RSS Subscription 167 Posts and 2,643 Comments

Lync 2010 Client Policies

General Information

Rejoice Lync Administrators!  Gone are the days of out-of-band provisioning (Group Policy) and utilizing in-band-provisioning (connecting to the server and getting custom settings).  This is great news as many companies have machines that are either domain-joined and/or are outside of the network.  Deploying Group Policies are not viable for non-domain joined machines and are possible to mobile workers if you are using Direct Access.  But, with Lync 2010, you won’t have to worry about either.  Because Group Policies for Lync 2010 Client Settings have now been moved to in-band provisioning.  Lync 2010 uses the Lync Management Shell (LMS) to manage these in-band settings utilizing commands with the following noun: CSClientPolicy*.  Commands with this noun include:

  • New-CSClientPolicy
  • Get-CSClientPolicy
  • Set-CSClientPolicy
  • Grant-CSClientPolicy
  • Remove-CSClientPolicy
  • New-CSClientPolicyEntry

The main commands will will look at are the first four commands.

The biggest thing to note about Client Policies, is that they can be configured at three different levels.  These levels include:

  • User Level
  • Site Level
  • Global Level

By default, user policies are set at the Global Level.  Unfortunately, the Get-CSClientPolicy -Identity User, does not show anything other than the user set policies. So let’s say I want to see what I am assigned.  I can run the following command:

Get-CSUser “Shudnow, Elan”

VoicePolicy                       : ChicagoVoicePolicy
ConferencingPolicy                :
PresencePolicy                    :
DialPlan                          :
LocationPolicy                    :
ClientPolicy                      : ChicagoClientPolicy
ClientVersionPolicy               :
ArchivingPolicy                   :
PinPolicy                         : ChicagoPinPolicy
ExternalAccessPolicy              :
HostedVoiceMail                   :
HostedVoicemailPolicy             :

If one of the variables above is $null, that doesn’t mean you are not abiding by some policy.  The above will only display User Level Policies.  Site Level and Global Policies are not displayed.  This is because User Level Policies are readily available in Active Directory whereas the Site Level Policies and Global Policies.  More information on this as well as a script that can provide more verbose information showing what policies including Site Level Policies or Global Level Policies are included here.

But by default, we can see that no policies exist other than the Global Policy by running the following command:

Get-CsClientPolicy | FL Identity

There are some fundamental things you should know about when managing policies on users:

  • When we want to create policies, we use the New-CSClientPolicy command.
  • When we want to modify policies, we use the Set-CSClientPolicy command.
  • When using the Set-CSClientPolicy with no -Identity (as -Identity is actually Optional), the Global Policy is modified.
  • When using the Set-CSClientPolicy with the -Identity specified, if we want to modify or create a Site Policy, we prefice the Identity with site:.  For Example: Set-CSClientPolicy -Identity site:Chicago.
  • When using the Set-CSClientPolicy with the -Identity specified, if we want to modify or create a User Policy, we do not prefice the Identity. For Example: Set-CSClientPolicy -Idenitty ChicagoClientPolicy.
  • When setting a client policy on a user, we use the Grant-CSClientPolicy.  For Example: Grant-CsClientPolicy -Identity “Elan Shudnow” -PolicyName SalesPolicy

Example

Let’s take a look at an example.  Let’s remove the ability for my account to be able to display photos.  As you can see in the following screenshot, I currently have the ability to display photos:

We need to first create the ChicagoClientPolicy.  We do this by running the following command:

New-CSClientPolicy -Identity ChicagoClientPolicy

Now let’s re-run the command we saw in the first screenshot in this article to verify we see both a Global Policy as well as our new ChicagoClientPolicy.

Get-CsClientPolicy | FL Identity

I will run the following two commands command to remove the ability to Display Photos for our new ChicagoClientPolicy and then verify the DisplayPhoto parameter is set to NoPhoto:

Set-CSClientPolicy -Identity ChicagoClientPolicy -DisplayPhoto NoPhoto
Get-CSClientPolicy -Identity ChicagoClientPolicy | Format-List DisplayPhoto

Now we’ll have to assign the ChicagoClientPolicy to my user account and then verify it was assigned.  We do this by running the following commands:

Grant-CSClientPolicy -Identity “Shudnow, Elan” -PolicyName ChicagoClientPolicy
Get-CSUser -Identity “Shudnow, Elan” | FL ClientPolicy

After signing out and signing back in, voila, pictures are no longer there.  Success!

But, let’s say we wanted to reverse this.  You may think to yourself, can I just set the setting to Null/Remove Policy or do I have to set the property to the opposite value to reset the registry setting?  Well, let’s have a look.  I’m going to try to just remove the policy from my account and verify that and then see if that takes care of it.  I’ll do this by running the following command:

Grant-CSClientPolicy -Identity “Shudnow, Elan” -PolicyName $Null
Get-CSUser -Identity “Shudnow, Elan” | FL ClientPolicy

After signing out and signing back in, voila, pictures are back.  Success again!

