Deploying Lync Server 2010 (Part 8) – Managing User Policies

If you would like to be notified of when Anderson Patricio releases the next part in this article series please sign up to our Real Time Article Update newsletter.

In the last two articles we went over the process of managing Lync using the Control Panel. Also, we examined how to manage users through the Lync Management Shell. In this article we are going over the process of managing policies in order to leverage these features in a Lync environment.

Managing Lync Server Policies

Lync Server provides a number of policies for all main components of the infrastructure. Each of these components has a Global policy in place, which is created during the installation of the product. A Global policy is self-explanatory: it applies to all Lync users that don’t have any other policy assigned to them. Additional policies can be defined at several levels: User, Site or Pool (depending on the policy that we are configuring).

The process to manage each Lync policy is almost the same, so a brief overview of the available policy components and what we can do with them is given below. Besides this brief description, we are going to cover two of the most used Lync policies in detail: Conferencing Policy and Client Policy.

  • Client version policy – Using the client version policy the administrator can control which client versions are able to connect to the Lync Server, and even push updates if it is a Lync client.
  • PIN Policy – Using this policy the administrator can control the PIN (Personal Identification Number), which can be used instead of username and password when PIN authentication is enabled.
  • External access policy – We use this policy when our organization has an Edge Server that allows Lync to be accessed externally, and when we share information with partners and public providers (MSN, Yahoo and AOL). This policy allows an administrator to control whether a specific user can communicate with federated organizations and public IM providers, and whether the user can access the Lync infrastructure from an external source without VPN.
  • Archiving Policy – This policy allows the administrator to control the archiving of communications, which are stored in a SQL database. The scope can be Internal, External or both.
  • Location Policy – This policy was created to be used with E911 services, which are used mainly in the USA and allow the emergency service to identify where the call is being made from.
  • Mobile Policy (new) – This policy and the feature itself were introduced in a Rollup Update and enable mobile clients, such as Windows Phone, Apple and Android, to connect to the Lync infrastructure. The policy is really simple: it basically allows users to use their mobile to make and receive phone calls using the work phone number instead of their mobile number. The second setting enables or disables Lync users from using mobile devices.

The following table lists all policies, where to find them in the Lync Server Control Panel, which cmdlet can be used to create a new one from the Lync Server Management Shell, and the scope where they are applied.


|  | Lync Server Control Panel | How to create a new policy? | Applies at |
| --- | --- | --- | --- |
|  | Conferencing item |  | Site Level, User Level |
| Client Version | Clients item |  | Site Level, Pool Level, User Level |
|  | Security item / PIN Policy |  | Site Level, User Level |
| External Access | External user access item |  | Site Level, User Level |
|  | Monitoring and Archiving item / Archiving Policy |  | Site Level, User Level |
|  | Network item / Location Policy |  | Site Level, User Level |
|  |  |  | Site Level, User Level |

Table 1

To find out whether a policy is being applied, the administrator can open the properties of the Lync user and click View on the desired policy (Figure 01). In the example below, the Scope field shows where the setting is coming from, and the site is identified at the top.

Figure 01

If you are used to managing policies in Exchange Server and you are trying to do the same using Lync you will face some weird issues. The main reason is that Lync Server Management Shell uses a specific cmdlet to assign policies to users instead of using a pipe like Set-something as is the standard in Exchange Management Shell.

There are a couple of ways to assign policies based on your requirements. The first one is to assign the policy directly to the user. In that case the first step is to list all the available policies using the cmdlet Get-CsConferencingPolicy | select identity; the second step is to use Grant-CsConferencingPolicy <user> -PolicyName <Policy-Name> to assign the conferencing policy.

In this example we are assigning a conferencing policy; you should change the cmdlet based on the policy that you want to change. The entire process is shown in Figure 02.

Figure 02

Another requirement could be a change of a specific policy just for a certain region. If you are using Organizational Units the job becomes much easier, because we can combine the output of Get-CsUser, which lists all Lync users, with Grant-Cs<Policy>. By doing that, we can configure all users from a single location with a single line.

Let’s say that an OU that contains all users from Montevideo, Uruguay requires a conferencing policy. The first thing to do before changing anything is to list all users of the OU to make sure that we are working with the right users. We can use the following cmdlet: Get-CsUser -OU domain.local/OU | select identity. Now the administrator can look at the results, and if the users listed are the expected ones we just need to remove the | select identity and add | Grant-CsConferencingPolicy -PolicyName <PolicyName> to the previous cmdlet, and all users of the specified OU will have the policy assigned. The entire process is shown in Figure 03.

Figure 03
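The OU-scoped assignment described above, written as a script with a dry run and a read-back check. This is an added example, not the commands from the original figures; the OU distinguished name is a placeholder, and the policy name is the one created later in the Conferencing Policy section.

```powershell
# Added example; run in the Lync Server Management Shell.
# Placeholder values (assumptions): replace with your own OU and policy name.
$ou         = "OU=Montevideo,DC=domain,DC=local"
$policyName = "POA-ConferencingPolicy-Restricted"

# 1. Fail early if the per-user policy does not exist, so that a typo in the
#    name is caught before any account is touched.
if (-not (Get-CsConferencingPolicy -Filter "tag:$policyName")) {
    throw "Conferencing policy '$policyName' was not found."
}

# 2. Preview the accounts in scope together with their current assignment.
#    An empty ConferencingPolicy means the Site or Global policy applies.
$users = @(Get-CsUser -OU $ou)
$users | Select-Object Identity, SipAddress, ConferencingPolicy |
    Format-Table -AutoSize

# 3. Dry run: -WhatIf reports what would change without changing anything.
$users | Grant-CsConferencingPolicy -PolicyName $policyName -WhatIf

# 4. Apply only after the preview and the dry run have been reviewed.
$answer = Read-Host "Assign '$policyName' to $($users.Count) users? (y/n)"
if ($answer -eq 'y') {
    $users | Grant-CsConferencingPolicy -PolicyName $policyName

    # 5. Read the assignment back and report any account that was missed.
    $missed = @(Get-CsUser -OU $ou |
        Where-Object { "$($_.ConferencingPolicy)" -ne $policyName })
    if ($missed.Count -gt 0) {
        Write-Warning "$($missed.Count) users do not have '$policyName':"
        $missed | Select-Object SipAddress, ConferencingPolicy
    } else {
        Write-Host "All $($users.Count) users now have '$policyName'."
    }
}
```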

If you want to change all users you can use a strategy similar to the previous one; however, it would be better to change the Global policy associated with the feature instead of managing the policy user by user.

Conferencing Policy

Conferencing Policy has several features that can be managed through a policy, such as meeting size, recording, video resolution, audio/video restrictions, application sharing and meeting features (polls, annotations, etc.). In order to configure a Conferencing Policy using the Lync Server Control Panel, we must click on the Conferencing item on the left (Figure 04). On the right side we will see the Global policy, which can be edited and applies to all users. Additionally, we can create new conferencing policies at Site or User level.

Figure 04

Let’s create a new Conferencing Policy by clicking New and then User Policy. Then let’s name the new policy as POA-ConferencingPolicy-Restricted and reduce the limit to 10 participants in a meeting (the default value is 250) as shown in Figure 05.

Figure 05

Now, if we go back to the properties of any Lync user, we will be able to select the policy that we have just created in the conferencing policy field, as shown in Figure 06.

Figure 06

Managing Client Policy

In the previous version of Lync, which was Office Communications Server 2007 R2, the client settings were managed through Group Policies, which was a challenge for some customers for several reasons: Active Directory GPOs may fail to apply or may not even be configured properly, some clients never connect to the network, and so forth. Using the new Client Policy introduced with Lync Server 2010, the administrator can guarantee that every time a client logs on, the policy designed for that user will be applied.

The Client Policy contains the largest number of settings in the Lync universe. However, there are a couple of entries that will make you love this new concept if you have ever used GPOs to manage OCS users in the past. Let’s see a couple of examples: block external contacts from starting conversations, disable emoticons, prevent the user from saving conversations, IM warning to inform the user, maximum number of contacts, manage full screen video, and Display photo, where we can configure whether the user can use a personal picture by defining which source the picture will come from. Pretty cool, huh?

The Client Policy creation must be done using the Lync Server Management Shell. Let’s create a policy named POA-ClientPolicy-restricted that forces the photo to be picked only from Active Directory and disables emoticons and OneNote integration. The cmdlet in action is shown in Figure 07.

Figure 07
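One way to create the client policy described above from the shell, then assign it to a single pilot user and read the result back. This is an added example, not the cmdlet captured in the original figure; the pilot SIP address is a placeholder.

```powershell
# Added example; run in the Lync Server Management Shell.
$policyName = "POA-ClientPolicy-restricted"

# The three restrictions named in the text.
$settings = @{
    DisplayPhoto                = "PhotosFromADOnly"  # photo only from Active Directory
    DisableEmoticons            = $true
    DisableOneNote12Integration = $true
}

# Create the per-user policy, or bring an existing one back to the intended
# values, so the script can be re-run without errors.
if (Get-CsClientPolicy -Filter "tag:$policyName") {
    Set-CsClientPolicy -Identity $policyName @settings
} else {
    New-CsClientPolicy -Identity $policyName @settings | Out-Null
}

# Read the policy back to confirm what is actually stored.
Get-CsClientPolicy -Identity $policyName |
    Select-Object Identity, DisplayPhoto, DisableEmoticons,
                  DisableOneNote12Integration

# Assign the policy to one pilot account first (placeholder address),
# then confirm the assignment on the user object.
$pilot = "sip:pilot.user@domain.local"
Grant-CsClientPolicy -Identity $pilot -PolicyName $policyName
Get-CsUser -Identity $pilot | Select-Object SipAddress, ClientPolicy
```

The client picks up the new settings the next time the user signs in.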

The result at the client side will be that when users try to configure their own picture, the only possible options will be “Do not show my picture” or “Default corporate picture” (which comes from Active Directory), as shown in Figure 08.

Figure 08

We can’t create Client Policies using the Lync Server Control Panel; however, we can assign the policy there, as shown in Figure 09. Unfortunately, the View… button is not available for the Client Policy.

Figure 09


In this article we went over all the Policies that can be created in a Lync environment and covered their usage.
