In-band provisioning, client bootstrapping, tags, Group Policy, policies vs. settings. Yup, it can be confusing. In this post, I try to demystify Lync Server 2010 policies and settings.
Overview
In Lync Server 2010, the Group Policy settings that were used in previous OCS releases have been replaced with server settings that are sent to clients through in-band provisioning. In-band provisioning settings are managed through the two Lync Server 2010 administrative tools – Lync Server Control Panel and Lync Server Management Shell. In Lync Server 2010, you can centrally manage all policy settings and apply them at the global level, site level, or tag level. Tags are settings that can be applied to a single user or to a group of users.
The benefits that Microsoft lists for in-band provisioning settings are:
- Administrators can handle all client configuration tasks in a single location, using a single user interface.
- Settings can be configured at the global, site, or tag level.
- Settings that are server-based provide a consistent end-user experience for people who are not joined to the corporate domain or who join using devices or remote clients.
- Settings take effect immediately.
- Settings that are server-based help improve client security because they do not depend on the client program to enforce the policy.
If you refer to the Microsoft Lync Server documentation, you will notice the use of both policies and settings. Policies, in terms of Lync Server 2010, are groupings of settings that can be applied at various levels (Global, Site, and Tag). Settings are the individual options that affect Lync Server 2010 functionality. For example, a default installation of Lync Server 2010 includes a Global policy. Within the Global policy, there are several settings that can be defined. One example is the file transfer filter configuration settings, which define whether or not file transfers through instant messaging are allowed.
Precedence
Since Lync Server 2010 client settings can be set at various levels (in-band provisioning, registry, and the Lync – Options dialog box in Microsoft Lync 2010), it is important to understand the precedence used. The table below lists the precedence that is used for Lync Server 2010 client settings.
| Precedence | Location or Method of Setting |
| --- | --- |
| 1 | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator |
| 2 | HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator |
| 3 | Lync Server 2010 in-band provisioning |
| 4 | The Lync – Options dialog box in Microsoft Lync 2010 |
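The following is an added example, not part of the original post: a read-only PowerShell check that lists the values present under the two registry policy keys from the table, so you can see which client settings on a machine will override in-band provisioning. The function name and output column names are hypothetical.

```powershell
# Added example (not from the original post). Read-only: it changes nothing.
# Lists values under the two policy keys that outrank in-band provisioning.
function Get-CommunicatorPolicyOverride {
    # Ordered by the precedence given in the table above (1 wins over 2).
    $sources = @(
        @{ Rank = 1; Path = 'HKLM:\Software\Policies\Microsoft\Communicator' },
        @{ Rank = 2; Path = 'HKCU:\Software\Policies\Microsoft\Communicator' }
    )
    $winner = @{}   # value name -> entry that takes effect

    foreach ($src in $sources) {
        if (-not (Test-Path -Path $src.Path)) { continue }   # key not present
        $key = Get-Item -Path $src.Path
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the unnamed default value
            $entry = New-Object PSObject -Property @{
                Setting    = $name
                Value      = $key.GetValue($name)
                Precedence = $src.Rank
                Source     = $src.Path
                Shadows    = ''
            }
            if ($winner.ContainsKey($name)) {
                # Already defined at a higher precedence (HKLM); record the
                # lower-precedence value that is being shadowed.
                $winner[$name].Shadows = "$($src.Path) = $($entry.Value)"
            } else {
                $winner[$name] = $entry
            }
        }
    }

    $winner.Values | Sort-Object Setting |
        Select-Object Setting, Value, Precedence, Source, Shadows
}

# Every row returned overrides in-band provisioning (precedence 3) and the
# Lync - Options dialog box (precedence 4) for that setting on this machine.
Get-CommunicatorPolicyOverride | Format-Table -AutoSize
```

An empty result means neither policy key holds any values, so the client takes its settings from in-band provisioning and the Options dialog box.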
Configuring Lync Server 2010 Client Bootstrapping Policies
There are several client bootstrapping policies that you should configure before users sign in to the server for the first time. Because these policies take effect before the client signs in and begins receiving in-band provisioning settings from the server, you can use Group Policy to configure them.
Microsoft does have an administrative template file that can be used with Group Policy for client bootstrapping policies. However, the availability of this file is somewhat confusing. For starters, the Lync Server 2010 TechNet Library states the file is called Lync.adm and it is located on the Lync distribution disk. I interpreted this as the Lync Installation media, so I checked the Lync Server 2010 installation ISO that I downloaded from my TechNet subscription, but the file was not there. After doing some research, the unofficial consensus is that the adm file is located on the Lync 2010 Client media available through a Partner download, and is actually called communicator.adm. I don't have access to this media. However, there is someone that has posted the communicator.adm file and made it available for download. I downloaded the adm from this source, and used the Group Policy Object Editor to load it into a GPO. Below is a screenshot of the settings that can be defined through this adm file. Notice that the name of the Administrative Template does include Microsoft Lync in it.
Working with Lync Server 2010 In-Band Policies
As mentioned above, policies are groupings of settings that can be applied at the global, site, and tag level. Lync Server 2010 comes with built-in global policies for IM and Presence, Voice Routing, Conferencing, Clients, External User Access, Monitoring and Archiving, Security, and Network.
Viewing Policies
You can view policies by using the Lync Server Control Panel and the Lync Server Management Shell. Within each workload, the relevant policy will be shown. For example, to use the Lync Server Control Panel to view the File Filter policies, you would:
- Click on IM and Presence.
- Ensure the File Filters tab is selected. The File Filter policies will be visible, as shown below:
You can also view policies by using the Lync Server Management Shell. To view the File Filters policies using the Lync Server Management Shell, I would use the following command:
Get-CsFileTransferFilterConfiguration
This will list each File Filter policy, as shown below. In this case, I only have one File Filter policy in my lab, which is the default Global policy.
Creating Policies
You can create policies by using the Lync Server Control Panel and the Lync Server Management Shell. In this example, I create a new File Transfer Filter policy that is applied at the site level, to a site called Hub Site. To do so using the Lync Server Control Panel, I would do the following:
- Click on IM and Presence.
- Click on New.
- Select the Hub Site, and then click OK.
- On the New File Filter – Hub Site window, leave the default settings or modify the settings, and then click Commit.
- The new policy will now be visible on the IM and Presence tab of the Lync Server Control Panel.
To do the same using the Lync Server Management Shell, I would use the following command:
New-CsFileTransferFilterConfiguration -Identity site:"Hub Site"
As you can see in the diagram below, the new policy is created with a set of default settings, because I did not specify any settings when I created the policy. The default settings enable the blocking of file transfers, but only for files with specific extensions, not for all file transfers.
Modifying Policies
You can also modify policies by using the Lync Server Control Panel and the Lync Server Management Shell. In this example, I modify the File Filter – Hub Site policy that I created above such that all file transfers are blocked.
To do so using the Lync Server Control Panel, I would do the following:
- Click on IM and Presence.
- Select the Hub Site policy, click Edit, and then click Show details.
- On the Edit File Filter – Hub Site window, change the drop down under File Transfers to Block all, and then click Commit.
To do the same using the Lync Server Management Shell, I would use the following command:
Set-CsFileTransferFilterConfiguration -Identity site:"Hub Site" -Action BlockAll
As you can see in the diagram below, the policy is modified to block all file transfers:
Deleting Policies
The process to delete policies is quite straightforward as well. Like all else in Lync, you can do this by using the Lync Server Control Panel and the Lync Server Management Shell. Here's an example of using the Lync Server Control Panel to delete the File Filter policy I created above.
- Click on IM and Presence.
- Select the Hub Site policy.
- Click Edit and then click Delete.
- On the confirmation dialog box, click OK.
To do the same using the Lync Server Management Shell, I would use the following command:
Remove-CsFileTransferFilterConfiguration -Identity site:"Hub Site"
Tag Level Policies
So far, I've talked about global level and site level policies. To be complete, I want to touch on tag level policies. As mentioned above, tags are settings that can be applied to a single user or to a group of users. In this example, I am going to create a new Presence policy and apply it to a specific user. I will then expand the application of the policy to all users that are located in a particular organizational unit.
First, I will create a new Presence policy. To create the presence policy, I use the following command in the Lync Server Management Shell:
New-CsPresencePolicy -Identity "TorontoPresencePolicy" -MaxPromptedSubscriber 400 -MaxCategorySubscription 500
Next, I will grant this new policy to a single user, called User1. To grant the new presence policy, I use the following command in the Lync Server Management Shell:
Grant-CsPresencePolicy -Identity "User1" -PolicyName "TorontoPresencePolicy"
Lastly, I will grant this new policy to all users within an organizational unit called Toronto. To grant the new policy to all users in the Toronto OU, I use the following command in the Lync Server Management Shell:
Get-CsUser -OU "OU=Toronto,dc=lynclab2,dc=local" | Grant-CsPresencePolicy -PolicyName "TorontoPresencePolicy"
After doing so, I get a warning that User1 was not changed. This is because User1 is in the Toronto OU, and I previously granted the policy to User1.
The above command first 'gets' all users that are in the Toronto OU, and then pipes those results to the Grant cmdlet, so that the policy is granted/applied to all users within the Toronto OU at this time. It's important to note that this is a point-in-time action. As users are added to and/or removed from this OU, the granting of the policy WILL NOT be updated automatically.
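Because the grant is point-in-time, OU membership and policy assignment drift apart over time. The following is an added example, not part of the original post, that reports the drift in both directions and previews the corrective grant; it assumes the PresencePolicy and Identity properties of the user objects render as the policy name and the distinguished name when converted to strings.

```powershell
# Added example (not from the original post). Run in the Lync Server Management Shell.
$ou     = 'OU=Toronto,dc=lynclab2,dc=local'   # OU used in the post
$policy = 'TorontoPresencePolicy'             # tag-level policy created in the post

# Users now in the OU who were added after the last grant (policy missing).
# Assumption: PresencePolicy converts to the policy name as a string.
$missing = @(Get-CsUser -OU $ou |
    Where-Object { "$($_.PresencePolicy)" -ne $policy })

# Users who still hold the policy but are no longer under the OU.
# Assumption: Identity converts to the user's distinguished name.
$stale = @(Get-CsUser |
    Where-Object {
        "$($_.PresencePolicy)" -eq $policy -and
        "$($_.Identity)" -notlike "*,$ou"
    })

"{0} user(s) in the OU do not have {1}:" -f $missing.Count, $policy
$missing | Select-Object DisplayName, SipAddress, PresencePolicy

"{0} user(s) outside the OU still have {1}:" -f $stale.Count, $policy
$stale | Select-Object DisplayName, SipAddress, Identity

# Preview the corrective grant without changing anything.
# Remove -WhatIf to apply it once the list has been reviewed.
$missing | Grant-CsPresencePolicy -PolicyName $policy -WhatIf
```

Running this on a schedule (for example, as a daily task) turns the one-off grant into a repeatable check; whether users in the second list should keep the policy is a decision for the administrator, so the script only reports them.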