Share

36 Responses to “Lync 2010 Client Policies”

  1. [...] Lync 2010 Client Policies | Elan Shudnow’s Blog Posted on October 28, 2010 by johnacook http://www.shudnow.net/2010/10/28/lync-2010-client-policies/ [...]

  2. [...] This post was mentioned on Twitter by John A Cook, Tim Harrington and Elan Shudnow, Mark Hickson. Mark Hickson said: Lync 2010 Client Policies | Elan Shudnow's Blog http://goo.gl/ga3X #lync #ucoms #ocs [...]

  3. on 09 Nov 2010 at 12:50 pmAndy

    Elan,

    Good to see you are still posting great articles. A while back you helped me out with an OCS R2 issue. I was hoping you maybe be able to help with a new question?

    It is tentatively related to the above.

    We have OCS 2007 R2 deployed with the sip domain of sip1.net and the AD domain or ad1.net. If i want to upgrade to lync 2010 is it possible to deploy the lync server into the same sip domain or do i need to create/use a separate sip domain for lync?

    Thanks.

  4. on 18 Nov 2010 at 9:49 amElan Shudnow

    Yes, that'll be fine. You never have to create new SIP Domains when upgrading.

  5. [...] Client Policies: http://www.shudnow.net/2010/10/28/lync-2010-client-policies/ [...]

  6. [...] Client Policies: http://www.shudnow.net/2010/10/28/lync-2010-client-policies/ [...]

  7. on 04 Dec 2010 at 6:54 am@jdscher

    Geoff, the process is a migration but a shared SIP domain namespace can be used during the migration. An 'upgrade' typically refers to in-place upgrade of individual servers which is not the case with any Communications/Lync Server release.

  8. on 06 Dec 2010 at 3:44 pmSachin

    Great information, is it possible to apply more than one user client policy to same user? as an example, one user client policy has different settings and another one has another setting. can both user policy get agreegated and apply resultant set of policy (like GPO). I see that in GUI, it is not possible might be possible using Lync Shell but not 100 % sure.

  9. on 07 Dec 2010 at 11:52 amDave Harris

    Great work Elan, thank you!

  10. on 07 Dec 2010 at 3:19 pmJamie Schwinn

    Sachin,

    Policy is not cumulative like AD Group Policy. Only 1 policy will apply.

  11. on 08 Dec 2010 at 11:22 pmMartin

    Hi, do you know where I can find the list of parameters I can use in Lync 2010?
    Thanks.

  12. on 09 Dec 2010 at 12:01 amElan Shudnow

    http://technet.microsoft.com/en-us/library/gg3983

  13. [...] The intention is that we use the in-band-provisioning, which is great, and you’ll find a nice article on Elan Shudnow’s blog. [...]

  14. on 06 Jan 2011 at 4:11 pmJose

    Hi Elan,

    How do i apply a setting by policy to a group of users (Lync enabled users)?

    Regards.

  15. on 13 Jan 2011 at 2:48 pmFrancesco

    Hi Helan, i'm reading the Lync Server 2010 documentation about the Client Ports in the "Determining your infrastructure requirements …" document. I cannot understand why the "Required client ports" is inserted in the "..Internal server " section.
    In the descriptions of the client ports i read for example "Used for client-to-server SIP traffic for external user access" … but if these ports must be opened (on the firewall ??) for "external user access" ..why they are in *Internal Server section* ?
    Thanks a lot in advance,
    Francesco

  16. on 15 Feb 2011 at 9:43 amTim

    Good morning,
    Thanks for your wonderful post!!!! Can you assist me with something that's been troubling me? I need to disable the feature in the Lync client that allows the users in my environment to "Save instant message conversations in my email Conversation history folder".

    Can this be done through the Lync management shell or does it have to be done through a GPO. My company doesn't want user's to be able to save their instant messages.

    Thanks in advance.

  17. on 10 Mar 2011 at 3:35 pmAshton

    Tim,

    Check it out on TechNet. I had no idea that it could be configured this way.
    http://technet.microsoft.com/en-us/library/gg4129

  18. on 10 Mar 2011 at 3:40 pmAshton

    Oops! Sorry Tim. I meant to post this link.
    http://technet.microsoft.com/en-us/library/gg4259

    It is possible to disable saving IMs.

  19. on 21 Mar 2011 at 12:11 pmKen

    Elan,

    Hopefully you can help me with some bit of information I must be missing. I understand that the global policies are default and I know when the user poliices are in use as well. I have been trying to use site policies without much success in being able to determine that a particular site policy is in use. ie… 7 sites and the need to assign a related site policy to all users at that site. I have basically decided to use user policies to ensure the assignments are correct, but for the next project it would be helpful to understand how/where a site policy is assigned to a user.

