Disabled in Active Directory, Enabled in Lync

When you disable a user in AD, it’s important you do it in Lync too!

====
One common workflow that is often missed in the Lync world is what happens when you disable a user in Active Directory, for example when a user has left. The user will remain enabled for Microsoft Lync, and in some situations will still be able to log on to Lync as well:

[Screenshot: Disabled AD User Account can still login to Lync]

In reality you need to build disabling a user for Lync into the process of disabling their Active Directory account. Fortunately it's fairly easy to find out who those disabled users are, and to disable them - so let's have a look at that here.

How Many Are There?
Firstly, you may want to know exactly how many disabled AD users are still enabled for Lync - it's pretty easy to find out using this command:

Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled} | Measure-Object

Note the above may be wrapped in your browser - it should be entered as a single command. The output will show you how many disabled accounts you have - like this:

[Screenshot: 2014-11-03 DisabledAccounts]

So in the system I'm looking at there are 461 accounts - quite a few.

Who are they?
Next, you'll want to know who those accounts are. Again, that's pretty easy to do with PowerShell - like this:

Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | Format-Table Name

This will give a text output of the disabled accounts - if you want, you can push it to a text file by putting >Output.TXT or similar on the end.

How can I disable them for Lync?
Again this is very easy with PowerShell - you can use the command below. Bear in mind this will disable all of those identified users for Lync. All of them! Think about that if, for example, you have some disabled AD accounts that you use for synthetic tests and the like. Anyway, the command is this:

Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled} | Disable-CsUser
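
A more cautious way to run the same bulk disable, as an added example rather than a command from the original post: it uses the same filter, skips an exclusion list (for accounts such as the synthetic test users mentioned above), writes a CSV record of what will change, and does a -WhatIf dry run first. The account names in $exclude and the report path are assumptions - replace them with your own.

```powershell
# Added example (not from the original post). Run in the Lync Server Management Shell.
# Assumption: the exclusion names and the report path below are placeholders.
$exclude    = @('svc-synthetic-test1', 'svc-synthetic-test2')   # hypothetical SamAccountNames
$reportPath = '.\DisabledAD-EnabledLync.csv'

# Same filter as the commands above: disabled in AD, still enabled for Lync.
$candidates = Get-CsAdUser -ResultSize Unlimited |
    Where-Object { $_.UserAccountControl -match 'AccountDisabled' -and $_.Enabled }

# Split into accounts to disable and accounts deliberately left alone.
$toDisable = @($candidates | Where-Object { $exclude -notcontains $_.SamAccountName })
$skipped   = @($candidates | Where-Object { $exclude -contains $_.SamAccountName })

# Keep a record of exactly which accounts are about to be changed.
$toDisable |
    Select-Object Name, SamAccountName, SipAddress |
    Export-Csv -Path $reportPath -NoTypeInformation

Write-Host ("{0} to disable, {1} skipped by exclusion list" -f $toDisable.Count, $skipped.Count)

# Dry run: -WhatIf reports what would be done without changing anything.
$toDisable | Disable-CsUser -WhatIf

# After reviewing the CSV and the dry-run output, run it for real.
# -Confirm prompts for each account; drop it for an unattended run.
# $toDisable | Disable-CsUser -Confirm
```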

Summary
All of the above commands are built in the same way and should be fairly obvious. PowerShell is a fantastic tool for the scaled systems Administrator - how people managed without it I don't know. Well, VBScript I guess? Still a big fan of that for down & dirty quick stuff.


