Category: Skype for Business

  • Renewed Access Edge Certificates Call Connecting

    A very quick one for you today. You may run into an issue where, after renewing the public certificates on your Skype for Business Access Edge Server, you can no longer make calls when connected via the Edge Server (i.e. externally).

    You can call out, the phone will ring, and when the user answers you’ll see ‘Connecting’ and then the call drops.

    If you get this, the simple way to fix this is just to restart the Mediation Server Service on the front-ends associated with the pool.

    Why? Well, I think the reason is down to the A/V authentication service – have a look here:

    Stage AV and OAuth certificates in Skype for Business Server using -Roll in Set-CsCertificate

    In particular, note this bit:

    The A/V Authentication service is responsible for issuing tokens that are used by clients and other A/V consumers. The tokens are generated from attributes on the certificate, and when the certificate expires, loss of connection and requirement to rejoin with a new token generated by the new certificate will result.

    There is also a ‘proper’ way to address this, and this is also outlined in the article:

    A new feature in Skype for Business Server will alleviate this problem – the ability to stage a new certificate in advance of the old one expiring and allowing both certificates to continue to function for a period of time. 

    So you can use this new feature – or you can restart the Mediation Server service, and from what I can tell it achieves the same thing. You can also just wait – it should start working after the tokens time out in 8ish hours.
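    Both remedies as PowerShell, added here as an example rather than taken from the original post. It needs the Skype for Business Server module loaded. The assumptions are mine: that the Mediation Server runs as the Windows service RTCMEDSRV on each Front End that Get-CsPool lists, that the renewed certificate is already in the Edge server’s local machine store, and the overlap period you pick; the thumbprint is a placeholder.

```powershell
# Added example (not the post's code). Assumes the SfB Server module is loaded.

function Restart-PoolMediationService {
    # The post's quick fix: bounce the Mediation service on every Front End in the pool.
    # Assumption: the service short name is RTCMEDSRV.
    param([Parameter(Mandatory)][string] $PoolFqdn)

    $pool = Get-CsPool -Identity $PoolFqdn
    foreach ($fe in $pool.Computers) {
        Write-Host "Restarting RTCMEDSRV on $fe"
        Stop-CsWindowsService  -Name RTCMEDSRV -ComputerName $fe
        Start-CsWindowsService -Name RTCMEDSRV -ComputerName $fe
    }
}

function Invoke-AvAuthCertificateRoll {
    # The 'proper' way from the linked article: stage the renewed A/V Authentication
    # certificate with -Roll so that it takes effect at a chosen future time and the
    # old one keeps working until then. Run this on the Edge server itself.
    param(
        [Parameter(Mandatory)][string] $NewThumbprint,   # placeholder, e.g. 'NEW_CERT_THUMBPRINT'
        [int] $DaysUntilEffective = 1                    # assumed overlap; pick what suits you
    )

    $current = Get-CsCertificate -Type AudioVideoAuthentication
    if (-not $current) { throw "No A/V Authentication certificate is assigned on this server." }

    $effective = (Get-Date).AddDays($DaysUntilEffective)
    if ($effective -ge $current.NotAfter) {
        throw ("Current certificate expires {0}; choose an effective date before that so the two overlap." -f $current.NotAfter)
    }

    Write-Host ("Staging {0} to become effective {1}" -f $NewThumbprint, $effective)
    Set-CsCertificate -Type AudioVideoAuthentication -Thumbprint $NewThumbprint -Roll -EffectiveDate $effective

    # Show what is now assigned so the change can be checked
    Get-CsCertificate -Type AudioVideoAuthentication
}

# Example calls (placeholders):
# Restart-PoolMediationService -PoolFqdn 'pool01.example.local'
# Invoke-AvAuthCertificateRoll -NewThumbprint 'NEW_CERT_THUMBPRINT' -DaysUntilEffective 2
```

    If you go the staging route, do it before the old certificate expires, otherwise there is nothing to overlap with and you are back to the restart (or the 8ish hour wait).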

  • Skype for Business – Cannot Remove Delegate

    Here’s a quick and vaguely interesting one for you. I was recently trying to bulk update some delegates in Skype for Business Server using SefaUtil. As part of that process, I had to remove existing delegates. I was using a command like this:

    Sefautil David.Hasselhoff@KnightIndustries.com /server:FrontEnd.Consoto.local /removedelegate:Pamela.Anderson@KnightIndustries.com 

    Now, whatever I did, could I get Pamela to go? No, no I couldn’t. After scratching my head a few times I tried to find Pamela in Skype for Business – and bingo, I spotted that Pamela no longer existed. She’d been terminated. There’s an easy way to fix this, fortunately. To do it you will need a test user in Skype for Business – so either use an existing test user (you have one, right?), or set up a new AD account and use that.

    What you need to do is set that test user’s SIP address to the same as what the person you’re trying to remove was – so in this instance, Pamela.Anderson@KnightIndustries.com. Set that, and wait a while for everything to update, and then re-run the sefautil command as above. You’ll find Pamela has now been removed.

    You can then go through and remove the Pamela Anderson SIP Address from wherever you put it.
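    The same workaround scripted with Set-CsUser and SEFAUtil, added here as an example and not the post’s own code. It assumes the test account is already Skype for Business enabled, that SEFAUtil.exe is at the path you pass in, and that the wait you give it is long enough for the SIP address change to reach the Front End (the post just says ‘wait a while’). The names are the post’s examples.

```powershell
# Added example (not the post's code). Assumes the SfB Server module is loaded.
function Remove-OrphanedDelegate {
    param(
        [Parameter(Mandatory)][string] $Owner,        # e.g. David.Hasselhoff@KnightIndustries.com
        [Parameter(Mandatory)][string] $DepartedSip,  # e.g. Pamela.Anderson@KnightIndustries.com
        [Parameter(Mandatory)][string] $TestUser,     # your existing SfB test account
        [Parameter(Mandatory)][string] $FrontEnd,     # e.g. FrontEnd.Consoto.local
        [string] $SefaUtilPath = 'C:\Program Files\Skype for Business Server 2015\ResKit\SEFAUtil.exe',  # assumed location
        [int] $ReplicationWaitSeconds = 300           # assumed; 'wait a while' in the post
    )

    $departed = if ($DepartedSip -match '^sip:') { $DepartedSip } else { "sip:$DepartedSip" }

    # Refuse to proceed if a live user still owns that SIP address: then this is not the orphan case
    if (Get-CsUser -Filter "SipAddress -eq `"$departed`"") {
        throw "$departed is still assigned to an enabled user; nothing to repair."
    }

    $test = Get-CsUser -Identity $TestUser
    $originalSip = $test.SipAddress

    try {
        Write-Host "Temporarily giving $TestUser the SIP address $departed"
        Set-CsUser -Identity $TestUser -SipAddress $departed
        Start-Sleep -Seconds $ReplicationWaitSeconds

        # Same SEFAUtil call as in the post; the delegate is passed without the sip: prefix
        $sefaArgs = @($Owner, "/server:$FrontEnd", "/removedelegate:$($departed -replace '^sip:', '')")
        Write-Host "$SefaUtilPath $($sefaArgs -join ' ')"
        & $SefaUtilPath @sefaArgs
    }
    finally {
        # Always hand the test user its own SIP address back, even if SEFAUtil failed
        Set-CsUser -Identity $TestUser -SipAddress $originalSip
    }
}

# Example call using the post's names:
# Remove-OrphanedDelegate -Owner 'David.Hasselhoff@KnightIndustries.com' `
#     -DepartedSip 'Pamela.Anderson@KnightIndustries.com' `
#     -TestUser 'sip:testuser@KnightIndustries.com' -FrontEnd 'FrontEnd.Consoto.local'
```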

    Simple way to fix something I thought I’d have to be diving in to SQL to resolve. Sometimes, lateral thinking things through to a simple conclusion is far easier.

  • Prerequisite installation failed: RewriteModule

    Well – it’s been a while hasn’t it? I don’t really blog much any more. Or rather I seem to have switched to YouTube. Anyway, I’ve been recently configuring some Skype for Business Server 2015 units running on Windows Server 2016, and during the ‘Setup Skype for Business Server Components’ part it keeps failing with a ‘Prerequisite installation failed: RewriteModule’.

    It’s fair to say it was getting a bit irritating. Anyway, after a fair bit of digging it seems to be the value of this key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp\MajorVersion

    Any number above 7 seems to kill the installation. The pragmatic solution? Set it to 7 – do the installation – and then set it back to what it was. In my case it was 10 (hex).

    Hope that helps somebody out there!

  • Duplicating Skype for Business Policies

    I’ve had this little tip kicking around in my archives for a little while – and it’s quite a handy one. As far as I know there’s no ‘official’ way of duplicating policies in Skype for Business. For example, you may want to copy the settings from one client or voice policy to another.

    It’s fairly easy to do with an XML export/import process, fortunately.

    By way of example, let’s say I have a client policy called ‘LondonSite1’, and it’s got a ton of configurations in it. I then want to create another site policy for ‘LondonSite2’ that has the same settings, bar a couple of modifications.

    Simple way is to export LondonSite1, modify the XML, and then import into LondonSite2. Here’s how:

    Export the LondonSite1 Policy

    Get-CsClientPolicy -Identity LondonSite1 | Export-Clixml -Path LondonSite1.xml

    Edit the XML

    Open up the XML in notepad, and look for this line:

    London Site 1 Example

    The important bit is the Identity – the Tag will be whatever your policy name is. Anyway, change the name Tag:policyName to your new policy name. In my example:

    London Site 2 Example

    Create the New Policy

    We need to have the new policy available to import to. So create the new policy with:

    New-CsClientPolicy -Identity LondonSite2

    You may already have done this of course.

    Import the Settings

    Now, we’re going to feed the XML settings to Set-CsClientPolicy with:

    Import-Clixml -Path LondonSite1.xml | Set-CsClientPolicy

    As we have modified the ‘Identity’ to the new policy it will import the settings to that policy.

    Works with most policies I’ve tried it with, including the Voice Policies.
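    The export, edit and import steps wrapped into one function, added here as an example (not the post’s code). It generalises the post’s client policy case to any Get-Cs*/New-Cs*/Set-Cs* policy family, and it assumes, as the post describes, that the exported Identity is the literal string ‘Tag:<PolicyName>’. The policy names are the post’s.

```powershell
# Added example (not the post's code). Assumes the SfB Server module is loaded.
function Copy-CsPolicySettings {
    param(
        [Parameter(Mandatory)][string] $PolicyType,   # e.g. ClientPolicy, VoicePolicy
        [Parameter(Mandatory)][string] $SourceName,   # e.g. LondonSite1
        [Parameter(Mandatory)][string] $TargetName,   # e.g. LondonSite2
        [string] $WorkDir = $PWD                      # where the XML files are written
    )

    $getCmd = "Get-Cs$PolicyType"
    $newCmd = "New-Cs$PolicyType"
    $setCmd = "Set-Cs$PolicyType"
    foreach ($c in $getCmd, $newCmd, $setCmd) {
        if (-not (Get-Command $c -ErrorAction SilentlyContinue)) {
            throw "Cmdlet $c not found - is the Skype for Business module loaded?"
        }
    }

    # 1. Export the source policy to CLIXML, as in the post.
    $xmlPath = Join-Path $WorkDir "$SourceName.xml"
    & $getCmd -Identity $SourceName | Export-Clixml -Path $xmlPath

    # 2. Rewrite the Identity. Only the exact 'Tag:<name>' string is replaced; if another
    #    policy name starts with the same text (LondonSite1 vs LondonSite10) check the file.
    $raw = Get-Content -Path $xmlPath -Raw
    $sourceTag = "Tag:$SourceName"
    $targetTag = "Tag:$TargetName"
    if ($raw -notmatch [regex]::Escape($sourceTag)) {
        throw "Expected '$sourceTag' in $xmlPath but did not find it; check the export."
    }
    $newXmlPath = Join-Path $WorkDir "$TargetName.xml"
    Set-Content -Path $newXmlPath -Value $raw.Replace($sourceTag, $targetTag)

    # 3. Create the target policy if it does not exist yet.
    if (-not (& $getCmd -Identity $TargetName -ErrorAction SilentlyContinue)) {
        & $newCmd -Identity $TargetName | Out-Null
    }

    # 4. Import the edited settings into the target, as in the post.
    Import-Clixml -Path $newXmlPath | & $setCmd
}

# Example call with the post's names:
# Copy-CsPolicySettings -PolicyType ClientPolicy -SourceName LondonSite1 -TargetName LondonSite2
```

    Run it once with a client policy and compare the two with Get-CsClientPolicy before trusting it with anything else; the post’s note that it works with ‘most’ policies is exactly that.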

    There may be better ways of achieving this – if there are, I’m all ears. 

  • Skype for Business inbound Ringtone

    I ran into an interesting problem a few weeks ago regarding callers into a Skype for Business platform. Some users were not getting the ‘ring ring’ when dialling in, i.e. the ringtone, or ringback as it’s often called.

    What made it harder to locate was that it wasn’t all users, and it wasn’t all of the time, i.e. it seemed random across a user DDI range, and for different callers. It took a lot of logging and reading.

    Here’s the thing. I never did spot a real instance of it actually happening. If you can’t see an event how do you trace it? 

    By a complete fluke I was using my Skype consumer client – and I was logged in to my Australian account, rather than my normal day to day. Guess what – no ringback tone. The experience is dial – hear nothing for a while – person answers.

    This was predictable and reproducible. I also found the issue dialling in from the US.

    This explains the randomness of the event, and made me feel happier about my log-reading skills. 

    So, the scenario is a SIP trunk terminating on a Sonus SBC, and a SIP trunk from the Sonus SBC to a Skype for Business mediation server.

    Investigating a failed call and one that worked however yielded exactly the same call behaviour. You see the 100 trying, the 183 with SDP…and the SIP conversation happens exactly the same way. So it can’t be our end then, right?

    So off to the carrier I go with a list of stuff that isn’t happening. They’re still investigating. 

    In the meantime, there is a way to force ringback on the carrier – i.e. make sure the carrier is providing it. It’s fixed the issue for us in that all users now always get the ringtone/ringback or whatever you want to call it. So I thought I’d share how to do it – some people may find it useful.

    Essentially we’re going to change the 183/SDP messages to the carrier to 180 Ringing. You can see the full list of SIP response codes here.

    So, how do we do it? Well, the Sonus can apply message translation rules to routes – so you can change one SIP message to another for incoming calls. In our case, we’re going to change 183s to 180.

    Let’s have a look at how this was done.

    The first thing we’re going to do, is to define the translation in the ‘Telephony Mapping Tables’. You get to this in the ‘Settings’ part of the Sonus configuration:

    TMR

    Expand the ‘Message Translations’ section and add in a translation. In my configuration, the translation looks like this:

    MTR

    The important bit is the incoming message type, and the outgoing message type. We’re going to convert 183 Session Progress to 180 Ringing.

    Once you have set up the translation, you need to find your incoming route.

    Incoming Route

    We have multiple SIP trunks on this one, from two different providers. Select the one from your provider, and edit it. In there you’ll see the option to select your message translation.

    Edit Routes

    Once you apply it, you should see a change in behaviour on the inbound calls. An example from before the change is shown below – you’ll see the 183 conversation.

    Call with 183

    After you implement the change, you’ll see we send the 180 Ringing. This is causing the service provider to deliver the ringback to the calling party.

    Call with 180

    Now it could be that the service provider will nail why they’re having this behaviour when being called from certain countries – at which point I can take this configuration off.

    If you’re having issues with no ringback however, this brute force approach to asking your provider to deliver may give you a solution.

  • Unified Communications – Why so hard?

    Quite a while ago I wrote an article on why I like working in the Unified Communications field – you can see it here:

    Why UC?

    It was an interesting conversation at the time going through the reasons that the technology kept me interested. There is also of course a flip side to this – why is deploying a Unified Communications platform so hard? Or rather, why do so many organisations deploy UC platforms and have trouble with the process?

    It’s an interesting question, and one with many answers. In my working life I typically get involved with two types of organisations and deployments, with these being:

    • Organisations who want to deploy the technology, but are not quite sure how to approach as it’s not really in their internal skill set.
    • Organisations that give the technology to existing technology teams and ask them to get on with it.

    (Obviously there are many other scenarios, usually somewhere between the two mentioned above).

    In effect, you’re either there at the start, or engaged later to pick up the pieces. From a technology perspective, you can understand why organisations take both of these approaches. Some are either a little more risk averse, or simply don’t have the internal time bandwidth for such projects – this tends to be the key feeder for the first scenario in my experience. The second scenario has a more varied set of drivers – the more common one is where an organisation does have a great internal team, and that team is keen to get involved in the newer technologies.

    So why is deploying Unified Communications technologies so hard…? Ask that question of 20 people in the field and you’ll likely get at least 27 different answers. For me, the answers seem to be different depending on who is actually answering the question. Technology-type people see it as a learning curve – and an enjoyable one, for much the reasons I highlighted in my article Why UC? The problem with this approach is that while the needs of the technical teams are being met, the needs of the users are not. You’re deploying front-line tools, often using people who are learning on the way.

    Deploying UC stuff requires an understanding of the technology at a far deeper level than a lot of other user-facing platforms. Let me put it another way – when deploying stuff like Exchange the platform can be a bit more tolerant of configuration issues than a lot of UC platforms. This tolerance is not really a technical one, it’s more around the impact on the users. Get Exchange not quite right and you’ll have some annoyances and feedback from the users about those issues, but in general the platform will operate.

    Get a UC platform wrong (i.e. telephony etc.) and my, you’ll be in a world of hurt as those users make their frustrations known to you.

    I think the ‘why so hard’ question is an interesting one, and it’s not one specifically answered by the technology itself. The real reason it’s so hard to deploy well lies in some of the reasons to deploy the technology in the first place: enabling a user to change how they work.

    That may take some explanation. You want to give your workforce modern and enabling tools to get their job done, get it done well, and to, well, enable them to be more successful. The way you do that is to implement technologies that enable them to change the way they work. The problem with this, of course, is that if you give them tools that ‘don’t quite work’ you’re not enabling them, you’re putting them at a disadvantage. The next thing you know you’ve got unhappy users who, for whatever reason, can’t get their screen sharing or their conference calls (for example) working.

    Some of the elements of UC platforms that make it great for working on, can also make it difficult to deploy, and to deploy well. Getting the tools out to the users in a way that’s functional, and works well every single time, is absolutely key to a great deployment. A deployment that your user estate will genuinely thank you for deploying. How often does that happen? Going back to the two scenarios I mentioned earlier:

    • Organisations who want to deploy the technology, but are not quite sure how to approach as it’s not really in their internal skill set.
    • Organisations that give the technology to existing technology teams and ask them to get on with it.

    Using the above scenarios, typically I’ll see that one line of engagement results in a positive experience where the users are effectively brought on the journey of the new ways of working. The other one often involves climbing a mountain, as the users’ perception of the platform is already tainted.

    UC stuff can be challenging to deploy. Making it work across multiple devices, from anywhere, and in a consistent and repeatable manner requires attention to detail on how platforms are designed to operate. It requires experience – experience such as knowing which certificate providers can cause you issues with other organisations, or experience in providing media quality over congested networks, for example. Getting input from people that do this as their day job can only be a good thing in my opinion.

    Having to work back through existing deployments that ‘don’t quite work as expected’ is probably around a third of my day job. What’s interesting is that it’s always similar problems you see on such sites – similar ones that could be avoided. What kind of things? Well, misunderstanding how cores work on Lync/Skype is quite a common one. Firewall rules are another. As is not really understanding the roles of QoS and Admission Control. The most common? Probably certificate misconfigurations.

    I’ll finish up by saying that user experience is absolutely at the centre of UC deployments. Lose the users early on, you’ll have an uphill battle on your hands. How do you ensure consistency of the user experience? My best advice would be to have resources at hand who have been there, and understand the underlying technology you’re working on, whether that be Cisco/Microsoft etc.

    Get it right, and your users will love you for it.

  • Access Edge Static Routes

    An age ago I wrote about dual-homing Windows servers, and what you need to do with static routing:

    It’s interesting that even today I still run in to sites that have issues due to incorrectly configured routing on their Access Edge units. The Edge server plays an important role in Lync & Skype for Business – and not just always for the obvious stuff like remote access and federation. It also can get involved in media calls for internal subnets.

    Jeff Schertz has a great article explaining why, linked below. Rather than me make a hash of it, have a read, it’s good stuff:

    Lync Edge STUN versus TURN

    In certain scenarios your internal clients will need to talk to your Access Edge for media – for example if peer to peer communication isn’t possible.

    This brings me on to the point of static routes on the Access Edge – they’re very important! Get them wrong and some subnets may not be able to communicate with the Access Edge, and that’ll lead to all kinds of issues. Of course the obvious ones like remote access etc., but also – more confusingly – ones like not being able to make a VoIP call between two clients.

    Hopefully your internal network only uses RFC1918 compliant addresses – that is your internal networks are on:

    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16

    I usually define static routes on the internal interface for all of the private ranges. It’s easy to do with the following commands:

    netsh interface ipv4 add route 10.0.0.0/8 "InternalNW" 10.100.0.1

    netsh interface ipv4 add route 172.16.0.0/12 "InternalNW" 10.100.0.1

    netsh interface ipv4 add route 192.168.0.0/16 "InternalNW" 10.100.0.1

    You need to replace ‘InternalNW’ with the name of your internal NIC, and of course 10.100.0.1 with your internal next hop gateway, but it’s pretty straightforward.

    The subnet mask is particularly important – a few sites I’ve seen configure 172.16.0.0 in the wrong way – they’ll use the wrong subnet mask, such as 172.16.0.0/255.255.0.0 (172.16.0.0/16)…which is of course wrong, and will miss out a chunk of the private range.
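    A quick check for exactly that mistake, added here as an example (not the post’s code): give it the route prefixes on the internal NIC and it reports whether each RFC 1918 block is fully covered, flags routes that sit inside a block but are too specific (the 172.16.0.0/16 case), and prints the netsh command from the post for any gap. The default route is deliberately ignored, since on an Edge it points at the external gateway. The interface name and next hop are the post’s placeholders; the sample route list is constructed.

```powershell
# Added example (not the post's code). Pure PowerShell, no SfB module needed.

function ConvertTo-IPv4Int {
    # Dotted IPv4 address -> 64-bit integer (Int64 avoids PowerShell's signed 32-bit hex literals)
    param([Parameter(Mandatory)][string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
}

function ConvertTo-PrefixInfo {
    # 'a.b.c.d/n' -> object with the network number, prefix length and mask
    param([Parameter(Mandatory)][string] $Cidr)
    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2) { throw "Not in CIDR form: $Cidr" }
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in $Cidr" }
    $full = [long]4294967295                                   # 0xFFFFFFFF
    $mask = ($full -shl (32 - $prefix)) -band $full
    [pscustomobject]@{
        Cidr    = $Cidr
        Network = (ConvertTo-IPv4Int $parts[0]) -band $mask
        Prefix  = $prefix
        Mask    = $mask
    }
}

function Test-Rfc1918RouteCoverage {
    param(
        [Parameter(Mandatory)][string[]] $RoutePrefixes,   # e.g. (Get-NetRoute ...).DestinationPrefix
        [string] $InterfaceName = 'InternalNW',            # the post's placeholder NIC name
        [string] $NextHop       = '10.100.0.1'             # the post's placeholder gateway
    )
    # The default route does not count as 'covering' anything: on an Edge it is the external path.
    $routes = $RoutePrefixes | Where-Object { $_ -ne '0.0.0.0/0' } | ForEach-Object { ConvertTo-PrefixInfo $_ }

    foreach ($blockCidr in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        $block = ConvertTo-PrefixInfo $blockCidr

        # A route covers the block when it is no more specific than the block and contains its network
        $covering = $routes | Where-Object {
            $_.Prefix -le $block.Prefix -and (($block.Network -band $_.Mask) -eq $_.Network)
        }
        # Routes inside the block but more specific than it only cover part of it (e.g. 172.16.0.0/16)
        $partial = $routes | Where-Object {
            $_.Prefix -gt $block.Prefix -and (($_.Network -band $block.Mask) -eq $block.Network)
        }

        $fix = ''
        if (-not $covering) { $fix = "netsh interface ipv4 add route $blockCidr `"$InterfaceName`" $NextHop" }

        [pscustomobject]@{
            Block       = $blockCidr
            Covered     = [bool]$covering
            CoveredBy   = ($covering | ForEach-Object Cidr) -join ','
            TooSpecific = ($partial  | ForEach-Object Cidr) -join ','
            FixCommand  = $fix
        }
    }
}

# Constructed sample: the 172.16.0.0 route carries the /16 mistake the post warns about,
# so the output shows 10/8 and 192.168/16 covered and a fix command for 172.16/12.
$sampleRoutes = '0.0.0.0/0', '10.0.0.0/8', '172.16.0.0/16', '192.168.0.0/16'
Test-Rfc1918RouteCoverage -RoutePrefixes $sampleRoutes | Format-Table -AutoSize
```

    On a real Edge, feed it the internal NIC’s routes instead of the sample: Test-Rfc1918RouteCoverage -RoutePrefixes (Get-NetRoute -AddressFamily IPv4 -InterfaceAlias 'InternalNW').DestinationPrefix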

    Anyway, that’s my random musing for the day.

  • Maximum Network MOS Scores Per Codec

    Placeholder: Not interesting!

  • Protocol Workloads – Skype for Business

    Skype & Lync Server can look very confusing from a protocol and message flow perspective. What connects where, how, what protocol etc. It’s not as complex as you’d imagine – but I would say that as I’m doing this every day.

    Anyway, there’s a great protocol workflow diagram here that shows all the major protocols and flows:

    Skype for Business 2015 Protocol Workloads Poster

    I’ve downloaded the current one, and uploaded here, should the link change in the future.

    From a what goes where perspective, there’s peer to peer and central MCU brokered traffic to think about. I.e. Does the workload go direct client to client, or does all of the traffic go to a central bridge and then out to the clients. The following summarises the protocol flows:

    Where a workload can do both – I.e. Peer to peer or via the central MCU – is typically down to escalation. Take audio for example, that will for the most part go peer to peer (Well, there’s some other scenarios here including the process of STUN/TURN, but this is a quick summary)…..Until you drag in a third party and it becomes a three way audio call. At this point the call escalates from peer to peer to the MCU. Once you’ve gone to the MCU a media session will not go back to peer to peer.

    Other workloads like the Whiteboard/Polls/PowerPoint streaming will always go via the central bridge.

    *EDITED to add there’s another more general set of diagrams and descriptions at the following location:

    Technical diagrams for Skype for Business Server 2015

    *EDITED to add – Jeff Schertz has a more in-depth article on the subject here:

    Understanding Lync Modalities

  • We don’t want Office Web Apps

    It is perfectly possible to implement a Lync 2013 or Skype for Business 2015 platform without implementing Office Web Apps – after all, Web Apps is just used for streaming PowerPoint slides, right?

    Well, yes, it is – but there are some other things to consider, mainly around how you control the user experience.

    What Changed?

    There are major differences between how PowerPoint slide decks are presented in Lync 2010 and Lync 2013 – and understanding those differences is key when assessing the requirement for Web Apps. In summary, Lync 2010 shares PowerPoint data in-client, whereas Lync 2013/Skype for Business requires an Office Web Apps Server to achieve similar, but far superior, functionality.

    In Lync Server 2010, PowerPoint presentations are viewed in one of two ways:

    • For users who run Lync 2010, PowerPoint presentations are displayed by using the PowerPoint 97-2003 format and they are viewed by using an embedded copy of the PowerPoint viewer. 
    • For users who run Lync Web App, PowerPoint presentations are converted to dynamic HTML files then viewed by using a combination of the customised DHTML files and Silverlight.

    This model did have some limitations, namely:

    • The embedded PowerPoint Viewer (which provided a more optimal viewing experience) is available only on the Windows platform.
    • Many mobile devices (including some of the more popular mobile telephones) do not support Silverlight.
    • Neither the PowerPoint Viewer nor the DHTML/Silverlight approach supports all the features (including slide transitions and embedded video) found in the more recent editions of PowerPoint.

    To improve the overall experience of anyone who presents or views PowerPoint presentations, Lync Server 2013 or Skype for Business uses Office Web Apps Server to handle PowerPoint presentations. This is a better model, in that it offers:

    • Higher-resolution displays and better support for PowerPoint capabilities such as animations, slide transitions, and embedded video.
    • Additional mobile devices can access these presentations. That’s because Lync Server 2013 uses standard DHTML and JavaScript to broadcast PowerPoint presentations instead of customized DHTML and Silverlight.
    • Users who have appropriate privileges can scroll through a PowerPoint presentation independent of the presentation itself. For example, while David is presenting his slide show, Karen can scroll through and view any slide she wishes, all without affecting David’s presentation.

    User Experience – It’s Important

    It is important to understand the user experience of having an Office Web Apps server in the architecture. To explain, the following screenshot shows the sharing options of a fully enabled client with an Office Web Apps Server present:

    Web Apps Present

    In the above screenshot, you can see the sharing options for Desktop, Program, PowerPoint, Whiteboard and Polls. This enablement is driven by the conferencing policy assigned to individual users. Selecting the PowerPoint presentation then uploads the presentation to the Lync Data share, and this is then streamed via the Office Web Applications Server.

    With architectures that do not have an Office Web Applications server available to them, users can share PowerPoint presentations using desktop and application sharing – marked out in the screen shot below – they cannot use the ‘PowerPoint’ button. This is different to the Lync 2010 client experience.

    The challenge with the user experience for architectures without an Office Web Apps server is configuring the policy to allow Desktop & Program Sharing, Whiteboard and Polls and removing the PowerPoint button – this is not currently possible.

    The reason for this is that PowerPoint, Whiteboard and Polls are part of the Data Collaboration Policy, whereas Desktop/Program sharing are part of the Application sharing policy.

    Disabling the data collaboration for a user disables the following functions:

    • Office Web Applications PowerPoint uploads
    • Whiteboards
    • Polls

    There is no granular control to just turn off the PowerPoint option. Turning off data collaboration disables all the above functions.

    Summary

    So, yes, you can implement a platform without Office Web Apps, but you just need to consider the other functions that it impacts when you turn it off by policy.

    The thing is, if the server role is just for a Skype for Business or Lync platform, you do not need Web Apps server or CALs…All you need to cover is the operating system to stand up the Web Apps platform, so it’s not particularly heavy duty.

    Anyways, I get asked this a lot, so I thought I’d provide some background.

  • Bulk Enabling Skype for Business Users

    I’ve been tidying up some of the scripts I use during deployments, so I thought I’d share some of them. This one that I’m about to go through does the following:

    • Takes a CSV of users
    • Enables them for Skype for Business or Lync 2013 (if they’re not enabled already)
    • Applies the conferencing policy
    • Applies the client policy
    • Applies the remote access policy

    These are the most common things you’ll see when working with users in bulk. The script can be modified to apply anything really – if you’re familiar with PowerShell, it’s fairly easy to read.

    Anyway, let’s look at the script. Firstly, you can download it below:

    SkypeEnable Very out of date, so I have removed it.

    Script Pre-Reqs

    You must have the Lync PowerShell modules installed on the machine you’re running this on – simplest way is to use the scripts on your Front End server(s).

    Script Modifications for your Environment

    You need to modify a couple of items to make it apply to your environment. These items are:

    #Update these variables appropriately

    $DefaultPool=”LyncPool.ds.co.uk”

    $LogFile=”.\EnableLOG.txt”

    $UserCSV=”.\EnableUsers.csv”

    They should be pretty obvious.

    • Default Pool: If the CSV doesn’t include a pool reference, then it will default to whatever you set this variable to.
    • Log File: Where do you want the log file to be written to?
    • UserCSV: This is the CSV containing the users you want to work on.

    Source File Requirements

    The script uses a CSV file containing the relevant info for the users that you wish to touch. The minimum data in the CSV is shown below:

    Data for import

    At a minimum, all you need in the CSV is the mail address of the user you want to touch. I pretty much always use the mail address, as it’s usually unique in the organisation.

    There are other fields you can include too – shown below:

    All Fields

    The other fields that the script uses are:

    • RegistrarPool – the target pool that you wish to enable the users on.
    • SipAddress – what sip Address do you want to use? You can include the sip: prefix if you want – the script checks for its presence, and adds it if needs be.
    • ConferencingPolicy – what conferencing policy to apply.
    • ClientPolicy – which client policy to apply.
    • ExternalAccessPolicy – which external access policy to apply.

    Note that if any of these fields are empty or blank, the following logic applies:

    • RegistrarPool Missing/Blank – use the default one defined in the variable I detailed above.
    • Sip Address Missing – use the Email address.
    • Conferencing/Client or External Access Policy missing then don’t touch those policy settings.

    Pretty simple really. If the file has extra columns – say you’ve done an AD Export for example – then they will be ignored. Only the above fields will be used.
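    Since the original SkypeEnable.ps1 has been pulled, here is a reconstruction of the behaviour described above, added as an example and not the author’s script. It uses the public Enable-CsUser and Grant-Cs*Policy cmdlets and needs the Skype for Business Server (or Lync Server 2013) module. The variable names, file names and the RegistrarPool/SipAddress/ConferencingPolicy/ClientPolicy/ExternalAccessPolicy column names follow the post; the ‘Mail’ column name, the Get-CsAdUser lookup and the columns written to UserCheck.csv are my assumptions.

```powershell
# Added example (not the post's SkypeEnable.ps1). Assumes the SfB Server module is loaded.

#Update these variables appropriately
$DefaultPool = "LyncPool.ds.co.uk"
$LogFile     = ".\EnableLOG.txt"
$UserCSV     = ".\EnableUsers.csv"
$CheckCSV    = ".\UserCheck.csv"

function Write-Log {
    # Echo to screen and append to the log, including the commands being run
    param([string] $Message)
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Write-Host $line
    Add-Content -Path $LogFile -Value $line
}

function Get-CsvValue {
    # $null for a missing column or a blank cell, so callers can apply the defaults the post lists
    param($Row, [string] $Column)
    $value = $Row.$Column
    if ([string]::IsNullOrWhiteSpace($value)) { return $null }
    return $value.Trim()
}

function Resolve-SipAddress {
    # SIP address from the CSV if given, otherwise the mail address; sip: prefix added when missing
    param([string] $Sip, [string] $Mail)
    $value = if ($Sip) { $Sip } else { $Mail }
    if ($value -notmatch '^sip:') { $value = "sip:$value" }
    return $value.ToLower()
}

# CSV column -> cmdlet that applies it
$policyCmdlets = [ordered]@{
    ConferencingPolicy   = 'Grant-CsConferencingPolicy'
    ClientPolicy         = 'Grant-CsClientPolicy'
    ExternalAccessPolicy = 'Grant-CsExternalAccessPolicy'
}
$touched = @()

foreach ($row in Import-Csv -Path $UserCSV) {
    $mail = Get-CsvValue $row 'Mail'                       # assumed column name
    if (-not $mail) { Write-Log "Skipping a row with no mail address"; continue }

    $pool = Get-CsvValue $row 'RegistrarPool'
    if (-not $pool) { $pool = $DefaultPool }
    $sip = Resolve-SipAddress (Get-CsvValue $row 'SipAddress') $mail

    # Look the user up by mail address so not-yet-enabled users are found too
    $adUser = @(Get-CsAdUser -Filter "WindowsEmailAddress -eq `"$mail`"")
    if ($adUser.Count -ne 1) { Write-Log "Found $($adUser.Count) AD users for $mail; skipping"; continue }
    $adUser = $adUser[0]

    if ($adUser.Enabled -ne $true) {
        Write-Log "Enable-CsUser -Identity $($adUser.UserPrincipalName) -RegistrarPool $pool -SipAddress $sip"
        Enable-CsUser -Identity $adUser.UserPrincipalName -RegistrarPool $pool -SipAddress $sip
    } else {
        Write-Log "$mail is already enabled; pool and SIP address left unchanged"
        $sip = $adUser.SipAddress
    }

    # Blank policy columns mean 'don't touch', as the post describes
    foreach ($entry in $policyCmdlets.GetEnumerator()) {
        $policyName = Get-CsvValue $row $entry.Key
        if ($policyName) {
            Write-Log "$($entry.Value) -Identity $sip -PolicyName $policyName"
            & $entry.Value -Identity $sip -PolicyName $policyName
        }
    }
    $touched += $sip
}

# Check file: the users we touched with the policies now assigned to them
$touched | ForEach-Object { Get-CsUser -Identity $_ } |
    Select-Object DisplayName, SipAddress, RegistrarPool, ConferencingPolicy, ClientPolicy, ExternalAccessPolicy |
    Export-Csv -Path $CheckCSV -NoTypeInformation
Write-Log "Finished. Log: $LogFile  Check file: $CheckCSV"
```

    Try it on a CSV with one test user first and compare UserCheck.csv against what you asked for before pointing it at a whole department.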

    Executing the Scripts

    This is very simple. From an elevated PowerShell environment just execute the SkypeEnable.ps1 script with:

    .\SkypeEnable.ps1

    Note you must have set-executionpolicy unrestricted otherwise the script won’t run.

    The start directory where my scripts are looks like this. You can see the PowerShell script, and my CSV file ‘EnableUsers.CSV’.

    Start Directory

    Running the script results in this output:

    Script Execution

     It even tells you the files & logs to check.

    Script Output

    The script outputs a couple of check files for you to look at so you can make sure everything has gone as expected. I’ve used ‘EnableLog.txt’ for the main log file. In addition, a CSV called ‘UserCheck.CSV’ is also output. Let’s look at each – starting with EnableLog.TXT. This looks like this. The script tells you what it’s doing, and even shows you the PowerShell commands it’s using.

    The UserCheck.CSV contains a CSV export of the users we’ve touched, and includes their relevant policies. For example, have a look here. The CSV file will enable you to check against your original requirements and make sure stuff has applied properly:

    Check

    Can I use the script for anything else?

    Well, yes. If users are already enabled for Skype for Business/Lync, you can still specify Conferencing, Client or External Access policies. The script will then apply those policies to those users.

    Summary

    PowerShell is brilliant at automating common and bulk tasks, it absolutely makes sense to use it. To be fair, I may have over-complicated this script & process – sometimes simpler is easier – however the script process itself can be pretty useful for developing your own stuff. So I hope you find it useful.

    You can see a video run through below.

  • Skype for Business High Availability – Pool Pairing

    High availability and Disaster Recovery in Skype for Business/Lync 2013 is a beautiful thing. Providing always on services, as well as great recovery provisions for DR is core to the product. Looking at it though, you could perceive it requiring a whole heap of hardware and licensing – not the case really. A common misconception is around the pool pairing types. Let’s have a look at that. 

    Before we do however, let’s just qualify some terms for the purposes of this blog:

    High Availability

    For a service to be HA, it automatically survives a failure in the topology, and recovers, without administrative input.

    Disaster Recovery

    For DR, Administrative input is required to ‘push’ services/users to a DR site.

    Others have different definitions of the above, but this will do for the purposes of this blog.

    Firstly, for both HA and DR, don’t be quick to dismiss the Standard Edition of the product. It provides great high availability for voice, and easy to implement/low cost DR. Have a read of this to explain why:

    In praise of Lync Standard Edition

    Things seem to get expensive when you want to pair an Enterprise Pool for high availability. Consider the pool pairing requirements from this article:

    Front End pool disaster recovery in Skype for Business Server 2015

    In particular, note the requirements on the pool pairing:

    Pool Pairing

    As a quick side note, have a look at the RTO & RPO for the failover:

    RTO & RPO

    Great RTO and RPO, right? But wait – this is measured on 40 *thousand* active users, with 200 *thousand* enabled users. So, there’s that….

    Anyway, back to HA/DR. So let’s say for example you implement an Enterprise Edition pool as you want High Availability in your primary pool, and you also want to provision Disaster Recovery for the same pool. The configuration I often see proposed is similar to this (click on the image for a larger view):

    Example Structure

    So we put three front end servers in the primary pool, and have an SQL server for the databases. We also have the DR pool of three front end servers, and the associated SQL services at that site. Let’s say you have 3.5k users for example – that’s a lot of server instances and Skype for Business Server 2015 licenses, isn’t it? With that model, let’s assume:

    Primary DC (Active)

    • 2 x SQL Servers
      • 2 x OS, 2 x SQL
    • 3 x Front End Servers
      • 3 x Skype for Business Server 2015 licenses
    • Hardware Load Balancer for Web Services

    Secondary DC (Passive)

    • 1 SQL Server
      • 1 x OS, 1 x SQL
    • 3 x Front End Servers
      • 3 x Skype for Business Server 2015 licenses
    • Hardware Load Balancer for Web Services

    With three servers in the pool you’ll need to load balance the web services between the pool servers as well, usually using a Hardware Load Balancer of some sort.

    In this setup you have done the correct thing according to the supportability rules. Enterprise Pool with Enterprise Pool, virtual to virtual or physical to physical (no virtual to physical pairing), and you’ve used the same OS across the platforms.

    Here’s the thing though – why do you need three Front End Servers in the secondary/passive data centre? Look at the rules – where does it state you need the same number of Front End servers? The answer is – it doesn’t. You can have a different number of Front End servers in the paired pools.

    All of a sudden, that architecture is looking smaller. Consider this:

    Example Structure

    In this model, you’d need:

    Primary DC (Active)

    • 2 x SQL Servers
      • 2 x OS, 2 x SQL
    • 3 x Front End Servers
      • 3 x Skype for Business Server 2015 licenses
    • Hardware Load Balancer for Web Services

    Secondary DC (Passive)

    • 1 SQL Server
      • 1 x OS, 1 x SQL
    • 1 x Front End Servers
      • 1 x Skype for Business Server 2015 licenses

    You’ve immediately cut out an extra two servers, and the associated licensing, as well as the requirement for hardware load balancing in the secondary site. This works, and is supported. It’s a good model for when you want to provide HA & DR for users, without having to put a lot of infrastructure in the secondary DC.

    Of course this model only really suits an Active/Passive setup where you have users being provisioned from the primary DC, and the secondary DC is only used in a failover scenario. If you wanted Active/Active (which is a very credible option), then you’d really need to provide HA in both DCs and provision enough resources for each DC to carry 100% of the load.

    I haven’t included Office Web Apps in the above, however that’s another consideration. You may put a couple of them in the Active DC load balanced – but why would you want multiple in DR? In fact, there’s a question of whether you need them in DR anyway unless you consider it a critical function.

    Anyway, the point of this blog is really just to show that there’s a lot of flexibility in Lync/Skype for Business in terms of HA/DR – put some thought in to it, you’ll find it’s not as difficult/expensive as you’d imagine.

  • Deleting the Skype for Business Address Books

    Quite a while ago I wrote a small VBScript that deletes all of the GalContacts (Skype for Business local Address Books) for you. It’s handy when testing things such as putting new normalisation rules on your Lync or Skype for Business Servers. Combine it with the ability to zero the download delay using the GalDownloadInitialDelay registry setting and it just makes your life a little bit easier. Initial article was here:

    Automatically Deleting the Lync Address Books

    Anyways, a few people now have asked me to update the script from VBScript to PowerShell – because the whole world is going PowerShell (and quite rightly, too!). Anyway, I have updated it, and you can download it here:

    DelContacts Removed as very out of date.

    So what does the script do? It’s quite simple – all it does is scan your own profile for any GalContacts.* files and delete them. You can then use the Lync/Skype client to download new ones.

    It even logs the output of what it’s doing.

    Anyways, scripts like this, while they may not do an awful lot (but they do make your life slightly easier), are a great way to learn PowerShell. In here you’ll see how I’ve done some logging, called some DOS commands, the whole lot. Sure there’ll be other/better ways of achieving the same thing, there always are.

    Do you need to change anything in the script?

    Line 9 contains the path to the log file you wish to use for the script, so you need to change that to your preferred destination. Mine is usually on the desktop – but you can set it anywhere you have write access to:

    # Set LogPath to the place you want the log files to go

    $LogPath="c:\DelContacts\DelContacts.TXT"

    How do you run the script?

    Start PowerShell, go in to the directory you have the script in, and use this command:

    .\DelContacts.ps1

    Bear in mind you will need to have set the execution policy (Set-ExecutionPolicy) appropriately to allow the script to run.

    Log File Output

    The log file will tell you what it has done – example output below.

    Can I create a desktop shortcut to it?

    Yes, absolutely. Create a shortcut pointing to:

    Powershell.exe PathToScript\DelContacts.PS1

    For example on my Windows 10 desktop, I have a shortcut pointing to:

    powershell.exe C:\DelContacts\DelContacts.ps1

    ===========================================================================
    Computername : HUGEPC
    User Name : mark_
    Temp Dir : C:\Users\mark_\AppData\Local\Temp
    Profile Path : C:\Users\mark_
    Temp File : C:\Users\mark_\AppData\Local\TempDelContacts.TMP
    ===========================================================================
    Finding files using the command: DIR C:\Users\mark_\GalContacts.* /s /b >C:\Users\mark_\AppData\Local\TempDelContacts.TMP
    Temporary file found…
    Deleting files….
    Working on : C:\Users\mark_\AppData\Local\Microsoft\Office\15.0\Lync\sip_mark.*******@******.com\GalContacts.db
    File deleted.
    Working on : C:\Users\mark_\AppData\Local\Microsoft\Office\15.0\Lync\sip_mark.*******@******\GalContacts.db.idx
    File deleted.
    ===========================================================================
    Deleting temporary file…
    Temp file deleted.
    ===========================================================================
    Process finished.

  • Microsoft UC & VPN

    As I’ve said previously on my site here I spend most of my time designing Unified Comms systems, now predominantly around Microsoft architectures.

    I also get involved in normalising/rectifying/stabilising systems that have already been deployed. With UC platforms it’s not that hard to get a solution 80% deployed and operational with little UC knowledge…and yet it’s that last 20% of the deployment that can utterly ruin the user experience.

    Anyway, on that ruining-the-user-experience piece, two networking things I see a lot that tend to fly under the radar at the design phase are VPNs and proxy setups. Media does not play well with a proxy system…but nor does it with VPNs. I’ll talk about the proxy issues in another post, but let’s look at VPNs first.

    So, what’s the beef with VPNs? It’s really down to the fact that operating over a VPN can seriously degrade media performance to the point that it irritates the users. The reason is that pushing traffic through an encrypted VPN tunnel seriously impacts the jitter and latency figures for the media connection – mainly through the extra workload of a second round of encryption and decryption. Lync/Skype traffic is already encrypted – signalling via TLS and media via SRTP – so pushing it through a VPN just means you’re encrypting already encrypted traffic. Hardly efficient.

    Now, Microsoft’s architecture has a model in place for just this scenario – the Access Edge topology. Media relayed through the Edge is designed to provide a high quality experience over uncontrolled networks. 

    The problem, though, is how do you stop users sending their traffic over the VPN when they want to make a call? It’s not as if you can ask them to disconnect from the VPN to accept or make a call, can you? Well, there is a way, but it does take a bit of planning – namely configuring a split tunnel VPN configuration.

    What you want to achieve is all your normal traffic goes via the VPN except any Skype/Lync traffic – you want that to go to the Access Edge servers. Split Tunnel VPNs are not that unusual and most VPN platforms support the capability – there’s something else you need to consider however, and that’s the client connectivity logic.

    Imagine the scenario where you enable split-tunnel on your VPN so that your Lync clients can connect to the Access Edge servers. The problem you’ll run in to is that the Lync client will first check for internal connections to the Front End servers using either LyncDiscoverInternal or other DNS entries – if it finds them and can reach the Front End servers, then it will connect via the VPN tunnel regardless of its ability to connect to the Access Edge.

    So, how do you fix this? Well, explained simply, the way to fix it is to ensure that not only do you allow the split-tunnel for the client but you also block access to the Front End Servers over the VPN. Essentially you need a firewall rule that blocks:

    Firewall

    There are numerous ways of achieving this. You can even achieve it using Windows Firewall policies, for example; however for the most part it’s easier to configure at either a firewall or VPN platform level. The Windows Firewall policies, for example, wouldn’t apply to Mac users or to people using systems that don’t receive those policies.
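    For the Windows Firewall variant just mentioned, here is an added example (not part of the original post) of a per-client rule that blocks the Front End pool only on VPN (RemoteAccess) interfaces, so the client falls through to the Access Edge. The pool FQDNs are placeholders; it assumes TCP 5061 (SIP/TLS) and 443 (web services) are the client-facing internal ports and that your VPN adapter registers as a RemoteAccess interface.

```powershell
# Added example, not from the original post.
# Assumptions: placeholder pool/web-services FQDNs; TCP 5061 (SIP over TLS) and
# 443 (internal web services) are the ports the client uses towards the pool;
# the VPN adapter is a RemoteAccess-type interface. Run elevated on the client.
$poolFqdns = @('pool01.contoso.example', 'lyncweb-int.contoso.example')  # placeholders

# Resolve the pool to its current A records; re-run the script when the pool IPs change.
$poolIps = foreach ($fqdn in $poolFqdns) {
    Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress }
}
$poolIps = $poolIps | Sort-Object -Unique

$ruleName = 'Block Lync Front End over VPN'

# Replace any earlier copy of the rule so the address list never goes stale.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Outbound block, scoped to RemoteAccess (VPN) interfaces only: on the LAN the
# same client still reaches the Front End directly.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Action Block -Profile Any `
    -InterfaceType RemoteAccess `
    -Protocol TCP -RemotePort 5061, 443 `
    -RemoteAddress $poolIps | Out-Null

# Check: with the VPN connected, SIP/TLS to the pool should now fail on the VPN path.
foreach ($ip in $poolIps) {
    $reachable = Test-NetConnection -ComputerName $ip -Port 5061 -InformationLevel Quiet
    "{0}:5061 reachable over current path = {1}" -f $ip, $reachable
}
```

    Because the block is bound to the interface type rather than a specific adapter name, it survives the VPN client renaming or recreating its adapter.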

    VPN configurations are one of those things that add to the quality of experience of using a platform, making the user’s situation stable, repeatable, and positive. Will the product work through a VPN? For the most part, yes – your users won’t thank you for it though.

  • Enabling Extension Number Display in Lync 2013 or Skype for Business

    I’m working on a site at the minute that has disjointed extension/DDI numbers – that is their extension numbers in no way match their assigned DDI. Throw in some routing to legacy PBX platforms…and your dial plan gets ‘interesting’. 

    Anyway, one thing I wanted to do was to turn on the ability to view extension numbers in the Skype client. What do I mean, I hear you say? Well, consider the normal display when I type in an extension number:

    You’ll see the normalised number – notice how 8622 actually maps to a 5831 number – but it would be useful to see the extension, like this:

    With this set, it displays the extension as well – of course you have to have it normalised like that in your dial-plan and your address book rules for it to appear as above.

    Anyway, how do we achieve this? Well, it’s pretty easy. You can do it in a client policy, like this:

    $x = New-CsClientPolicyEntry -Name "ShowExtensionInFormattedDisplayString" -Value "True"

    $y = Get-CsClientPolicy -Identity Global

    $y.PolicyEntry.Add($x)

    Set-CsClientPolicy -Instance $y

    The above puts it in the Global policy, but you could if you wanted create a new one, and assign that. See here on the processes for adding options to client policies:

    New-CsClientPolicyEntry

    WAIT! What if I want to remove it? Well, again it’s pretty easy.

    $y = Get-CsClientPolicy -Identity global

    $y.PolicyEntry.RemoveAt(0)

    Set-CsClientPolicy -Instance $y

    The above assumes it’s the first policy entry – you’ll need to update the index to match the actual entry if you have multiple ones. Note you can clear all of them too using this command:

    Set-CsClientPolicy -Identity global -PolicyEntry $Null
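    Since RemoveAt(0) only works when the entry happens to be first, here is an added example (not the post’s own commands) that adds or removes ShowExtensionInFormattedDisplayString by name, whatever position it sits at, and refuses to add a duplicate. It assumes you are running in the Lync/Skype for Business Server Management Shell.

```powershell
# Added example, not from the original post. Assumes the Lync/Skype for Business
# Server Management Shell (Get-CsClientPolicy etc. loaded).
function Set-ShowExtensionEntry {
    param(
        [string]$PolicyIdentity = 'Global',
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add'
    )
    $entryName = 'ShowExtensionInFormattedDisplayString'
    $policy = Get-CsClientPolicy -Identity $PolicyIdentity

    # PolicyEntry is a list of entries with Name/Value properties; locate ours by name
    # instead of assuming it is at index 0.
    $index = -1
    for ($i = 0; $i -lt $policy.PolicyEntry.Count; $i++) {
        if ($policy.PolicyEntry[$i].Name -eq $entryName) { $index = $i; break }
    }

    switch ($Action) {
        'Add' {
            if ($index -ge 0) {
                "$entryName already present in '$PolicyIdentity' at index $index; nothing to do."
                return
            }
            $entry = New-CsClientPolicyEntry -Name $entryName -Value 'True'
            $policy.PolicyEntry.Add($entry)
        }
        'Remove' {
            if ($index -lt 0) {
                "$entryName not present in '$PolicyIdentity'; nothing to do."
                return
            }
            $policy.PolicyEntry.RemoveAt($index)
        }
    }
    Set-CsClientPolicy -Instance $policy

    # Show what the policy actually holds now rather than assuming the change landed.
    (Get-CsClientPolicy -Identity $PolicyIdentity).PolicyEntry | Format-Table Name, Value
}

# Usage:
#   Set-ShowExtensionEntry -Action Add       # turn extension display on in Global
#   Set-ShowExtensionEntry -Action Remove    # take only that entry back out again
```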

    Fairly simple stuff. This capability was first introduced back with Lync 2010 – see here for info:

    An update is available to display the extension number of non-US telephone numbers in contact cards in Lync 2010

  • Lync 2013/Skype for Business & Virtual Cores

    I’ve been setting up a couple of Standard Edition servers recently, and I wasn’t seeing the performance I expected when importing a fairly large number of users (about 3k) – this was a test lab. It was a bit confusing really, as the servers themselves were very well specified. 8 cores, 32Gb RAM, running on SSDs….albeit the platform being virtualised.

    After playing around with it for a while, I could see that SQL Express only seemed to be executing on a single core, not the four I expected, since SQL Express can use up to four cores. You can see the restrictions in this article here:

    Compute Capacity Limits by Edition of SQL Server

    (2012 version here).

    In particular, pay attention to this bit:

    It’s limited to the lesser of 1 socket or 4 cores. So, having looked, my VMs were running not with a single socket of 8 cores, but as a server with 8 sockets, each with 1 core. That explained the restriction. Having spoken to the VMware administrator, this got fixed pretty quickly. I haven’t really looked at how, but there’s a great article here explaining how to allocate cores per processor. As a side note, the memory is still limited to 1Gb for SQL Express, I believe.

    Setting the number of cores per CPU in a virtual machine

    Anyways, an interesting one, and something to watch out for.

  • Delete the Lync or Skype for Business Address Books

    There’s a lot been written about the Lync or Skype for Business Address Books over the years, so I’ll not go into that whole thing here. What I do get asked about though is clearing down address books on a client and downloading a clean copy. How can we do that automatically?

    Well, firstly, you need to be aware of how those address books get downloaded. Have a read of this article here, it explains the background.

    Downloading the Address Book in Lync 2013

    While the above is for Lync 2013, the process is much the same for Skype for Business 2015.

    Deleting the local copies of the address books involves deleting GalContacts.db and GalContacts.db.idx from the user’s SIP profile directory. For Skype for Business 2015, this is in this location:

    C:\Users\username\AppData\Local\Microsoft\Office\15.0\Lync\sip_sipaddress

    As we know that, it’s pretty easy to automate.

    I’ve written a script that will do this for you. You can download that script here.

    AutoDelAddressBook.rar

    The script also creates a log file of the work that it carries out. The below is an example output from the script:

    ==========================================================================================

    17-Nov-15:2:18:58 PM: Delete GalContacts Script.

    17-Nov-15:2:18:58 PM: Running on workstation: BERKPC

    17-Nov-15:2:18:58 PM: User: *****

    ==========================================================================================

    17-Nov-15:2:18:58 PM: Path root: C:\Users\*****\AppData\Local\Microsoft\Office\15.0\Lync\

    17-Nov-15:2:18:58 PM: Temp Path: C:\Users\*****\AppData\Local\Temp

    ==========================================================================================

    17-Nov-15:2:18:58 PM: Checking to see if TEMP file exists….

    17-Nov-15:2:18:58 PM: Temp file does not exist.

    17-Nov-15:2:18:58 PM: Getting directory of all SIP users…

    17-Nov-15:2:18:58 PM: Command for directory: CMD.exe /c DIR C:\Users\*****\AppData\Local\Microsoft\Office\15.0\Lync\sip_* /b >C:\Users\*****\AppData\Local\Temp\GalContactsDel.TMP

    17-Nov-15:2:18:58 PM: Running command….

    17-Nov-15:2:18:58 PM: Checking to see if TEMP file exists….

    17-Nov-15:2:18:58 PM: Temp file found, directory completed.

    ==========================================================================================

    17-Nov-15:2:18:58 PM: Opening temp file, scanning for GalContacts file in each specified SIP directory…

    17-Nov-15:2:18:58 PM: Working on: sip_***@*****.**.**

    17-Nov-15:2:18:58 PM: Full Path: C:\Users\*****\AppData\Local\Microsoft\Office\15.0\Lync\sip_***@*****.**.**

    17-Nov-15:2:18:58 PM: Could not find GalContacts.db in directory.

    17-Nov-15:2:18:58 PM: Could not find GalContacts.db.idx in directory.

    17-Nov-15:2:18:58 PM: Working on: sip_****@***.***

    17-Nov-15:2:18:58 PM: Full Path: C:\Users\*****\AppData\Local\Microsoft\Office\15.0\Lync\sip_****@***.***

    17-Nov-15:2:18:58 PM: Could not find GalContacts.db in directory.

    17-Nov-15:2:18:58 PM: Could not find GalContacts.db.idx in directory.

    17-Nov-15:2:18:58 PM: Working on: sip_****.********@***.***

    17-Nov-15:2:18:58 PM: Full Path: C:\Users\*****\AppData\Local\Microsoft\Office\15.0\Lync\sip_****.********@***.***

    17-Nov-15:2:18:58 PM: Could not find GalContacts.db in directory.

    17-Nov-15:2:18:58 PM: Could not find GalContacts.db.idx in directory.

    ==========================================================================================

    17-Nov-15:2:18:58 PM: Completed.

    17-Nov-15:2:18:58 PM: Deleting temp file….

    17-Nov-15:2:18:58 PM: Number of profiles scanned: 3

    17-Nov-15:2:18:58 PM: Number of GalContacts.db deleted:0

    17-Nov-15:2:18:58 PM: Number of GalContacts.db.idx deleted:0

    ==========================================================================================

    What the script does is search a user’s home directory for all of the SIP identities, and then remove the GalContacts files from each of those identities. The script tells you which profiles were scanned, and how many files were removed.

    So, to use the script, the first thing you need to do is set up a shared directory for all of the log files. In my script currently, the logging directory is set to “\\BerkPC\Logging”. You will need to edit line 16 to reflect the correct path for your logs.

    '===========

    'Set the LOGPATH Variable to the directory that you want to house the logging output files.

    'Note do NOT include a trailing \

    'I.e. \\unc\logs is OK \\unc\logs\ is NOT ok

    '===========

    LogPath="\\BerkPC\Logging"

    Once it’s set, you can fire the script at as many machines as you want – there’s various ways of doing that, group policy objects for example. Remember that it needs to be executed under a user context not the machine one, as it’s the user profiles we’re interested in.
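    As an added example that is not the author’s DelContacts.ps1 or AutoDelAddressBook script, here is a PowerShell version of what both posts describe: walk each sip_* profile directory, remove GalContacts.db and GalContacts.db.idx, and write a timestamped log with counts. It assumes the 15.0 profile path from this post (the 16.0 path is included for the Skype for Business 2016 client), that the log directory is a UNC share or local folder you choose, and that it runs in the user context rather than the machine one.

```powershell
# Added example, not the author's script. Assumptions: client profile under
# %LOCALAPPDATA%\Microsoft\Office\15.0\Lync (16.0 added for the 2016 client);
# run as the signed-in user, e.g. via a user logon script, not as the machine.
param(
    # Log directory (UNC or local); a trailing backslash is harmless here.
    [string]$LogDir = (Join-Path $env:USERPROFILE 'Desktop'),
    # Report what would be deleted without touching anything.
    [switch]$DryRun
)

$logFile = Join-Path $LogDir ("DelContacts-{0}-{1}.log" -f $env:COMPUTERNAME, $env:USERNAME)

function Write-Log {
    param([string]$Message)
    $line = "{0:dd-MMM-yy HH:mm:ss}: {1}" -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
    Write-Host $line
}

# Profile roots for the Lync 2013 / SfB 2015 (15.0) and SfB 2016 (16.0) clients.
$roots = @('15.0', '16.0') |
    ForEach-Object { Join-Path $env:LOCALAPPDATA "Microsoft\Office\$_\Lync" } |
    Where-Object { Test-Path $_ }

Write-Log ('=' * 60)
Write-Log "Delete GalContacts script. Workstation: $env:COMPUTERNAME User: $env:USERNAME"

$profiles = 0; $deleted = 0; $failed = 0

foreach ($root in $roots) {
    # One sip_<address> directory exists per SIP identity that has signed in.
    foreach ($sipDir in Get-ChildItem -Path $root -Directory -Filter 'sip_*') {
        $profiles++
        Write-Log "Working on: $($sipDir.FullName)"
        foreach ($name in 'GalContacts.db', 'GalContacts.db.idx') {
            $file = Join-Path $sipDir.FullName $name
            if (-not (Test-Path $file)) {
                Write-Log "Could not find $name in directory."
                continue
            }
            if ($DryRun) { Write-Log "Would delete $file"; continue }
            try {
                # Fails with a sharing violation if the client is still running;
                # log it rather than aborting the whole run.
                Remove-Item -Path $file -Force -ErrorAction Stop
                $deleted++
                Write-Log "File deleted: $file"
            } catch {
                $failed++
                Write-Log "FAILED to delete $file : $($_.Exception.Message)"
            }
        }
    }
}

Write-Log "Number of profiles scanned: $profiles"
Write-Log "Number of GalContacts files deleted: $deleted  Failed: $failed"
Write-Log ('=' * 60)
```

    Run it with -DryRun first on one machine to confirm the paths it finds before pushing it out through a logon script or GPO.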

  • Changing a SIP Address in Lync or Skype for Business

    I was being asked about changing a SIP address for a user today on Lync 2013 – equally applies to Skype for Business too. What would the effect be on Contact lists? Say for example your login was ‘DerekT@TheForce.co.uk’, and that’s what you were on people’s contact lists as … What would happen if you changed that SIP login to ‘Derek.Trotter@Deathstar.co.uk’?

    Well, the answer fortunately is a positive one. It works. The contact subscriptions are held in the database by a unique identifier created at the time of subscription – this unique ID is not the SIP address. So, change the address, and when people with that user on their contacts list logs out of Lync/Skype and back in, they’ll still see the person on the contact list with presence and everything.

    One thing I’ve found by the way is that if you change the domain – I.e. The bit after the @ – you can see issues with authentication to Lync/Skype. Easily fixed by logging the user out/in again.

    So you can change these addresses. You do need to plan when you change them though – it may also be worth deleting and updating the address book files too. Now, this works well enough for contact lists – but one thing you must educate your users about is that scheduled meetings will break. Users with changed SIP addresses should go back and re-send any meetings they have in their diary, so that they contain the right URLs for the conferences – otherwise the conference joins will fail.

    Anyways, the video here shows the behaviour in action.

  • Skype for Business Server Documentation

    TechNet documentation for Skype for Business has now landed:

    Skype for Business Server 2015

  • Managing your Presence – It’s a tool!

    What feels like a long, long time ago I wrote an entry about how people can and should manage their presence – you can see it here:

    The Etiquette of Presence Long gone, sorry!

    Presence isn’t that unusual any more – people are used to it…. that’s not to say people are always using it in the best way, however.

    I still see people who the first thing they do when they get in or online is put their Status on busy. So much so you ignore the busy – you IM anyway, are you really busy or just on busy? Hello?

    Of course their response or lack of it tells me whether the busy is real or not…but that’s not very good is it? I may as well just ignore their presence and call whenever I want. What’s the point of that?

    In addition to that it’s obvious to me that some people bang up the times on their inactive and away settings:

    2014-11-03Presence

    They set them so that even when they wander off from their PC for ages they’re still showing as available. Again, what is the point of that? Trying to IM someone who shows as available, only to see them rock in from the sandwich/coffee shop chatting away, can be a little frustrating.

    Why do people do that? Why want to appear to be available when you’re not? My guess is it’s down to the fear of ‘Big Brother’ – as in “oh my, if I’m away for ages people will assume I’m lounging around watching Homes Under the Hammer”.

    The reality of course is that few people do view this in such a way.

    You can also do custom presence states with Lync too – for example I have a few extra on my presence options:

    2014-11-03Presence

    You can see I’ve got a few extra states at the bottom – all designed to help people understand the best way to contact me.

    Mobile clients are also now massively on the rise. Personally for example I tend to leave my Lync client on my phone running all the time – I may logout at the weekends totally, but that’s only if I remember. I’m OK with that – I would get why a lot of people wouldn’t be of course.

    Presence is a great tool if managed and used properly. Constantly on busy – people will ignore it. Constantly available but not, people will ignore it – and get frustrated with you in the process.

  • Disabled in Active Directory, Enabled in Lync

    One common workflow that is often missed in the Lync world is what happens when you disable a user in Active Directory? For example, if a user has left? Well, the user will remain enabled for Microsoft Lync, and in some situations will still be able to logon to Lync as well:

    Disabled AD User Account can still login to Lync

    In reality you need to build disabling the user for Lync into the process of disabling their Active Directory account. Now, fortunately it’s fairly easy to find out who those disabled users are, and to disable them – so let’s have a look at that here.

    How Many Are There?
    Firstly, you may want to know exactly how many Disabled AD Users that are enabled for Lync – it’s pretty easy to find out using this command:

    Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled} | Measure-Object

    Note the above may be wrapped on your browser – it should be entered as a single command. The output of this will show you how many disabled accounts you have – like this:

    2014-11-03DisabledAccounts

    So in the system I’m looking at there’s 461 accounts – quite a few.

    Who are they?
    Next, you’ll want to know who those accounts are. Well, again that’s pretty easy to do with PowerShell – like this:

    Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | Format-Table Name

    This will give a text output of the disabled accounts – if you want, you can push to a text file by putting >Output.TXT or similar on the end.

    How can I disable them for Lync?
    Again this is very easy with PowerShell – you can use this command. Bear in mind this will disable all of those identified users for Lync. All of them! Consider this for example if you have some AD disabled accounts you use for Synthetic Tests and the like. Anyway, the command is this:

    Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled} | Disable-CsUser

    Summary
    All of the above commands are built in the same way and should be fairly obvious. PowerShell is a fantastic tool for the scaled systems Administrator – how people managed without it I don’t know. Well, VBScript I guess? Still a big fan of that for down & dirty quick stuff.

  • Disabled AD User Account can still login to Lync

    There is a certain behaviour with Microsoft Lync 2013 (and 2010 I believe) and authentication that could mean that when you disable an account in Active Directory, the user can still login to the Lync client. This isn’t ideal as the user is able to continue using services on the Lync platform – including Enterprise Voice – for the whole time they are connected, regardless if their account is enabled or not within Active Directory.

    Doesn’t sound great does it! The reasoning behind it is to do with the way that authentication is handled by the Lync client. If a user logs in to their Lync account and selects ‘Save my Password’, Lync will generate a certificate and this certificate will be installed in the user’s certificate store – this certificate is then used to authenticate.

    SignIn

    If you look at the certificate that is generated for the user you can see that it’s often quite a large time period set for its validity:

    Certificate

    In my demo environment for example you can see validity is some 6 months! As long as this certificate is valid the client will still be able to login to Lync regardless of whether their Active Directory account is enabled or not….seems kinda crazy doesn’t it?

    In reality, as part of the administrative process for disabling a user account you should include the step of physically disabling the Lync user account too, either within the Lync Control Panel or with the PowerShell Management shell for Lync. Of course you can also add this option to your Active Directory Users & Computers plug-in and do it all at the same time! Why not – it makes admin far, far simpler.

    For examples on that bit see here:

    Automating Common Administrative Tasks

    The video below shows you the effects of this login process, and why you need to be aware of it. Click here for the hi-def version.
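    Pulling the two posts above together, here is an added example (not the author’s commands) that reports the AD-disabled accounts still enabled for Lync, skips an exclusion list for the synthetic test accounts mentioned earlier, and, only when asked, revokes each user’s cached client certificates before disabling them for Lync so a saved password no longer gets them in. It assumes the Lync/Skype for Business Server Management Shell, and the exclusion list and report path are placeholders to edit.

```powershell
# Added example, not the author's commands. Assumptions: Lync / Skype for Business
# Server Management Shell with rights to disable users; the exclusion entries and
# report path below are placeholders.
param(
    # SIP addresses of AD-disabled accounts that must stay Lync-enabled (synthetic tests etc.).
    [string[]]$ExcludeSipAddress = @('sip:synthetic.test1@contoso.example'),
    [string]$ReportPath = "$env:USERPROFILE\Desktop\DisabledButLyncEnabled.csv",
    # Without this switch the script only reports; nothing is changed.
    [switch]$Remediate
)

# Same filter as the post: the AD flag says disabled, the Lync attribute says enabled.
$candidates = Get-CsAdUser -ResultSize Unlimited |
    Where-Object { $_.UserAccountControl -match 'AccountDisabled' -and $_.Enabled } |
    Where-Object { $ExcludeSipAddress -notcontains $_.SipAddress }

# Keep a record of what was found before anything is touched.
$candidates | Select-Object Name, SipAddress, Identity |
    Export-Csv -Path $ReportPath -NoTypeInformation
"{0} AD-disabled accounts still enabled for Lync ({1} excluded). Report: {2}" -f `
    @($candidates).Count, $ExcludeSipAddress.Count, $ReportPath

if (-not $Remediate) {
    "Re-run with -Remediate to revoke client certificates and disable these users for Lync."
    return
}

foreach ($user in $candidates) {
    # Revoke first: the certificate issued on 'Save my password' is what lets a
    # disabled AD account keep signing in, so kill it while the user is still a
    # known Lync user, then remove the Lync enablement itself.
    Revoke-CsClientCertificate -Identity $user.SipAddress
    Disable-CsUser -Identity $user.SipAddress
    "Revoked certificates and disabled for Lync: $($user.SipAddress)"
}
```

    A user still signed in keeps their session until it ends; the revocation stops the next sign-in rather than tearing down the current one.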