    Thanks in advance to any insight anyhone has on this.

  20. on 11 Apr 2011 at 12:31 pmJulia

    Jose,

    It been several weeks since you posted your question, so I'm not sure if you ever found an answer to your question on assigning a policy to a Group, but I had the same question and found this blog with the information you may find useful…just thought i'd share in case someone else has the same question.
    https://blogs.technet.com/b/csps/archive/2010/06/

  21. on 17 Apr 2011 at 4:28 pmElan Shudnow

    Keep in mind that these Site Policies are not AD Site Policies. If you look in the Lync Topology Builder, there are Central Sites and Branch Sites that connect to Central Sites. This is what the policies are assigned to. If you have PoolA and PoolB assigned to SiteA, then if you apply the policy to SiteA, it applies to both PoolA and PoolB.

  22. [...] But what if you don’t want this entire port range open between your sites?  You can utilize in-band provisioning  to limit the amount of ports that are being used.  This is very different than how it was configured in OCS 2007 R2.  OCS 2007 R2 utilized Group Policies to set these options whereas in Lync, it uses Client Policies which in turn, provide Lync clients settings via in-band provisioning.  You can read up on how Client Policies work on my previous article here. [...]

  23. on 05 Jul 2011 at 5:02 amBlog d'Eudo

    Lien vers les rôles et features de Lync 2010 et comment les installer…

    Je reprends cet article pour le compléter. En effet, il m’es ……

  24. [...] was reading Elans Blog which gave me a good haad start into using the Management [...]

  25. on 21 Jul 2011 at 4:26 pmRobert G

    Is there anyway to restrict who is allowed to send somebody a Lync IM. For example can we restrict who is allowed to send our CEO IMs. Would be great if there was a setting that only people in his contact list are able to IM him.

    Thanks

  26. on 28 Jul 2011 at 8:25 pmElan Shudnow

    This is possible with custom development by building an MSPL Application using the Ethical Firewall API.

    A sample is here and the API really hasn't changed from OS to Lync: : http://www.microsoft.com/downloads/en/details.asp

  27. [...] But what if you don’t want this entire port range open between your sites?  You can utilize in-band provisioning  to limit the amount of ports that are being used.  This is very different than how it was configured in OCS 2007 R2.  OCS 2007 R2 utilized Group Policies to set these options whereas in Lync, it uses Client Policies which in turn, provide Lync clients settings via in-band provisioning.  You can read up on how Client Policies work on my previous article here. [...]

  28. [...] http://www.shudnow.net/2010/10/28/lync-2010-client-policies/ [...]

  29. [...] Client Policies: http://www.shudnow.net/2010/10/28/lync-2010-client-policies/ [...]

  30. on 25 Jul 2012 at 10:53 ammatt

    Very well written and useful – thank you for posting this. I have a customer with Office 365 Lync installed, and the CS-clientpolicy cmdlets are not available. Are the GPOs that used to provide this functionality still available?

  31. [...] Client Policies: http://www.shudnow.net/2010/10/28/lync-2010-client-policies/ [...]

  32. on 03 Oct 2012 at 4:05 pmFaisal

    Hello Élan,
    Please help!
    My lync 2010 client does not show phone/dialpad icon.my users are enabled for enterprise voice. I have tested on windows 2008 r2 and vista BE platforms. Tried to see if there is anything in client policy but could not figure out.

    Thanks in advance!
    Faisal

  33. on 03 Oct 2012 at 4:51 pmElan Shudnow

    I've seen this when a custom Group Policy for OCS was pushed out to machines and enabled the use of something called TelephonyMode. See Jeff Schertz post here: http://social.technet.microsoft.com/Forums/en-US/

    That is where I would start troubleshooting. I would set this to 0 and let the in-band settings from Lync take effect.

  34. on 17 Dec 2012 at 9:38 amGordon S

    great article Elan. I've been trying to work out if i could use these commands to prevent users changing their photo. We have an on-premise solution, not O365 and i have discovered there is no easy "GPO" for this.

    As you'd expect, almost immediately after the roll-out the users went mad changing their settings, photos etc. We want everyone to keep their AD photo so its consistent with Outlook etc.

    i'm a novice with powershell so was looking for a GUI but happy to give it a go :)

  35. on 27 Dec 2012 at 10:25 amdumpster rental atlanta ga

    Please let me know if you’re looking for a article writer for your blog. You have some really great articles and I believe I would be a good asset. If you ever want to take some of the load off, I’d absolutely love to write some articles for your blog
    in exchange for a link back to mine. Please shoot
    me an e-mail if interested. Regards!

  36. on 15 Apr 2013 at 9:32 amFaith quotes

    I added your blog to favorites Looking for more update.

Trackback this post | Feed on Comments to this post

Leave a Reply