or ($ActionOption -eq "2"))

    # Ask for the country until a valid number is entered
    do{
        Write-Host $countryinfo -ForegroundColor Green
        $countryoption = Read-Host -Prompt 'Please select the number of the country'}
    until (($countryoption -eq "1") -or
           ($countryoption -eq "2") -or
           ($countryoption -eq "3") -or
           ($countryoption -eq "4"))

    # Filter the Organizational Units for the selected location
    switch ($countryoption){
        1 {
            $CyprusOUs = ($AllOUs | where {
                (($_.DistinguishedName -like "*Employees*") -or
                 ($_.DistinguishedName -like "*ApplicationAccounts*")) -and
                ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName
            $CurrentAdmin = "cy-Admin"
            $CurrentLocation = "Cyprus"
            $ActiveOUs = $CyprusOUs
        }
        2 {
            $GreeceOUs = ($AllOUs | where {
                (($_.DistinguishedName -like "*Employees*") -or
                 ($_.DistinguishedName -like "*ApplicationAccounts*")) -and
                ($_.DistinguishedName -like "*Greece*")}).DistinguishedName
            $CurrentAdmin = "gr-Admin"
            $CurrentLocation = "Greece"
            $ActiveOUs = $GreeceOUs
        }
        3 {
            $GermanyOUs = ($AllOUs | where {
                (($_.DistinguishedName -like "*Employees*") -or
                 ($_.DistinguishedName -like "*ApplicationAccounts*")) -and
                ($_.DistinguishedName -like "*Germany*")}).DistinguishedName
            $CurrentAdmin = "de-Admin"
            $CurrentLocation = "Germany"
            $ActiveOUs = $GermanyOUs
        }
        4 {
            $IndiaOUs = ($AllOUs | where {
                (($_.DistinguishedName -like "*Employees*") -or
                 ($_.DistinguishedName -like "*ApplicationAccounts*")) -and
                ($_.DistinguishedName -like "*India*")}).DistinguishedName
            $CurrentAdmin = "in-Admin"
            $CurrentLocation = "India"
            $ActiveOUs = $IndiaOUs
        }
        default {"You have entered a wrong number. Run the script again"; Exit}
    }

    # Call the function responsible for the selected action
    switch ($ActionOption){
        1 {fn_NewRole $CurrentAdmin $ActiveOUs $CurrentLocation}
        2 {fn_UpdateFilter $CurrentAdmin $ActiveOUs $CurrentLocation}
    }

    # Ask whether to run again; an empty answer means "no"
    do{
        $answer = Read-Host -Prompt 'Do you want to run delegation script again (Default is No)?'

        If (($answer -ieq "n") -or
            ($answer -ieq "y") -or
            ($answer -ieq "no") -or
            ($answer -ieq "yes") -or
            ($answer -eq "")){

            if ($answer -eq ""){$answer = "no"}
            $userinput = "correct"
        }
        else{
            $userinput = "wrong"
            $WrongAnswer = @"
You have entered a wrong answer.
Please enter y [YES] or n [NO]
"@
            Write-Host $WrongAnswer -ForegroundColor Red
        }
    }
    while ($userinput -eq "wrong")

    $again = $answer}
