Nota: Este artigo foi publicado originalmente em 2012 for Lync Server 2010/2013. The concepts also apply to Skype for Business Server 2015/2019. Microsoft Teams has since replaced Skype for Business Online, but on-premises Skype for Business Server deployments continue to use the Control Panel described here.
The Lync Server Control Panel (CSCP) is the web-based administrative interface for managing Microsoft Lync Server deployments. It provides a graphical UI for user management, conferencing policies, voice routing, monitoring, and more. This guide covers how to access it, configure a friendly administrative URL, use PowerShell as an alternative, and understand the RBAC (Role-Based Access Control) model.
Accessing the Lync Control Panel via Direct URL
The simplest way to access the Lync Server Control Panel is to navigate directly to it in a web browser.
Default URL Format
https://<Front-End-Server-FQDN>/cscpFor example:
https://lyncfe01.contoso.com/cscpWhen you browse to this URL, the server will prompt for authentication. You must log in with an account that has been assigned a Lync Server administrative role (covered in the RBAC section below).
Avoid Repeated Credential Prompts
If you are accessing the Control Panel from a domain-joined machine and want to avoid entering credentials every time:
- Open Internet Explorer (or the legacy Edge mode) and navigate to the CSCP URL.
- Go to Internet Options > Segurança > Local Intranet > Sites > Advanced.
- Add the CSCP URL (e.g.,
https://lyncfe01.contoso.com) to the Local Intranet zone. - Ensure that Automatic logon only in Intranet zone is enabled under Segurança > Local Intranet > Custom Level > User Authentication.
This allows Windows Integrated Authentication (Kerberos/NTLM) to pass your current domain credentials to the Lync web service automatically.
For Google Chrome and Chromium-based Edge, the Intranet zone settings are inherited from Internet Explorer settings on Windows. Alternatively, you can configure Chrome policies:
# Chrome policy (Windows Registry)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthServerAllowlist"="*.contoso.com"
"AuthNegotiateDelegateAllowlist"="*.contoso.com"Configuring a Custom Administrative URL (Simple URL)
Instead of remembering the server FQDN, you can configure a friendly Simple URL for administration using Topology Builder.
Passo 1: Open Topology Builder
- Launch Lync Server Topology Builder from the Start menu on a machine with the Lync administrative tools installed.
- Download the topology from the Central Management Store, or open your existing topology document.
Passo 2: Configure the Administrative Simple URL
- Right-click the top-level node (your Lync deployment) and select Edit Properties.
- In the Simple URLs section, look for the Administrative access URL.
- Set it to a friendly URL, for example:
https://lyncadmin.contoso.com
Passo 3: Create the DNS Record
Create an A record (or CNAME) in your DNS zone:
lyncadmin.contoso.com -> 10.0.1.50 (IP of the Front End Server or VIP of the HLB)If you use a hardware load balancer, point the DNS record to the virtual IP of the Lync web services pool.
Passo 4: Publish the Topology and Rerun the Deployment Wizard
- In Topology Builder, click Action > Publish Topology.
- On the Front End Server, open the Lync Server Deployment Wizard.
- Rerun Passo 2: Setup or Remove Lync Server Components to update the IIS bindings.
- Rerun Passo 3: Request, Install, or Assign Certificates if the new URL requires an updated SAN (Subject Alternative Name) on the certificate.
After these steps, you can access the Control Panel at:
https://lyncadmin.contoso.com/cscpCertificate Considerations
The new administrative URL must be included in the SSL/TLS certificate as a Subject Alternative Name (SAN). If it is not, browsers will display a certificate warning. You can verify the current certificate SANs with PowerShell:
# Check the certificate bound to the Lync web services
Get-CsCertificate | Where-Object {$_.Use -eq "WebServicesInternal"} | Select-Object -ExpandProperty AlternativeNamesManaging Lync Server with PowerShell
The Lync Server Management Shell provides full administrative control and is often more efficient than the Control Panel for bulk operations or automation.
