Summary: Use Windows PowerShell to disable Active Directory users for Lync.
Hey, Scripting Guy!
I was so happy yesterday! I spun up thousands of users in Lync, and it worked beautifully. But now management has come back and indicated that it should not be enabled for our temporary staff. How can I quickly disable Lync users?
—LN
Hello LN,
Honorary Scripting Guy, Sean Kearney, is here with more Lync cheer and cmdlets to save the day!
Note This is the second part in a series. You might also enjoy reading Managing Lync Server 2013 with Windows PowerShell—Part 1.
First let me explain that in Lync, you have a "disabled" Lync user and a "removed" Lync user, and they are not the same (for good reason). In one state, their access to Lync is turned off. In the other, they are physically removed from the Lync environment. This is an important distinction to remember.
If you are simply disabling a Lync user, you are stopping their ability to sign-in to Lync. It's a bit like disabling a user in Active Directory. The object is still there, but it can do anything it wants. So in some cases, you might want to disable but not remove. Maybe somebody is on vacation or perhaps this is their punishment: "No Lync for you, young man, until you eat your vegetables!"
In either case, you have two options. One is our GUI friend. Within the Lync Server Control Panel, select the user (in this case, Arthur Dent), click Edit, and then click Show Details.
When the user name is displayed, clear the Enabled for Lync Server check box and click Commit. You've turned off the lights on him for Lync. However, note that he is still in the list of Lync users, but not as an enabled user.
Now again, for one user, using the GUI is fine. But it appears that you need to do this operation "en-masse."
Let me think…
If only there was some kind of Powerful Shell technology out there that could do this. A way to do it with one line…
*Smack!*
Of course I know! I was I teasing (or was there a Babel fish poking my ear?)
Windows PowerShell!
We can use a cmdlet called Set-CSUser. This cmdlet allows us to adjust the various settings for a Lync user, including whether Lync access has been enabled or disabled. To disable Mr. Dent's access in Lync we simply launch this:
SET-CSUser –identity 'Arthur Dent' –enabled $FALSE
This will do the same as our little GUI friend, but much faster. If we'd like to re-enable his access, we can do this:
SET-CSUser –identity 'Arthur Dent' –enabled $TRUE
In your case, you've been asked to disable access for a whole group of staff. Let's imagine the temp workers are in a particular organizational unit in Active Directory. We can target that organizational unit like when we enabled the accounts in the first place:
GET-ADUser –filter * -searchscope 'CN=Temps,DC=Contoso,DC=local'
And like our previous cmdlet, we need break it out of an array with a Foreach:
GET-ADUser –filter * -searchscope 'CN=Temps,DC=Contoso,DC=local' | Foreach { SET-CSUser –identity $_.Name –enabled $FALSE }
The advantage to using this cmdlet is obvious. You would want to cut off their access first and then later remove their accounts. When you lose the user settings in Lync, they are gone. So if the boss changes her mind later in the day or week, and she decides those workers should in fact have access, you won't have to re-populate the information, their particular pool, or in the case of enterprise voice clients, their phone extensions!
Pop in tomorrow for more Lync and Windows PowerShell goodness, and please don't forget your towel!
I invite you to follow The Scripting Guys on Twitter and Facebook. If you have any questions, send an email to The Scripting Guys at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then remember to eat your cmdlets each and every day with a dash of creativity.
Sean Kearney, Windows PowerShell MVP and Honorary Scripting Guy