Managing Lync Server 2013 with Windows PowerShell—Part 2

Managing Lync Server 2013 with Windows PowerShell—Part 2

  • Comments 3
  • Likes

Summary: Use Windows PowerShell to disable Active Directory users for Lync.

Hey, Scripting Guy! Question Hey, Scripting Guy!

I was so happy yesterday! I spun up thousands of users in Lync, and it worked beautifully. But now management has come back and indicated that it should not be enabled for our temporary staff. How can I quickly disable Lync users?

—LN

Hey, Scripting Guy! Answer Hello LN,

Honorary Scripting Guy, Sean Kearney, is here with more Lync cheer and cmdlets to save the day!

Note  This is the second part in a series. You might also enjoy reading Managing Lync Server 2013 with Windows PowerShell—Part 1.

First let me explain that in Lync, you have a "disabled" Lync user and a "removed" Lync user, and they are not the same (for good reason). In one state, their access to Lync is turned off. In the other, they are physically removed from the Lync environment. This is an important distinction to remember.

If you are simply disabling a Lync user, you are stopping their ability to sign-in to Lync. It's a bit like disabling a user in Active Directory. The object is still there, but it can do anything it wants. So in some cases, you might want to disable but not remove. Maybe somebody is on vacation or perhaps this is their punishment: "No Lync for you, young man, until you eat your vegetables!"

In either case, you have two options. One is our GUI friend. Within the Lync Server Control Panel, select the user (in this case, Arthur Dent), click Edit, and then click Show Details.

Image of menu

When the user name is displayed, clear the Enabled for Lync Server check box and click Commit. You've turned off the lights on him for Lync. However, note that he is still in the list of Lync users, but not as an enabled user.

Image of menu

Image of menu

Now again, for one user, using the GUI is fine. But it appears that you need to do this operation "en-masse."

Let me think…

If only there was some kind of Powerful Shell technology out there that could do this. A way to do it with one line…

*Smack!*

Of course I know! I was I teasing (or was there a Babel fish poking my ear?)

Windows PowerShell!

We can use a cmdlet called Set-CSUser. This cmdlet allows us to adjust the various settings for a Lync user, including whether Lync access has been enabled or disabled. To disable Mr. Dent's access in Lync we simply launch this:

SET-CSUser –identity 'Arthur Dent' –enabled $FALSE

This will do the same as our little GUI friend, but much faster. If we'd like to re-enable his access, we can do this:

SET-CSUser –identity 'Arthur Dent' –enabled $TRUE

In your case, you've been asked to disable access for a whole group of staff. Let's imagine the temp workers are in a particular organizational unit in Active Directory. We can target that organizational unit like when we enabled the accounts in the first place:

GET-ADUser –filter * -searchscope 'CN=Temps,DC=Contoso,DC=local'

And like our previous cmdlet, we need break it out of an array with a Foreach:

GET-ADUser –filter * -searchscope 'CN=Temps,DC=Contoso,DC=local' | Foreach { SET-CSUser –identity $_.Name –enabled $FALSE }

The advantage to using this cmdlet is obvious. You would want to cut off their access first and then later remove their accounts. When you lose the user settings in Lync, they are gone. So if the boss changes her mind later in the day or week, and she decides those workers should in fact have access, you won't have to re-populate the information, their particular pool, or in the case of enterprise voice clients, their phone extensions!

Pop in tomorrow for more Lync and Windows PowerShell goodness, and please don't forget your towel!

I invite you to follow The Scripting Guys on Twitter and Facebook. If you have any questions, send an email to The Scripting Guys at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then remember to eat your cmdlets each and every day with a dash of creativity.

Sean Kearney, Windows PowerShell MVP and Honorary Scripting Guy 

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • ForEach is not required, as Set-CsUser accepts input from pipeline and Get-CsUser includes an OU filter.

    Using Get-CsUser also ensures that you are only retrieving the accounts within the OU that are enabled for Lync.

    Get-CsUser -OU "OU=Temps,DC=Contoso,DC=local" | Set-CsUser -Enabled $false



  • Thanks for the information on filtering by OU within the Cmdlet. You are correct, it is a much better approach.

    I'll have to check on my Lync and see if I'm missing an update in my lab. Although my SET-CSuser would accept the pipeline, it would not accept and despool the array of data presented, Thus the Foreach was used.

    Going to have to patch that sucker then :)

    Sean

  • thank you