The following Active Roles components must be installed in your Active Directory environment:
• Administration Service
• Web Interface
• Active Roles console
You can install these components on member servers in a user forest or in the Lync Server forest. For installation
instructions, see the Active Roles Quick Start Guide.
Log on as Active Roles Admin
To configure Lync Server User Management, log on as Active Roles Admin. This ensures that you have sufficient
rights to make the necessary configuration changes. Assuming the default configuration of the Active Roles
Administration Service, you should log on with a domain user account that is a member of the Administrators
group on the computer running the Administration Service.
Register domains with Active Roles
Lync Server User Management requires the following domains to be registered with Active Roles:
• At least one domain that holds computers running the Front End Server or Standard Edition Server role in
your Lync Server deployment
• Domains that hold logon-enabled users you are going to administer with Lync Server User Management
• In a multi-forest topology, the domain in the Lync Server forest that holds shadow accounts for Lync
When registering a domain, you are prompted to choose which account you want the Administration Service to
use to access the domain. You can either specify a so-called override account or let the Administration Service
use its service account. With either option, the account must have sufficient rights in the domain you are
registering. At a minimum, the account must have the following rights:
• In the domain that holds Lync Server computers, a member of the RTCUniversalUserAdmins group
• In the user domains, a member of the Account Operators group
• In the shadow accounts domain, a member of the Account Operators group
For a central forest deployment, the account must also have the rights to create, view, modify and
delete contact objects in the shadow accounts domain. It will suffice to make the account a member of
the Domain Admins group.
For instructions on how to register domains with Active Roles, see “Adding and removing managed domains” in
the Active Roles Administrator Guide.
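One way to check the memberships listed above before registering the domains, as an added example that is not part of the Active Roles documentation. It uses the Microsoft ActiveDirectory PowerShell module; the account name and all domain names are placeholders, and it assumes each group can be resolved in the domain that is queried.

```powershell
# Added example: report whether the account the Administration Service will use
# holds the minimum group memberships named in this section.
Import-Module ActiveDirectory

$Account       = 'svc-activeroles'     # placeholder sAMAccountName (assumption)
$AccountDomain = 'users.example.com'   # placeholder: domain that holds the account

# One entry per registered domain: its role and the group this section names for it.
$Checks = @(
    @{ Domain = 'lync.example.com';   Role = 'Lync Server computers'; Group = 'RTCUniversalUserAdmins' }
    @{ Domain = 'users.example.com';  Role = 'User domain';           Group = 'Account Operators' }
    @{ Domain = 'shadow.example.com'; Role = 'Shadow accounts';       Group = 'Account Operators' }
)

# Resolve the account once; membership is compared by SID so that nested
# groups and renamed accounts are handled correctly.
$AccountSid = (Get-ADUser -Identity $Account -Server $AccountDomain).SID.Value

function Test-GroupMember {
    param([string]$Group, [string]$Domain, [string]$Sid)
    try {
        $members = Get-ADGroupMember -Identity $Group -Server $Domain -Recursive -ErrorAction Stop
        return [bool]($members | Where-Object { $_.SID.Value -eq $Sid })
    } catch {
        # Group not found in this domain, or not readable with current rights.
        Write-Warning "Could not read '$Group' in ${Domain}: $($_.Exception.Message)"
        return $null
    }
}

$Report = foreach ($c in $Checks) {
    [pscustomobject]@{
        Domain        = $c.Domain
        Role          = $c.Role
        RequiredGroup = $c.Group
        HasRequired   = Test-GroupMember -Group $c.Group -Domain $c.Domain -Sid $AccountSid
        # Listed so a reviewer can see where the broader Domain Admins option was used.
        IsDomainAdmin = Test-GroupMember -Group 'Domain Admins' -Domain $c.Domain -Sid $AccountSid
    }
}
$Report | Format-Table -AutoSize
```

A blank value in HasRequired or IsDomainAdmin means the group could not be read in that domain; the warning printed above the table gives the reason.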
Apply the User Management policy
The Built-in Policy - Lync - User Management Policy Object enables Active Roles to perform Lync Server user
management tasks on user accounts in the Lync Server forest. It needs to be linked to domains or containers in
the Lync Server forest that hold shadow accounts. In a central forest deployment, you also need to link that Policy
Object to Active Directory domains or containers in the Lync Server forest that hold logon-enabled user
accounts for which you want Active Roles to perform Lync Server user management tasks.
To link the Policy Object to an organizational unit or domain:
1. In the Active Roles console tree, select Configuration | Policies | Administration | Builtin.
2. In the details pane, right-click the Built-in Policy - Lync - User Management Policy Object, and then click Policy Scope.
3. In the dialog box that appears, click Add, and then select the desired organizational unit or domain.
Out of the box, the Policy Object has all policy settings configured. You can use the Active Roles console to view
or change policy settings as needed.