Recursively Enabling Lync Mobility

The request came in today to enable Lync Mobility for one of our remote groups. Fine enough, I thought, I will just run this script and be done with it.

But alas, things were not so simple. The script bombed out with this mess:

Grant-CsMobilityPolicy : Cannot bind argument to parameter ‘Identity’ because i
t is null.
At E:EnableMobility.ps1:15 char:31
+         Grant-CsMobilityPolicy <<<<  $x -PolicyName $args[1]
    + CategoryInfo          : InvalidData: (:) [Grant-CsMobilityPolicy], Param
   eterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M
   icrosoft.Rtc.Management.AD.Cmdlets.AssignOcsMobilityPolicyCmdlet

After some poking around, we realized that our target group contained groups, not users. And further, those sub-groups often contained groups of their own. So the script was not going to work in this situation. So I banged around for an hour and produced the following:


###############################################################
# Recursively Enable Lync Mobility for an AD Group
# Allows you to enable users in a non-default domain
#
# Parameters:
# 1: The Full DN of the target group. e.g.:
# "CN=Detroit Users,OU=Distribution Groups,OU=MI,DC=NorthAmerica,DC=flinchbot,DC=com"
# 2: The name of a domain controller to go against. e.g.
# miadc01.northamerica.flinchbot.com
# 3: The Policy to assign. e.g.:
# "tag:Enable Mobility"
# So the whole command would look like this:
# .\EnableMobility.ps1 "CN=Detroit Users,OU=Distribution Groups,OU=MI,DC=NorthAmerica,DC=flinchbot,DC=com" miadc01.northamerica.flinchbot.com "tag:Enable Mobility"
#
###############################################################

Import-Module ActiveDirectory
####################
#Set up the logfile
####################
$LogFile = "Enable-LyncMobilityLog-"+(get-date -uformat %d%m%Y-%H%M%S)+".txt"

########################
#Submit entry to Logfile
########################
$LogTXT = "Processing Users.....`n"
Out-File -FilePath $LogFile -InputObject $LogTXT

######################
#Get the list of users
######################
$members = Get-ADGroupMember $args[0] -server $args[1] -recursive

###############################################################
#Loop through the returned users and attempt to enable Mobility
###############################################################

Foreach ($user in $members)
{
    #############################################################
    #Select the SAM account name attribute from the data returned
    #############################################################
    $samaccountname = $user.samaccountname

    ########################
    #Submit entry to Logfile
    ########################
    $LogTXT = "Attempting to enable $samaccountname"
    Out-File -FilePath $LogFile -InputObject $LogTXT -Append

    ################
    #Enable Mobility
    ################
    Grant-CsMobilityPolicy $samaccountname -PolicyName $args[2]
}

There are three mandatory command line parameters.

The first is the distinguished name of the group you want to work with. I use the ADSIEdit utility to grab the Distinguished Name, as it is usually just as fast as banging it out on your own and there is less chance of a typo when you copy it from there.

The second command line argument is a fun one if you are in a multi-domain forest. To get the group members, I used the Get-ADGroupMember cmdlet. This is perfect for this usage, but by default it only looks in the current domain for the group. If you give it a domain controller from the remote domain, Get-ADGroupMember will search that domain for the group instead.

The final parameter is the Lync mobility policy you wish to assign to those users.

There is some basic logging as well. Upon launching the script, a file gets created called Enable-LyncMobilityLog-<DATETIME>.txt where DATETIME is the current date and time. Here is an example of what that filename might look like:

Enable-LyncMobilityLog-09012013-180655.txt

This gives you a separate log each time you run the script. All the log does is list the usernames the script has tried to enable. There is no detailed logging for success or failure; that only goes to the PowerShell screen, so if you expect to process a massive number of users, increase the PowerShell window buffer size.
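An added example, not the original author's script: a variant of the script above that keeps only user objects from the recursive expansion, writes a per-user result to the log file, and can preview a run before any policy is granted. The parameter names, the -Preview switch, the log line layout and the choice to pass the same domain controller to Grant-CsMobilityPolicy are assumptions of this example.

```powershell
# Added example, not the original author's script. Assumes it runs in the
# Lync Server Management Shell with the ActiveDirectory module available.
param(
    [Parameter(Mandatory = $true)][string]$GroupDN,          # full DN of the target group
    [Parameter(Mandatory = $true)][string]$DomainController, # DC in the group's domain
    [Parameter(Mandatory = $true)][string]$PolicyName,       # mobility policy to assign
    [switch]$Preview                                         # hypothetical switch: log only
)

Import-Module ActiveDirectory

$LogFile = "Enable-LyncMobilityLog-" + (Get-Date -Format 'ddMMyyyy-HHmmss') + ".txt"
"Processing members of $GroupDN via $DomainController" | Out-File -FilePath $LogFile

# -Recursive flattens nested groups and returns only leaf members. Those can
# still be computers or contacts, so keep user objects with a logon name.
$members = @(Get-ADGroupMember -Identity $GroupDN -Server $DomainController -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName })

foreach ($user in $members) {
    $sam = $user.SamAccountName
    try {
        # -ErrorAction Stop turns a cmdlet error into an exception, so each
        # failure is caught and written to the log instead of scrolling away.
        Grant-CsMobilityPolicy -Identity $sam -PolicyName $PolicyName `
            -DomainController $DomainController -WhatIf:$Preview -ErrorAction Stop
        $status = if ($Preview) { 'PREVIEW' } else { 'GRANTED' }
        $detail = ''
    }
    catch {
        $status = 'FAILED'
        $detail = $_.Exception.Message
    }
    # One tab-separated line per user: timestamp, account, result, error text.
    "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format s), $sam, $status, $detail |
        Out-File -FilePath $LogFile -Append
}

"Done: $($members.Count) user object(s) processed" | Out-File -FilePath $LogFile -Append
```

Because the recursive expansion grants the policy to everyone reachable through nested groups, a -Preview run leaves a reviewable list of exactly which accounts would be changed.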


Let's say you are running the script against a remote domain. After it completes, you want to verify that it worked, so you type Get-CsUser -Identity "Username" into PowerShell. To your disappointment, the Mobility Policy field is blank. The reason is that you need to wait for replication to happen. If you want to see that the change actually happened, use the -DomainController switch on the Get-CsUser command and point it to the same DC you used in the script. For example:

Get-CsUser -Identity "username" -DomainController miadc01.northamerica.flinchbot.com

Alternately, go to lunch and come back and you should see the change without needing to point to the remote DomainController.