Opening the Management Shell
Open the Lync Server Management Shell from the Start menu, or import the module in a regular PowerShell session:
# Import the Lync Server module (Lync 2013)
Import-Module "C:\Program Files\Common Files\Microsoft Lync Server 2013\Modules\Lync\Lync.psd1"
# For Skype for Business Server 2015/2019
Import-Module SkypeForBusinessCommon Administrative Cmdlets
# List all Lync-enabled users
Get-CsUser | Select-Object DisplayName, SipAddress, RegistrarPool
# Enable a user for Lync
Enable-CsUser -Identity "contoso\jdoe" -RegistrarPool "lyncpool01.contoso.com" -SipAddressType EmailAddress
# Disable a user
Disable-CsUser -Identity "sip:jdoe@contoso.com"
# View conferencing policies
Get-CsConferencingPolicy
# Assign a conferencing policy to a user
Grant-CsConferencingPolicy -Identity "sip:jdoe@contoso.com" -PolicyName "RestrictedConferencing"
# View voice routing policies
Get-CsVoicePolicy
# Check the status of all Lync services on a server
Get-CsWindowsService -ComputerName "lyncfe01.contoso.com"
# View pool topology information
Get-CsPool
# Test user connectivity
Test-CsRegistration -TargetFqdn "lyncpool01.contoso.com" -UserSipAddress "sip:testuser@contoso.com" -UserCredential (Get-Credential)PowerShell Remoting for Remote Administration
You can manage Lync Server from a remote workstation using PowerShell remoting:
# Establish a remote session to the Lync Front End
$session = New-PSSession -ComputerName "lyncfe01.contoso.com"
Import-PSSession $session -Module Lync
# Now run Lync cmdlets locally; they execute on the remote server
Get-CsUser | Select-Object DisplayName, SipAddressRBAC Roles in Lync Server
Lync Server uses Role-Based Access Control (RBAC) to determine what each administrator can do. You must be a member of at least one of these roles to access the Control Panel:
| RBAC Role | Scope | Description |
|---|---|---|
| CsAdministrator | Global | Full control over all Lync settings and policies. |
| CsUserAdministrator | Global | Can enable/disable users and assign per-user policies but cannot change server topology. |
| CsVoiceAdministrator | Global | Can manage voice-related settings: dial plans, voice policies, routes. |
| CsServerAdministrator | Global | Can manage server services, monitoring, and archiving but not user-level policies. |
| CsHelpDesk | Global | Read-only access to user properties and policies. Useful for support teams. |
| CsArchivingAdministrator | Global | Can manage archiving configuration and policies. |
| CsResponseGroupAdministrator | Global | Can manage Response Group workflows. |
| CsLocationAdministrator | Global | Can manage E911 and location information services. |
Assigning RBAC Roles
RBAC roles in Lync are mapped to Active Directory security groups. To grant a user administrative access:
# Add a user to the CsAdministrator role (AD group)
Add-ADGroupMember -Identity "CSAdministrator" -Members "contoso\adminuser"
# Verify membership
Get-ADGroupMember -Identity "CSAdministrator" | Select-Object NameThe AD groups are created automatically during Lync forest preparation (Enable-CsAdForest).
Solução de Problemas Common Access Issues
”403 Forbidden” When Accessing the Control Panel
- The logged-in user is not a member of any Lync RBAC group. Verify group membership in Active Directory.
- The user’s account has not replicated to the domain controller that the Front End Server is using. Force replication with
repadmin /syncall.
IIS Application Pool Crash
If the CSCP URL returns a 503 error, the IIS application pool may have stopped:
# Check the Lync web services app pool status
Import-Module WebAdministration
Get-WebAppPoolState -Name "LyncIntFeature"
# Restart the app pool
Restart-WebAppPool -Name "LyncIntFeature"Certificate Mismatch Warning
If the browser shows a certificate error, the CSCP URL is not listed in the certificate’s SAN. Update the certificate:
# Request a new certificate with the updated SAN list
Request-CsCertificate -New -Type WebServicesInternal -DomainName "lyncfe01.contoso.com","lyncadmin.contoso.com","lyncweb.contoso.com"Silverlight Requirement (Lync 2010)
The Lync Server 2010 Control Panel required Microsoft Silverlight to be installed in the browser. Lync Server 2013 and Skype for Business Server removed this requirement and use standard HTML5.
Migration Path: Lync to Skype for Business
If you are running Lync Server 2010 or 2013, Microsoft’s recommended upgrade path is to Skype for Business Server 2019 (the final on-premises version). Key changes to the Control Panel:
- The URL path changes from
/cscpto the Skype for Business equivalent, though/cscptypically still works for backward compatibility. - The Control Panel UI is updated with Skype for Business branding.
- PowerShell cmdlets remain largely the same (
Get-CsUser,Set-CsUser, etc.) but are loaded from theSkypeForBusinessmodule. - Skype for Business Server 2019 is the last on-premises version. Microsoft recommends migrating to Microsoft Teams for cloud-based unified communications.
Coexistence During Migration
During a migration from Lync to Skype for Business, both Control Panels will be accessible. Users can be homed on either pool:
# Move a user from Lync pool to Skype for Business pool
Move-CsUser -Identity "sip:jdoe@contoso.com" -Target "sfbpool01.contoso.com" -ForceResumo
Accessing the Lync Server Control Panel is straightforward once you know the correct URL (https://<server>/cscp) or configure a custom Simple URL through Topology Builder. For power users and automation, the Lync Server Management Shell (PowerShell) provides complete administrative capabilities. Make sure your admin accounts are members of the appropriate RBAC groups, keep your certificates updated with the correct SANs, and plan your migration path to Skype for Business Server or Microsoft Teams for long-term support.