In a nutshell there are 4 options:
- Use a Windows Script (e.g. VBScript or JavaScript/JScript)
- Use the OCS 2007 Resource Kit Script (LCSEnableConfigureUsers.wsf)
- Use Microsoft PowerShell
- Use a Bulk Active Directory Import/Export Tool
I explore these 4 options below. The first 3 options make use of WMI under the covers to set the “Enabled” property on the OCS user in Active Directory.
Important notes for the first 3 (WMI-based) Options:
- All options require the OCS WMI class MSFT_SIPESUserSetting to be available locally. The OCS Administrative Tools installs this WMI class and is an important pre-requisite.
- You should run these solutions with the appropriate permissions to access the Active Directory user objects. The user you run as should be a member of the RTCUniversalUserAdmins group.
- These options assume that the underlying AD user object has been created and the user has been provisioned for OCS (e.g. SIP address created). The scripts are setting an OCS AD attribute to enable or disable the user; not creating the actual AD object and provisioning it.
- The WMI property “EnabledForEnhancedPresence” controls whether the user is enabled for Enhanced Presence and can sign in with the new Communicator 2007 client (for the corresponding AD attribute, see the related blog post “Provisioning OCS Users (and the AD msRTCSIP-OptionFlags Attribute)”).
Option 1: Using a Script (e.g. VBScript or JavaScript/JScript)
I’ve put together a sample VBScript to enable or disable a single OCS user. Set the g_userURI and g_OCSEnableUser variables accordingly. You can use the guts of this script to easily do it for a batch of users (i.e. read a list of users from a file).
' SET THE USER WE WANT TO ENABLE or DISABLE
g_userURI = "sip:someTestUser@SIPDomain.com"
' TRUE TO ENABLE or FALSE TO DISABLE
g_OCSEnableUser = True
' Connect to a WMI object
Set wmiServer = CreateObject("WbemScripting.SWbemLocator").ConnectServer()
' Get the SIP User
Query = "SELECT * FROM MSFT_SIPESUserSetting where PrimaryURI = '" & g_userURI & "'"
Set OCSUsers = wmiServer.ExecQuery(Query)
If ( IsEmpty(OCSUsers) Or OCSUsers.Count = 0) Then
  WScript.Echo "No matching SIP user was found."
Else
  For each OCSUser in OCSUsers
    PrimaryURI = OCSUser.PrimaryURI
    HomeServerDN = OCSUser.HomeServerDN
    UserDN = OCSUser.UserDN
    ' Wscript.Echo "URI: " & PrimaryURI & Chr(13) & Chr(10) & HomeServerDN & Chr(13) & Chr(10) & UserDN
    OCSUser.Enabled = g_OCSEnableUser
    ' Trap errors here: otherwise a failed Put_ aborts the script before the Err check runs
    On Error Resume Next
    Err.Clear
    OCSUser.Put_ 0 ' 0 for create or update
    If Err.Number = 0 Then
      WScript.Echo "Operation Successful"
    Else
      WScript.Echo "Detected an error"
    End If
    On Error GoTo 0
  Next
End If
Option 2: Using an OCS 2007 Resource Kit Script
The script requires 2 input files: one file containing a list of users to enable or disable (specified with their SIP or distinguished names), and another file with the corresponding OCS user settings.
These files require some time and effort to set up, so this option is best for big batch operations. The Resource Kit ReadMe contains good information on the prerequisites and permissions expected for this script.
Option 3: Using Microsoft PowerShell
Microsoft PowerShell is a scripting environment that comes with a WMI provider that can be used to manage OCS. You can download PowerShell 1.0 here: http://www.microsoft.com/windowsserver2003/technologies/management/powershell/download.mspx.
Once installed, you can easily script a solution to enable/disable OCS users. Important Note: if the AD user has never been enabled for OCS (or LCS), you will not be able to use this method to enable the user (they won’t show up in the MSFT_SIPESUSERSETTING class).
To get a list of OCS Enabled users, you can simply issue the command:
> get-wmiobject -class MSFT_SIPESUserSetting | where-object { $_.Enabled -eq $True }
To enable a particular SIP user for OCS:
> get-wmiobject -class MSFT_SIPESUserSetting | where-object { $_.PrimaryURI -eq "sip:userid@SIPDomain" } | % { $_.Enabled = $True; $_.put() | out-null }
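The batch case mentioned under Option 1 (reading a list of users from a file), done with the PowerShell approach of Option 3. This is an added example, not code from the original post; the function name Set-OcsUserEnabled and the file name users.txt are hypothetical, and try/catch assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original post. Set-OcsUserEnabled and users.txt
# are hypothetical names; try/catch needs PowerShell 2.0 or later.
function Set-OcsUserEnabled {
    param(
        [string]$Path = 'users.txt',   # one SIP URI per line
        [bool]$Enable = $true,
        [switch]$WhatIf                # report only, change nothing
    )
    foreach ($line in Get-Content $Path) {
        $uri = $line.Trim()
        if ($uri -eq '') { continue }
        # Accept only a plain sip: URI so that quotes or backslashes in the
        # input file can never alter the WQL filter built below.
        if ($uri -notmatch '^sip:[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$') {
            Write-Warning "Skipped malformed entry: $uri"
            continue
        }
        # -Filter is evaluated by WMI, so only the matching user is returned.
        $users = @(Get-WmiObject -Class MSFT_SIPESUserSetting -Filter "PrimaryURI = '$uri'")
        if ($users.Count -eq 0) {
            Write-Warning "No OCS user found for $uri"
            continue
        }
        foreach ($u in $users) {
            if ($u.Enabled -eq $Enable) { "$uri already Enabled=$Enable"; continue }
            if ($WhatIf) { "$uri would be set to Enabled=$Enable"; continue }
            try {
                $u.Enabled = $Enable
                $u.Put() | Out-Null
                "$uri set to Enabled=$Enable"
            } catch {
                Write-Warning "Update failed for ${uri}: $($_.Exception.Message)"
            }
        }
    }
}

Set-OcsUserEnabled -Path 'users.txt' -Enable $true -WhatIf
```

Run it with -WhatIf first and keep the output as a record of which accounts were changed; entries reported as not found are typically users who were never enabled for OCS, as noted above.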
Option 4: Use a Bulk Active Directory Import/Export Tool
Many OCS user features that can be set in the OCS management console GUI can be set or changed through underlying Active Directory (AD) attributes. If you are attempting a bulk change, you’ll generally want to export the users, modify the data (to turn a feature on or off), and re-import the data. The following two command line tools will allow you to do this:
- LDIFDE – Imports and exports data to and from Active Directory. It queries any available domain controller to retrieve or update AD information.
- CSVDE (Comma Separated Value Data Exchange). CSVDE is a small command-line tool that can import and export data from AD in a CSV file. It is included in Windows 2003 installs by default (usually in the %windir%/system32 directory).
Although not a command-line tool per se, ADModify.NET is an excellent GUI based tool for making batch changes to objects in AD. It can record all changes that it made to an XML file which is handy.
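The export, modify and re-import cycle described above, applied to the msRTCSIP-OptionFlags bit-mask so that existing bits are preserved. This is an added example, not code from the original post; New-OptionFlagsLdif is a hypothetical name, the CSV rows are constructed sample data, the bit values (1 = Public IM, 256 = Enhanced Presence) are the ones quoted in the excerpt at the end of this page, and ConvertFrom-Csv assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original post. Turns an exported list of
# (DN, msRTCSIP-OptionFlags) rows into an LDIF file that sets or clears
# individual bits while leaving every other bit as it was.
$PIC              = 1     # Public IM bit, value as quoted on this page
$EnhancedPresence = 256   # Enhanced Presence bit, value as quoted on this page

function New-OptionFlagsLdif {
    param([object[]]$Rows, [int]$SetBits = 0, [int]$ClearBits = 0)
    foreach ($row in $Rows) {
        $raw = $row.'msRTCSIP-OptionFlags'
        if (-not $raw) {
            # No current value to preserve: leave this user to be reviewed by hand.
            Write-Warning "No msRTCSIP-OptionFlags value, skipped: $($row.DN)"
            continue
        }
        $old = [int]$raw
        # OR in the bits to turn on, AND out the bits to turn off.
        $new = ($old -bor $SetBits) -band (-bnot $ClearBits)
        if ($new -eq $old) { continue }   # already correct, emit nothing
        # LDIF modify record. Assumes ASCII DNs (others need base64 "dn::").
        "dn: $($row.DN)"
        "changetype: modify"
        "replace: msRTCSIP-OptionFlags"
        "msRTCSIP-OptionFlags: $new"
        "-"
        ""
    }
}

# Constructed sample standing in for a CSVDE export of two attributes.
$sample = @'
DN,msRTCSIP-OptionFlags
"CN=User One,OU=Staff,DC=example,DC=com",1
"CN=User Two,OU=Staff,DC=example,DC=com",256
"CN=User Three,OU=Staff,DC=example,DC=com",
'@ | ConvertFrom-Csv

New-OptionFlagsLdif -Rows $sample -SetBits $EnhancedPresence
```

The generated records can be saved to a file and imported with `ldifde -i -f`. Because the new value is computed from the exported one, re-export just before importing if the attribute may have changed in the meantime.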


[...] Because this is a bit-mask, be careful not to clobber any existing features. For example, if you are setting Enhanced Presence (bit 256), and want to preserve the ability for the user to have Public IM functionality, be sure to set the value to 257 (i.e. add a “1” to set the enabled for PIC bit). A good way to approach this is to add the value of the bit representing the feature you want to add to the existing value. You can do this through several command line options outlined in my blog post “Provisioning OCS From the Command Line”. [...]