A lot of companies nowadays use Microsoft Lync for their internal messaging and video conferencing. It saves them a lot of time and travel, and it makes it easier to contact a colleague for a short question.

To actually use Lync, a user has to be enabled with a series of PowerShell commands from the Lync Server 2013 cmdlets. This blogpost gives NetIQ users some hints and tips on how to automate that enabling. It does not tell you how to configure Lync itself.

Consider the situation where you use NetIQ Identity Manager to create AD accounts for new employees. You would want Identity Manager to enable the user for Lync as well. How can we accomplish this? We already know that NetIQ Identity Manager 4.0.2 ships with a lot of drivers for connected systems, for example Google Apps, Salesforce.com and Office 365, but there is no Lync driver.

One of the possible solutions is the NetIQ Scripting driver (you need a separate license for this driver). The Scripting driver can start scripts from the event-based model of NetIQ Identity Manager: the driver captures events in Identity Manager and sends them to a so-called Remote Loader on the Windows host, which runs the PowerShell script that corresponds to the event (add.ps1, modify.ps1 etc.). Keep in mind that those scripts run under the account the Remote Loader service runs as, so that account needs exactly the rights the scripts use, and no more.

When a new employee enters the company, he or she is added to Identity Manager. An AD account is created for this user, and we want to enable Lync as well. Here we have our first challenge: the Lync enable only works once the Domain Controllers (DCs) have replicated the new account to the DC the Lync server talks to. If the account is not visible there yet, enabling it fails.

There are several ways in which we can accomplish this and it will depend on your situation which one is best. For example:
– You can just use a delay in the scripting driver
– You can use the workorder driver to delay the enable actions
– You can use workflows / entitlements and approvals to delay the enable actions

For this example we use the easiest solution, the delay in the driver. This is quickly implemented and can be a good solution for companies that only have one or two new employees a day. The catch is that a driver processes events sequentially, so the delay adds up: with 20 new employees on one day it takes 20*[delay] before the last one is enabled.

First of all we need to make sure that the account actually exists in AD. This can be done by filtering the Lync driver on the attributes the AD driver writes back once the account is created, DirXML-ADAliasName or the AD entry in DirXML-Associations. You can also use a password sync event for this. Again, this will depend on your actual implementation.

When the AD account exists, we use the modify of one of those attributes to start the processing by the Lync driver. First we implement the sleep we talked about. The DirXML policy for this is:

<!-- java.lang.Thread.sleep() takes milliseconds and blocks the driver's event thread for the whole delay -->
<do-set-local-variable name="sleep-result" scope="policy">
<arg-string>
<token-xpath expression="java.lang.Thread:sleep($x_delay)"/>
</arg-string>
</do-set-local-variable>

where $x_delay is configured as a Global Configuration Value (GCV) holding the delay in milliseconds. Because the sleep blocks the driver thread, every event behind it in the queue waits as well, which is the sequential behaviour described above.

When the sleep has ended, let the driver send the attribute values to the Remote Loader, where the script reads them with idm_geteventvalue:

$classname = idm_geteventvalue "CLASS_NAME"
$cn = idm_geteventvalue "CN"
$uniqueID = idm_geteventvalue "uniqueID"
$uri = idm_geteventvalue "connectionUri"
$pool = idm_geteventvalue "RegistrarPool"
$policy =  idm_geteventvalue "Policy"
$sourceDN = idm_geteventvalue "SRC_DN"

As you can see, the connectionUri and Policy are configured in the Scripting driver (as Global Configuration Values) and sent along to the Remote Loader together with the user's attributes.

Now we have to do the following using the script:

  1. Open a session
  2. Enable the user for Lync Server
  3. Grant a policy to the user
  4. Close the session

This can be done using the following commands:
1. $CSSession = New-PSSession -ConnectionUri "$uri" -Authentication NegotiateWithImplicitCredential -ErrorAction SilentlyContinue
   if ($CSSession) { Import-PSSession $CSSession }
2. Enable-CsUser -Identity $uniqueID -RegistrarPool "$pool" -SipAddressType EmailAddress
3. Grant-CsClientPolicy -Identity $uniqueID -PolicyName $policy
4. Remove-PSSession $CSSession

Two remarks on step 1. NegotiateWithImplicitCredential means the session authenticates as the account the Remote Loader service runs under, so give that account a scoped Lync RBAC role that covers just these cmdlets (CsUserAdministrator is enough for Enable-CsUser and Grant-CsClientPolicy) rather than a full CsAdministrator role. And -ErrorAction SilentlyContinue hides why a connection failed; if $CSSession is empty, steps 2 and 3 fail with a far less useful error than the original one, so at least log $Error[0] in that case.

It can be wise to put a sleep (Start-Sleep -Seconds 10) between step 2 and 3, so that the newly enabled user is visible to Lync before the policy is granted.
At the end of the script we want to report success back to Identity Manager so that it can add an association. Note that $LASTEXITCODE is only set by native executables; PowerShell cmdlets such as Enable-CsUser report failure through $? (or through an exception when run with -ErrorAction Stop), and $? only refers to the command that ran directly before it. So capture it straight after the Grant-CsClientPolicy call of step 3, or wrap the Lync cmdlets in try/catch:

# $? refers to the previous command only: read it right after Grant-CsClientPolicy (step 3)
$lyncOk = $?
Remove-PSSession $CSSession
if ($lyncOk) {
idm_setcommand "ADD_ASSOCIATION"
idm_writevalue "ASSOCIATION" "$cn"
idm_writevalue "DEST_DN" "$sourceDN"
idm_statussuccess "Add event succeeded"
}
else {
idm_statuserror "Add event failed: $($Error[0])"
}
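Putting steps 1 to 4 and the status reporting together, here is a complete enable script as an added example (this is not the script from the original post or from NetIQ). It uses the idm_* library functions and the event value names from the post (CN, uniqueID, connectionUri, RegistrarPool, Policy, SRC_DN) and assumes those library functions are already loaded, as they are in the post. The input validation, the -ErrorAction Stop / try/catch error handling, the Import-PSSession command list, the poll with Get-CsUser that replaces the fixed 10-second sleep, and the retry limits are my own assumptions.

```powershell
# Added example: a complete Lync enable script for the NetIQ Scripting driver.
# Assumes the driver's idm_* functions are loaded and that the Remote Loader service
# account holds a Lync RBAC role that permits Enable-CsUser and Grant-CsClientPolicy.

$cn       = idm_geteventvalue "CN"
$uniqueID = idm_geteventvalue "uniqueID"
$uri      = idm_geteventvalue "connectionUri"
$pool     = idm_geteventvalue "RegistrarPool"
$policy   = idm_geteventvalue "Policy"
$sourceDN = idm_geteventvalue "SRC_DN"

# Assumed: refuse to call Lync with empty values instead of producing a half-enabled user.
$required = @{ uniqueID = $uniqueID; connectionUri = $uri; RegistrarPool = $pool }
foreach ($pair in $required.GetEnumerator()) {
    if ([string]::IsNullOrWhiteSpace($pair.Value)) {
        idm_statuserror "Add event failed: missing value for $($pair.Key)"
        return
    }
}

$CSSession = $null
try {
    # -ErrorAction Stop makes a failed connection a catchable exception instead of an
    # empty $CSSession that only breaks the later cmdlets.
    $CSSession = New-PSSession -ConnectionUri $uri `
        -Authentication NegotiateWithImplicitCredential -ErrorAction Stop
    # Import only the cmdlets this script needs.
    Import-PSSession -Session $CSSession `
        -CommandName Enable-CsUser, Get-CsUser, Grant-CsClientPolicy `
        -AllowClobber -ErrorAction Stop | Out-Null

    Enable-CsUser -Identity $uniqueID -RegistrarPool $pool `
        -SipAddressType EmailAddress -ErrorAction Stop

    # Assumed propagation check: poll (at most 6 x 10 s) until the user is visible as
    # enabled, rather than sleeping a fixed 10 seconds between steps 2 and 3.
    $enabled = $false
    for ($i = 0; $i -lt 6 -and -not $enabled; $i++) {
        Start-Sleep -Seconds 10
        $u = Get-CsUser -Identity $uniqueID -ErrorAction SilentlyContinue
        if ($u -and $u.Enabled) { $enabled = $true }
    }
    if (-not $enabled) {
        throw "User $uniqueID not visible as Lync-enabled after 60 seconds"
    }

    # Policy is optional in this example; an empty GCV skips the grant.
    if (-not [string]::IsNullOrWhiteSpace($policy)) {
        Grant-CsClientPolicy -Identity $uniqueID -PolicyName $policy -ErrorAction Stop
    }

    # Success: hand the association back so IDM links the Lync identity to the user object.
    idm_setcommand "ADD_ASSOCIATION"
    idm_writevalue "ASSOCIATION" $cn
    idm_writevalue "DEST_DN" $sourceDN
    idm_statussuccess "Add event succeeded: $uniqueID enabled on $pool"
}
catch {
    # Cmdlet failures arrive here as exceptions (cmdlets never set $LASTEXITCODE).
    idm_statuserror ("Add event failed for {0}: {1}" -f $uniqueID, $_.Exception.Message)
}
finally {
    if ($CSSession) { Remove-PSSession $CSSession }
}
```

Because every Lync cmdlet runs with -ErrorAction Stop, a failure anywhere in the chain ends up in the catch block with the real error message, the association is only written when the whole chain succeeded, and the finally block guarantees the remote session is closed either way.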

Well, there you have it: a Lync-enabled account, an association on the user object in Identity Manager and, last but not least, a happy employee, because there is no need to request basic functionality via portals and/or the servicedesk.