Partitioning Lync Address Book using msRTCSIP-GroupingID

In certain large organizations, some users must be prevented from searching for others.  One simple example of this is a school district.  Perhaps the school district wants to allow only users within the same school to search for each other.  So if I belong to Cougar Hill Elementary I can search for my fellow teachers there, but I cannot search for users at Tiger Hill Elementary.

Partitioning users in this way is supported using a little-known AD attribute called msRTCSIP-GroupingID.  Before I explain this further, however, note that this does not prevent users from communicating with each other; it simply prevents them from finding each other using the address book.  Therefore, while I cannot look up another teacher at Tiger Hill Elementary if I am not in the same grouping, I can call or IM the teacher if I know the SIP address or phone number (though I will not be able to see the user’s photo).

The basic premise is that you can define groups of users in your organization and assign them different groupingIds.  A groupingId is simply a GUID, and only users who have the same groupingId may search for each other.  To set the groupingId for a user, you must set the value of msRTCSIP-GroupingID in Active Directory.

Unfortunately, this is slightly tricky, as we do not expose this attribute anywhere in our UI, nor do we expose it in PowerShell.  The best way to set this, therefore, is to make use of Active Directory’s PowerShell module.

import-module ActiveDirectory

To select your users, you may use either Get-CsUser or Get-AdUser.  If you choose to use Get-CsUser, there is a simple way to convert between them.

$myuser = Get-CsUser myuser@mydomain.com

Get-AdUser $myuser.Identity.DistinguishedName -Properties * | Get-Member

This will show all of the properties in Active Directory for the user myuser@mydomain.com.  To work on multiple users at a time you may pipe the results.

Get-CsUser | foreach {Get-AdUser $_.Identity.DistinguishedName}

I certainly would not run the above command on most servers, though, due to the result set size.  To set the value of groupingId, the following will work.

$guid = [guid]::NewGuid()

$myuser = Get-CsUser myuser@mydomain.com

Set-AdUser $myuser.Identity.DistinguishedName -Replace @{"msRTCSIP-GroupingID"=$guid}

Again, you can either create a script to do this for all the necessary users, or you can pipe the output.  Just make sure all users you want to be able to see each other in the address book have the same groupingId.
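
The script approach mentioned above, as an added example that is not part of the original post: it stamps one groupingId per school on every Lync-enabled user in that school's OU, then summarizes the values found so a missing or mismatched groupingId stands out. The OU paths and the helper names Set-GroupingId and Get-GroupingIdSummary are hypothetical, and it assumes each school has its own OU.

```powershell
Import-Module ActiveDirectory

# Constructed OU paths (one OU per school); replace with your own.
# Generate each GUID once and keep it: users added to a school later need
# the same value, and rerunning NewGuid() would start a new partition.
$partitions = @{
    'OU=CougarHill,OU=Schools,DC=example,DC=com' = [guid]::NewGuid()
    'OU=TigerHill,OU=Schools,DC=example,DC=com'  = [guid]::NewGuid()
}

# Lync-enabled accounts have a SIP address in msRTCSIP-PrimaryUserAddress.
$lyncFilter = '(msRTCSIP-PrimaryUserAddress=*)'

function Set-GroupingId {
    # Hypothetical helper: stamps one groupingId on every Lync user in an OU.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase, [guid]$GroupingId)

    Get-ADUser -SearchBase $SearchBase -LDAPFilter $lyncFilter | ForEach-Object {
        # Same -Replace form as the single-user command in the post;
        # -WhatIf on this function is passed through to Set-ADUser.
        Set-ADUser $_.DistinguishedName -Replace @{'msRTCSIP-GroupingID' = $GroupingId}
    }
}

function Get-GroupingIdSummary {
    # Hypothetical helper: counts users per distinct groupingId value in an OU.
    param([string]$SearchBase)

    Get-ADUser -SearchBase $SearchBase -LDAPFilter $lyncFilter -Properties 'msRTCSIP-GroupingID' |
        Group-Object {
            $value = @($_.'msRTCSIP-GroupingID') -join '-'
            if ($value) { $value } else { '<not set>' }
        } |
        Select-Object Count, Name
}

foreach ($ou in $partitions.Keys) {
    Set-GroupingId -SearchBase $ou -GroupingId $partitions[$ou] -WhatIf   # dry run; remove -WhatIf to apply
    # A consistent partition shows exactly one row, and no '<not set>' row.
    Get-GroupingIdSummary -SearchBase $ou
}
```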