One of These Things is Not Like the Others: Challenge 6 Answer

One of These Things is Not Like the Others: Challenge 6

To be honest, there's a lot of pressure involved in running a highly-prestigious competition such as the weekly Lync Server PowerShell One of These Things is Not Like the Others Challenge.

Note. If you aren't familiar with the Challenge, many people consider it to be the Nobel Prize of the Lync Server world, the only real difference between the two being that people actually care about the Nobel Prize.

Well, that and the fact that people who win the Nobel Prize receive $1.4 million. People who win the Lync Server PowerShell Challenge get about $1.4 million less than that.

At any rate, one of the pressures involved in running the Lync Server PowerShell Challenge is trying to balance the need to make the weekly question difficult enough to still be considered a challenge, yet not so difficult that no one can answer it. Make the question too hard and everyone complains that the question was too hard; make the question too easy and everyone complains that the question was too easy. But make the question just right and – well, we’ll let you know what everyone says about that just as soon as we actually make the question just right.

Our solution to this on-going problem has been to try to mix things up a bit: some weeks the questions are easy, some weeks the questions are not-so-easy. For example, last week we gave you an easy question to answer. (How do we know that? Well, for one thing, every single person who submitted an answer got it correct.) In our last Challenge, we presented you with the following four Lync Server PowerShell cmdlets and asked you to tell us which of those four cmdlets was not like the others:

Grant-CsExternalAccessPolicy

Grant-CsDialPlan

Grant-CsOUPermission

Grant-CsConferencingPolicy


And the answer to this challenge? Grant-CsOUPermission.

But, needless to say, you already knew that, didn't you?

Why Grant-CsOUPermission? Well, as everyone pointed out, the other three cmdlets in the group – Grant-CsExternalAccessPolicy, Grant-CsDialPlan, and Grant-CsConferencingPolicy – are used to assign something (an external access policy, a dial plan, and a conferencing policy) to a specific user or set of users. For example, this command grants a specific external access policy to the user Ken Myer:

Grant-CsExternalAccessPolicy -Identity "Ken Myer" -PolicyName "RedmondAccessPolicy"

And this command grants a dial plan to all the users in the Redmond OU:

Get-CsUser -OU "ou=Redmond,dc=litwareinc,dc=com" | Grant-CsDialPlan -PolicyName "RedmondDialPlan"

So what's different about Grant-CsOUPermission? Well, with that cmdlet you can't assign something (i.e., user management permissions) to any old person or group of people. Instead, running the cmdlet automatically grants user management permissions to one group and one group only: the RTCUniversalUserAdmins security group. If you want Ken Myer to have these user management permissions you can't use Grant-CsOUPermission to specifically assign those permissions to Ken. Instead, you need to make Ken a member of the RTCUniversalUserAdmins group. That's the only way to get him those permissions.

Note. We should point out that you don't necessarily have to run Grant-CsOUPermission: when you install Lync Server, Setup will try to grant all the required permissions for you. Grant-CsOUPermission is typically only needed in a locked-down domain where permission inheritance has been disabled. If you don't have a locked-down domain, then you won't need to run Grant-CsOUPermission; Setup itself will make sure that the RTCUniversalUserAdmins group has all the user management permissions it needs.
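The workflow described above, as an added example that is not from the original post: in a locked-down domain, check whether RTCUniversalUserAdmins already has user management permissions on an OU, grant them only if they are missing, and then give Ken Myer those permissions the only way possible, through group membership. The OU path, the account name kenmyer, and the use of the ActiveDirectory module are assumptions.

```powershell
# Added example; the OU path and account name are assumptions for illustration.
# Run from the Lync Server Management Shell with the ActiveDirectory module available.
Import-Module ActiveDirectory

$ou      = "ou=Redmond,dc=litwareinc,dc=com"   # assumed OU
$group   = "RTCUniversalUserAdmins"            # the predefined group named in the post
$account = "kenmyer"                           # assumed sAMAccountName for Ken Myer

# 1. Check whether the predefined group already has user management
#    permissions on this OU. Setup normally grants them; expect False only
#    where permission inheritance has been disabled.
$hasPermission = Test-CsOUPermission -OU $ou -ObjectType "User"

# 2. Grant the permissions only if they are missing, then verify the result.
#    Note there is no parameter for naming a user or group to receive them.
if (-not $hasPermission) {
    Grant-CsOUPermission -OU $ou -ObjectType "User"
    if (-not (Test-CsOUPermission -OU $ou -ObjectType "User")) {
        throw "$group still lacks User permissions on $ou"
    }
}

# 3. Ken gets the permissions through group membership, not through
#    Grant-CsOUPermission. Skip the change if he is already a member.
$alreadyMember = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.SamAccountName -eq $account }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $group -Members $account
}

# 4. Membership of this group is the actual grant, so list everyone who
#    now holds these permissions (nested groups included) for review.
Get-ADGroupMember -Identity $group -Recursive |
    Sort-Object SamAccountName |
    Select-Object Name, SamAccountName, objectClass
```

Because the permissions are tied to the group, the membership list in step 4 is the complete record of who can manage users in any OU where Grant-CsOUPermission has been run.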

So how could you figure this out? Well, to be honest, the only way we know of is to read the help. For example, if you read the help for the Grant-CsOUPermission cmdlet you'll see this sentence:

Note that this cmdlet only grants permissions to a set of predefined security groups; the cmdlet cannot be used to grant permissions to arbitrary security groups or to individual users.

Because the help for the other three cmdlets shows a number of examples in which items are assigned to individuals and groups of individuals, well, there's your answer right there.

See? We told you last week's Challenge was easy.

And what about this week's Challenge: is it an easy one or is it a hard one? You'll just have to see for yourself.
