
Elan Shudnow's Blog


Lync 2010 Client Policies

October 28, 2010 by Elan Shudnow 37 Comments

General Information

Rejoice, Lync Administrators!  Gone are the days of out-of-band provisioning (Group Policy); Lync 2010 utilizes in-band provisioning (connecting to the server and getting custom settings).  This is great news, as many companies have machines that are not domain-joined and/or are outside of the network.  Deploying Group Policies is not viable for non-domain-joined machines, and is possible for mobile workers if you are using Direct Access.  But with Lync 2010, you won’t have to worry about either, because the Group Policies for Lync 2010 Client Settings have now been moved to in-band provisioning.  Lync 2010 uses the Lync Management Shell (LMS) to manage these in-band settings, using commands with the following noun: CSClientPolicy*.  Commands with this noun include:

  • New-CSClientPolicy
  • Get-CSClientPolicy
  • Set-CSClientPolicy
  • Grant-CSClientPolicy
  • Remove-CSClientPolicy
  • New-CSClientPolicyEntry

The main commands we will look at are the first four.

The biggest thing to note about Client Policies, is that they can be configured at three different levels.  These levels include:

  • User Level
  • Site Level
  • Global Level

By default, user policies are set at the Global Level.  Unfortunately, Get-CSClientPolicy -Identity User does not show anything other than the policies set on the user. So let’s say I want to see what I am assigned.  I can run the following command:

Get-CSUser "Shudnow, Elan"

VoicePolicy                       : ChicagoVoicePolicy
ConferencingPolicy                :
PresencePolicy                    :
DialPlan                          :
LocationPolicy                    :
ClientPolicy                      : ChicagoClientPolicy
ClientVersionPolicy               :
ArchivingPolicy                   :
PinPolicy                         : ChicagoPinPolicy
ExternalAccessPolicy              :
HostedVoiceMail                   :
HostedVoicemailPolicy             :

If one of the properties above is $null, that doesn’t mean you are not abiding by some policy.  The above will only display User Level Policies.  Site Level and Global Policies are not displayed.  This is because User Level Policies are readily available in Active Directory, whereas the Site Level Policies and Global Policies are not.  More information on this, as well as a script that provides more verbose information showing which policies apply, including Site Level Policies or Global Level Policies, is available here.
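
The fallback described above (a user-level policy if one is granted, otherwise the site's policy, otherwise Global) can be resolved in the Lync Management Shell as follows. This is an added example, not the script linked from this post; the function name Get-EffectiveCsClientPolicy is hypothetical, and it assumes the user's site is the one hosting their registrar pool and that Get-CsPool reports it in the form Site:<name>.

```powershell
# Added example: resolve which client policy is in effect for one user.
# Run from the Lync Server Management Shell. The function name is hypothetical.
function Get-EffectiveCsClientPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    $user = Get-CsUser -Identity $Identity -ErrorAction Stop

    # Default: nothing more specific applies, so the Global policy is in effect.
    $scope  = 'Global'
    $policy = Get-CsClientPolicy -Identity Global

    if ($user.ClientPolicy) {
        # A per-user policy granted with Grant-CsClientPolicy takes precedence.
        $scope  = 'User'
        $policy = Get-CsClientPolicy -Identity ([string]$user.ClientPolicy)
    }
    elseif ($user.RegistrarPool) {
        # Assumption: Get-CsPool reports the Lync site as "Site:<name>",
        # which matches the Identity of a site-scoped client policy.
        $site = [string](Get-CsPool -Identity ([string]$user.RegistrarPool)).Site
        # Filter the full list so a site without its own policy falls
        # through to Global without raising an error.
        $sitePolicy = Get-CsClientPolicy | Where-Object { $_.Identity -eq $site }
        if ($sitePolicy) {
            $scope  = 'Site'
            $policy = $sitePolicy
        }
    }

    # New-Object keeps this compatible with PowerShell 2.0.
    New-Object PSObject -Property @{
        User         = $user.DisplayName
        Scope        = $scope
        Policy       = $policy.Identity
        DisplayPhoto = $policy.DisplayPhoto
    }
}

Get-EffectiveCsClientPolicy -Identity "Shudnow, Elan" |
    Format-List User, Scope, Policy, DisplayPhoto
```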

But by default, we can see that no policies exist other than the Global Policy by running the following command:

Get-CsClientPolicy | FL Identity

There are some fundamental things you should know about when managing policies on users:

  • When we want to create policies, we use the New-CSClientPolicy command.
  • When we want to modify policies, we use the Set-CSClientPolicy command.
  • When using the Set-CSClientPolicy with no -Identity (as -Identity is actually Optional), the Global Policy is modified.
  • When using the Set-CSClientPolicy with the -Identity specified, if we want to modify or create a Site Policy, we prefix the Identity with site:.  For Example: Set-CSClientPolicy -Identity site:Chicago.
  • When using the Set-CSClientPolicy with the -Identity specified, if we want to modify or create a User Policy, we do not prefix the Identity. For Example: Set-CSClientPolicy -Identity ChicagoClientPolicy.
  • When setting a client policy on a user, we use the Grant-CSClientPolicy.  For Example: Grant-CsClientPolicy -Identity "Elan Shudnow" -PolicyName SalesPolicy

Example

Let’s take a look at an example.  Let’s remove the ability for my account to be able to display photos.  As you can see in the following screenshot, I currently have the ability to display photos:

We need to first create the ChicagoClientPolicy.  We do this by running the following command:

New-CSClientPolicy -Identity ChicagoClientPolicy

Now let’s re-run the command we saw in the first screenshot in this article to verify we see both a Global Policy as well as our new ChicagoClientPolicy.

Get-CsClientPolicy | FL Identity

I will run the following two commands to remove the ability to Display Photos for our new ChicagoClientPolicy and then verify the DisplayPhoto parameter is set to NoPhoto:

Set-CSClientPolicy -Identity ChicagoClientPolicy -DisplayPhoto NoPhoto
Get-CSClientPolicy -Identity ChicagoClientPolicy | Format-List DisplayPhoto

Now we’ll have to assign the ChicagoClientPolicy to my user account and then verify it was assigned.  We do this by running the following commands:

Grant-CSClientPolicy -Identity "Shudnow, Elan" -PolicyName ChicagoClientPolicy
Get-CSUser -Identity "Shudnow, Elan" | FL ClientPolicy

After signing out and signing back in, voila, pictures are no longer there.  Success!

But, let’s say we wanted to reverse this.  You may think to yourself, can I just set the setting to Null/Remove Policy or do I have to set the property to the opposite value to reset the registry setting?  Well, let’s have a look.  I’m going to try to just remove the policy from my account, verify that, and then see if that takes care of it.  I’ll do this by running the following commands:

Grant-CSClientPolicy -Identity "Shudnow, Elan" -PolicyName $Null
Get-CSUser -Identity "Shudnow, Elan" | FL ClientPolicy

After signing out and signing back in, voila, pictures are back.  Success again!


Comments

  1. Jose says

    April 11, 2014 at 9:01 am

    Great article, thank you.
    I tried this with my server by changing my team to a different policy that has the rule: DisplayPhoto : PhotosFromADOnly
    The problem is that it does not change the picture for people that had a picture in their profile already, do you know how to fix that?

  2. Faith quotes says

    April 15, 2013 at 9:32 am

    I added your blog to favorites Looking for more update.

  3. dumpster rental atlanta ga says

    December 27, 2012 at 10:25 am

    Please let me know if you’re looking for an article writer for your blog. You have some really great articles and I believe I would be a good asset. If you ever want to take some of the load off, I’d absolutely love to write some articles for your blog in exchange for a link back to mine. Please shoot me an e-mail if interested. Regards!

  4. Gordon S says

    December 17, 2012 at 9:38 am

    Great article, Elan. I've been trying to work out if I could use these commands to prevent users changing their photo. We have an on-premise solution, not O365, and I have discovered there is no easy "GPO" for this.

    As you'd expect, almost immediately after the roll-out the users went mad changing their settings, photos etc. We want everyone to keep their AD photo so it's consistent with Outlook etc.

    I'm a novice with PowerShell so was looking for a GUI but happy to give it a go :)

  5. Faisal says

    October 3, 2012 at 4:05 pm

    Hello Élan,
    Please help!
    My Lync 2010 client does not show the phone/dialpad icon. My users are enabled for enterprise voice. I have tested on Windows 2008 R2 and Vista BE platforms. Tried to see if there is anything in client policy but could not figure it out.

    Thanks in advance!
    Faisal

    • Elan Shudnow says

      October 3, 2012 at 4:51 pm

      I've seen this when a custom Group Policy for OCS was pushed out to machines and enabled the use of something called TelephonyMode. See Jeff Schertz post here: http://social.technet.microsoft.com/Forums/en-US/…

      That is where I would start troubleshooting. I would set this to 0 and let the in-band settings from Lync take effect.

  6. matt says

    July 25, 2012 at 10:53 am

    Very well written and useful – thank you for posting this. I have a customer with Office 365 Lync installed, and the CS-clientpolicy cmdlets are not available. Are the GPOs that used to provide this functionality still available?

  7. Robert G says

    July 21, 2011 at 4:26 pm

    Is there any way to restrict who is allowed to send somebody a Lync IM? For example, can we restrict who is allowed to send our CEO IMs? Would be great if there was a setting that only people in his contact list are able to IM him.

    Thanks

    • Elan Shudnow says

      July 28, 2011 at 8:25 pm

      This is possible with custom development by building an MSPL Application using the Ethical Firewall API.

      A sample is here and the API really hasn't changed from OS to Lync: http://www.microsoft.com/downloads/en/details.asp…

  8. Ken says

    March 21, 2011 at 12:11 pm

    Elan,

    Hopefully you can help me with some bit of information I must be missing. I understand that the global policies are default and I know when the user policies are in use as well. I have been trying to use site policies without much success in being able to determine that a particular site policy is in use, i.e. 7 sites and the need to assign a related site policy to all users at that site. I have basically decided to use user policies to ensure the assignments are correct, but for the next project it would be helpful to understand how/where a site policy is assigned to a user.

    Thanks in advance for any insight anyone has on this.

    • Elan Shudnow says

      April 17, 2011 at 4:28 pm

      Keep in mind that these Site Policies are not AD Site Policies. If you look in the Lync Topology Builder, there are Central Sites and Branch Sites that connect to Central Sites. This is what the policies are assigned to. If you have PoolA and PoolB assigned to SiteA, then if you apply the policy to SiteA, it applies to both PoolA and PoolB.

  9. Ashton says

    March 10, 2011 at 3:40 pm

    Oops! Sorry Tim. I meant to post this link.
    http://technet.microsoft.com/en-us/library/gg4259…

    It is possible to disable saving IMs.

  10. Ashton says

    March 10, 2011 at 3:35 pm

    Tim,

    Check it out on TechNet. I had no idea that it could be configured this way.
    http://technet.microsoft.com/en-us/library/gg4129…

  11. Tim says

    February 15, 2011 at 9:43 am

    Good morning,
    Thanks for your wonderful post!!!! Can you assist me with something that's been troubling me? I need to disable the feature in the Lync client that allows the users in my environment to "Save instant message conversations in my email Conversation history folder".

    Can this be done through the Lync Management Shell or does it have to be done through a GPO? My company doesn't want users to be able to save their instant messages.

    Thanks in advance.

  12. Francesco says

    January 13, 2011 at 2:48 pm

    Hi Elan, I'm reading the Lync Server 2010 documentation about the Client Ports in the "Determining your infrastructure requirements …" document. I cannot understand why the "Required client ports" is inserted in the "..Internal server " section.
    In the descriptions of the client ports I read, for example, "Used for client-to-server SIP traffic for external user access" … but if these ports must be opened (on the firewall ??) for "external user access", why are they in the *Internal Server section*?
    Thanks a lot in advance,
    Francesco

  13. Jose says

    January 6, 2011 at 4:11 pm

    Hi Elan,

    How do I apply a setting by policy to a group of users (Lync enabled users)?

    Regards.

    • Julia says

      April 11, 2011 at 12:31 pm

      Jose,

      It's been several weeks since you posted your question, so I'm not sure if you ever found an answer to your question on assigning a policy to a Group, but I had the same question and found this blog with information you may find useful… just thought I'd share in case someone else has the same question.
      https://blogs.technet.com/b/csps/archive/2010/06/…

  14. Martin says

    December 8, 2010 at 11:22 pm

    Hi, do you know where I can find the list of parameters I can use in Lync 2010?
    Thanks.

    • Elan Shudnow says

      December 9, 2010 at 12:01 am

      http://technet.microsoft.com/en-us/library/gg3983…

  15. Dave Harris says

    December 7, 2010 at 11:52 am

    Great work Elan, thank you!

  16. Sachin says

    December 6, 2010 at 3:44 pm

    Great information. Is it possible to apply more than one user client policy to the same user? As an example, one user client policy has different settings and another one has another setting. Can both user policies get aggregated and apply a resultant set of policy (like GPO)? I see that in the GUI it is not possible; it might be possible using the Lync Shell but I'm not 100% sure.

    • Jamie Schwinn says

      December 7, 2010 at 3:19 pm

      Sachin,

      Policy is not cumulative like AD Group Policy. Only 1 policy will apply.

  17. @jdscher says

    December 4, 2010 at 6:54 am

    Geoff, the process is a migration but a shared SIP domain namespace can be used during the migration. An 'upgrade' typically refers to in-place upgrade of individual servers which is not the case with any Communications/Lync Server release.

  18. Andy says

    November 9, 2010 at 12:50 pm

    Elan,

    Good to see you are still posting great articles. A while back you helped me out with an OCS R2 issue. I was hoping you may be able to help with a new question?

    It is tentatively related to the above.

    We have OCS 2007 R2 deployed with the SIP domain of sip1.net and the AD domain of ad1.net. If I want to upgrade to Lync 2010, is it possible to deploy the Lync server into the same SIP domain or do I need to create/use a separate SIP domain for Lync?

    Thanks.

    • Elan Shudnow says

      November 18, 2010 at 9:49 am

      Yes, that'll be fine. You never have to create new SIP Domains when upgrading.

