TROUBLESHOOTING FIM: Problem Firing Powershell Script to Lync Enable Users From Within a FIM Workflow


My name is Walt Whitman and I am a Sr. Support Escalation Engineer on the Forefront Identity Manager team.

I recently worked an issue where the customer was attempting to take existing OCS users and create Lync Enabled objects using a workflow from within FIM.

The issue at hand was that the FIM Service essentially had to be configured as a Lync Administrator to create the Lync Enabled objects.  It was discovered after a troubleshooting session that the Lync objects were not being created.

We began looking at the issue and breaking out the piece parts of the customer’s solution.

There were two critical things that we quickly noted:

  1. The PowerShell user provisioning script was running outside of FIM just fine
  2. The PowerShell provisioning script was prompting for credentials

 

As long as we provided the credentials, the PowerShell script fired just fine. The issue appeared to be in FIM, in that credentials were not being manually entered upon each run.

I worked with Christopher Tart on our LYNC team and determined a method of invoking the necessary PowerShell session so that the account credentials for the FIM Service would not have to be entered each time.

Here is the script that starts a session in the context of the user who invokes it; these credentials are used for the remainder of the session.

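# Session option: skip the certificate revocation check for the HTTPS endpoint
$so = New-PSSessionOption -SkipRevocationCheck
# Connect as the account running this code, so no credential prompt appears
$CSSession = New-PSSession -ConnectionUri https://randomserver.contoso.com/ocspowershell `
    -Authentication NegotiateWithImplicitCredential -SessionOption $so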

Essentially, once this was entered into the FIM Workflow and the FIM Service was granted the necessary permissions to provision a Lync-enabled object, the Lync-specific PowerShell worked flawlessly.
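As an added example (not the original script from this article or the customer's workflow), the following wraps the same implicit-credential session in a function that records which account is connecting, imports only Enable-CsUser, and always closes the session. The function name, the pool FQDN and the SIP address are assumptions; the connection URI is the sample value used above.

```powershell
# Added example, not the article's own script. Pool FQDN and SIP address are placeholders.
function Enable-LyncUserAsCaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)] [string] $SipAddress,
        [Parameter(Mandatory = $true)] [string] $RegistrarPool,
        [string] $ConnectionUri = 'https://randomserver.contoso.com/ocspowershell',
        [switch] $SkipRevocationCheck
    )

    # The implicit credential is the Windows identity of this process;
    # inside a FIM workflow that should be the FIM Service account.
    $caller = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Verbose "Connecting to $ConnectionUri as $caller"

    $sessionArgs = @{
        ConnectionUri  = $ConnectionUri
        Authentication = 'NegotiateWithImplicitCredential'
        ErrorAction    = 'Stop'
    }
    # Skip the certificate revocation check only when explicitly requested.
    if ($SkipRevocationCheck) {
        $sessionArgs['SessionOption'] = New-PSSessionOption -SkipRevocationCheck
    }

    $session = $null
    try {
        $session = New-PSSession @sessionArgs
        # Import only the cmdlet this task needs from the remote endpoint.
        Import-PSSession -Session $session -CommandName Enable-CsUser `
            -AllowClobber -ErrorAction Stop | Out-Null
        Enable-CsUser -Identity $Identity -RegistrarPool $RegistrarPool `
            -SipAddress $SipAddress -ErrorAction Stop
    }
    catch {
        # Report which account failed so missing Lync permissions are easy to spot.
        throw "Lync enablement failed for '$Identity' as '$caller': $($_.Exception.Message)"
    }
    finally {
        # Always release the remote session, even when enablement fails.
        if ($session) { Remove-PSSession -Session $session }
    }
}

# Constructed sample call; every value is a placeholder.
# Enable-LyncUserAsCaller -Identity 'CONTOSO\jdoe' -SipAddress 'sip:jdoe@contoso.com' -RegistrarPool 'pool01.contoso.com' -Verbose
```

Running it with -Verbose from the workflow host shows the account whose credentials are passed implicitly, which is the account that needs the Lync permissions.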

I hope this helps you with your OCS migration if you are using FIM.

For more information:

Setting Up Kerberos Authentication

Enable-CsUser

Lync Server 2010 Role-Based Access Control

Comments
  • Richard Mueller edited Revision 12. Comment: Replace RGB values with color names in HTML to restore colors

  • Richard Mueller edited Revision 11. Comment: Modified title casing, added tags

  • Tim Macaulay edited Revision 9. Comment: updated the title

  • Tim Macaulay edited Revision 8. Comment: updated the title, updated tags
