Wednesday, 23 April 2014

Script for automatically enabling users for Lync based on AD group membership

Today a customer requested a script that enables every new member of a certain Active Directory security group for Lync Server 2013.

This turned out to be a rather easy task: a PowerShell script and a scheduled task that runs it handle the whole thing.

Here is how I did it.

Powershell script:

#
# First set some parameters
#
# Set AD Group for Lync users (between the "")
$ADGroup = "AdSecGroup"
# Set Site ID for user to register to
$SiteID = 1
#
# Script executes from here
#
# Load both modules explicitly, so the script also works under an account
# without a PowerShell profile (which is what a scheduled task gives you).
Import-Module ActiveDirectory
Import-Module Lync

# Nested groups are resolved too. Only user objects are kept, because a
# security group can also contain computers and contacts.
$Members = Get-ADGroupMember $ADGroup -Recursive | Where-Object { $_.objectClass -eq "user" }

# Resolve the registrar pool once, outside the loop. The script assumes a
# single pool in the site and refuses to run if that assumption does not hold.
$cssite = Get-CsSite $SiteID
$regpool = @(Get-CsService -Registrar | Where-Object { $_.SiteId -eq $cssite.Identity })
if ($regpool.Count -ne 1)
{
    throw "Expected exactly one registrar pool in site $SiteID, found $($regpool.Count)"
}
$poolfqdn = $regpool[0].PoolFqdn

ForEach ($user in $Members)
{
    # Look the user up once by distinguished name instead of enumerating
    # every AD user on each iteration.
    $ADUser = Get-CsAdUser -Identity $user.DistinguishedName -ErrorAction SilentlyContinue
    if ($ADUser -eq $null)
    {
        Write-Warning "$($user.SamAccountName) not found by Get-CsAdUser - skipping"
        continue
    }
    $display = $ADUser.FirstName + " " + $ADUser.LastName
    $samaccountname = $ADUser.SamAccountName

    # Check if user is already enabled for OCS/Lync
    $enabled = Get-CsUser -Filter {SamAccountName -eq $samaccountname} -ErrorAction SilentlyContinue
    if ($enabled)
    {
        # No RegistrarPool means the user is still on a legacy (OCS) pool
        if ($enabled.RegistrarPool -eq $null)
        {
            Write-Output "$display is on OCS, moving to Lync"
            Move-CsLegacyUser -Identity $ADUser.SipAddress -Target $poolfqdn -Force -Confirm:$false
            Write-Output "Successfully moved $display to Lync Server 2013"
        }
        else
        {
            Write-Output "$display is already on Lync - skipping"
        }
    }
    else
    {
        Write-Output "Enabling $display for Lync"
        # SipAddressType EmailAddress requires the AD mail attribute to be set.
        # A failure is reported for that user instead of aborting the whole run.
        try
        {
            $ADUser | Enable-CsUser -RegistrarPool $poolfqdn -SipAddressType EmailAddress -ErrorAction Stop
            Write-Output "Successfully enabled $display for Lync Server 2013"
        }
        catch
        {
            Write-Warning "Failed to enable $display ($samaccountname): $_"
        }
    }
}

The script takes all members of the Active Directory security group (resolved recursively, so members of a group that is itself a member of this group are included too) and checks whether each of them is enabled for Lync; users who are not are enabled, and legacy (pre-Lync, i.e. OCS) users are moved to the Lync pool. Two things to keep in mind. First, the script is one-way: it never disables a user who is removed from the group, so removals still have to be handled by hand. Second, membership in the group is now the only thing standing between an account and a Lync enablement, so restrict who may modify the group's membership just as you would restrict the Lync user-administration roles themselves. The script was written for a small deployment with one site and one pool in that site; for multiple sites and/or pools the pool selection has to be addressed properly.
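One way to address the multi-pool case, as an added example that is not part of the original post: instead of a single group and a single site, map one AD group per registrar pool, validate the mapping against the topology before touching any user, handle a user that ends up in two mapped groups only once, and support -WhatIf for a dry run. The group names, pool FQDNs and the function name Sync-LyncGroupMembers are placeholders.

```powershell
# Added example: one AD security group per registrar pool. Group names and
# pool FQDNs are placeholders and must be replaced with your own.
$GroupToPool = @{
    "Lync-Users-Oslo"   = "pool01.oslo.contoso.com"
    "Lync-Users-Bergen" = "pool01.bergen.contoso.com"
}

function Sync-LyncGroupMembers
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][hashtable]$Mapping)

    Import-Module ActiveDirectory
    Import-Module Lync

    # Refuse to run at all if a mapped pool is not a registrar in the topology;
    # a typo here would otherwise fail user by user halfway through the run.
    $knownPools = @(Get-CsService -Registrar | ForEach-Object { "$($_.PoolFqdn)" })
    foreach ($pool in $Mapping.Values)
    {
        if ($knownPools -notcontains $pool) { throw "Unknown registrar pool in mapping: $pool" }
    }

    # A user who is (directly or through nesting) in two mapped groups is
    # handled once, by the first group that claims them; the conflict is reported.
    $claimed = @{}
    foreach ($group in $Mapping.Keys)
    {
        $pool = $Mapping[$group]
        $members = Get-ADGroupMember $group -Recursive | Where-Object { $_.objectClass -eq "user" }
        foreach ($m in $members)
        {
            $dn = $m.DistinguishedName
            if ($claimed.ContainsKey($dn))
            {
                Write-Warning "$($m.SamAccountName) is in both '$($claimed[$dn])' and '$group'; keeping '$($claimed[$dn])'"
                continue
            }
            $claimed[$dn] = $group

            # Get-CsUser errors for a user who is not enabled; that becomes $null here.
            $cs = Get-CsUser -Identity $dn -ErrorAction SilentlyContinue
            if ($cs)
            {
                if (-not $cs.RegistrarPool)
                {
                    Write-Warning "$($m.SamAccountName) is a legacy (OCS) user; move with Move-CsLegacyUser first"
                }
                elseif ("$($cs.RegistrarPool)" -ne $pool)
                {
                    Write-Warning "$($m.SamAccountName) is on $($cs.RegistrarPool), mapping says $pool (not moved)"
                }
                continue
            }

            if ($PSCmdlet.ShouldProcess($dn, "Enable-CsUser on $pool"))
            {
                try
                {
                    Enable-CsUser -Identity $dn -RegistrarPool $pool -SipAddressType EmailAddress -ErrorAction Stop
                }
                catch
                {
                    Write-Warning "Failed to enable $($m.SamAccountName): $_"
                }
            }
        }
    }
}

# Dry run first, then for real
Sync-LyncGroupMembers -Mapping $GroupToPool -WhatIf
Sync-LyncGroupMembers -Mapping $GroupToPool
```

Users already on a pool other than the mapped one are only reported, not moved, since moving between pools is a change you want to make deliberately rather than from a nightly job.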

Scheduled task:

Start by creating a Scheduled Task, select Basic task.

Fill in the fields and click Next

Select Daily, click Next

Select time for execution (we set 05:00:00 in the morning), click Next

Select Start a program and click Next


Fill in powershell.exe in the Program field and, in the Argument field, -NoProfile -NonInteractive -File "C:\Install\Lync2013AutoenableUsers.ps1" (or the appropriate name and location of your script). -NoProfile keeps the task from loading whatever happens to be in the service account's PowerShell profile, and -NonInteractive makes a stray prompt fail the task instead of hanging it. The execution policy on the server must allow the script to run; sign the script or set RemoteSigned/AllSigned by policy rather than adding -ExecutionPolicy Bypass to the task. Click Next

Not much here really, click Finish

Now open the task and make sure it runs under an appropriate account. Prefer a dedicated service account that holds only the Lync rights the script needs (membership in the CsUserAdministrator RBAC role is enough to enable and move users) over a Domain Admin or the System account, and set the task to run whether the user is logged on or not. Remember that the script runs with that account's rights every morning, so the script file should be writable by administrators only; anyone who can edit it gets code execution as the service account.
Click OK
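The same setup from the command line, as an added example that is not part of the original post: the script file is restricted so that only Administrators and SYSTEM can write it and the task account can only read and execute it, and the daily task is registered with schtasks.exe so that the password is prompted for rather than placed on the command line. The path, task name and account name (CONTOSO\svc-lyncenable) are placeholders; the script path must not contain spaces, because the /TR value is passed unquoted.

```powershell
# Added example, not from the original post. Path, task name and account are
# placeholders. The account is assumed to be a member of the CsUserAdministrator
# role and nothing more.
$ScriptPath  = "C:\Install\Lync2013AutoenableUsers.ps1"
$TaskName    = "Lync2013AutoenableUsers"
$TaskAccount = "CONTOSO\svc-lyncenable"

# 1. Lock down the script file. Whoever can write it runs code as $TaskAccount
#    every morning, so stop inheriting from C:\Install and grant explicitly.
$acl = Get-Acl -Path $ScriptPath
$acl.SetAccessRuleProtection($true, $false)    # protected DACL, inherited ACEs dropped
foreach ($id in "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM")
{
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, "FullControl", "Allow")))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($TaskAccount, "ReadAndExecute", "Allow")))
Set-Acl -Path $ScriptPath -AclObject $acl

# 2. Register the daily 05:00 task. schtasks.exe is used instead of
#    Register-ScheduledTask so this also works on Windows Server 2008 R2;
#    "/RP *" prompts for the account's password instead of taking it as an
#    argument. The account needs the "Log on as a batch job" right.
$action = "powershell.exe -NoProfile -NonInteractive -File $ScriptPath"
schtasks.exe /Create /F /TN $TaskName /SC DAILY /ST 05:00 /RU $TaskAccount /RP * /TR $action

# 3. Verify who the task runs as and what it will execute.
schtasks.exe /Query /TN $TaskName /V /FO LIST | Select-String "Run As User", "Task To Run"

# 4. Verify the file ACL ended up as intended.
(Get-Acl -Path $ScriptPath).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Run this once from an elevated Lync Management Shell on the Front End server; steps 3 and 4 are the checks worth repeating after any later change to the task or the file.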

Now we have everything beautifully together ready for testing in the morning.



2 comments:

  1. It's ridiculous that I'd have to use a script to add and remove individuals ... isn't that the whole point of security groups? Just let me add a group called "Lync_Allowed" for who is allowed access to Lync and I'm done ... as members of the group change, permissions change.

  2. Great script as a starting point for implementing automation. If you want to advance, you will probably be looking at tools that allow you to orchestrate and integrate the whole thing into bigger processes. Here's an example of what I mean: http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomaticallyEnableUsersForLync.htm
