Rejoice Lync Administrators! Gone are the days of out-of-band provisioning (Group Policy) and utilizing in-band-provisioning (connecting to the server and getting custom settings). This is great news as many companies have machines that are either domain-joined and/or are outside of the network. Deploying Group Policies are not viable for non-domain joined machines and are possible to mobile workers if you are using Direct Access. But, with Lync 2010, you won’t have to worry about either. Because Group Policies for Lync 2010 Client Settings have now been moved to in-band provisioning. Lync 2010 uses the Lync Management Shell (LMS) to manage these in-band settings utilizing commands with the following noun: CSClientPolicy*. Commands with this noun include:
The main commands will will look at are the first four commands.
The biggest thing to note about Client Policies, is that they can be configured at three different levels. These levels include:
- User Level
- Site Level
- Global Level
By default, user policies are set at the Global Level. Unfortunately, the Get-CSClientPolicy -Identity User, does not show anything other than the user set policies. So let’s say I want to see what I am assigned. I can run the following command:
Get-CSUser “Shudnow, Elan”
VoicePolicy : ChicagoVoicePolicy
ClientPolicy : ChicagoClientPolicy
PinPolicy : ChicagoPinPolicy
If one of the variables above is $null, that doesn’t mean you are not abiding by some policy. The above will only display User Level Policies. Site Level and Global Policies are not displayed. This is because User Level Policies are readily available in Active Directory whereas the Site Level Policies and Global Policies. More information on this as well as a script that can provide more verbose information showing what policies including Site Level Policies or Global Level Policies are included here.
But by default, we can see that no policies exist other than the Global Policy by running the following command:
There are some fundamental things you should know about when managing policies on users:
- When we want to create policies, we use the New-CSClientPolicy command.
- When we want to modify policies, we use the Set-CSClientPolicy command.
- When using the Set-CSClientPolicy with no -Identity (as -Identity is actually Optional), the Global Policy is modified.
- When using the Set-CSClientPolicy with the -Identity specified, if we want to modify or create a Site Policy, we prefice the Identity with site:. For Example: Set-CSClientPolicy -Identity site:Chicago.
- When using the Set-CSClientPolicy with the -Identity specified, if we want to modify or create a User Policy, we do not prefice the Identity. For Example: Set-CSClientPolicy -Idenitty ChicagoClientPolicy.
- When setting a client policy on a user, we use the Grant-CSClientPolicy. For Example: Grant-CsClientPolicy -Identity “Elan Shudnow” -PolicyName SalesPolicy
Let’s take a look at an example. Let’s remove the ability for my account to be able to display photos. As you can see in the following screenshot, I currently have the ability to display photos:
We need to first create the ChicagoClientPolicy. We do this by running the following command:
Now let’s re-run the command we saw in the first screenshot in this article to verify we see both a Global Policy as well as our new ChicagoClientPolicy.
I will run the following two commands command to remove the ability to Display Photos for our new ChicagoClientPolicy and then verify the DisplayPhoto parameter is set to NoPhoto:
Now we’ll have to assign the ChicagoClientPolicy to my user account and then verify it was assigned. We do this by running the following commands:
After signing out and signing back in, voila, pictures are no longer there. Success!
But, let’s say we wanted to reverse this. You may think to yourself, can I just set the setting to Null/Remove Policy or do I have to set the property to the opposite value to reset the registry setting? Well, let’s have a look. I’m going to try to just remove the policy from my account and verify that and then see if that takes care of it. I’ll do this by running the following command:
After signing out and signing back in, voila, pictures are back. Success again!