Managing Lync Server 2013 with Windows PowerShell—Part 3

Managing Lync Server 2013 with Windows PowerShell—Part 3

  • Comments 4
  • Likes

Summary: Use Windows PowerShell to remove Active Directory users for Lync.

Honorary Scripting Guy, Sean Kearney, is here.

     Note This is the third part in a series. You might also enjoy reading:

Yesterday, we learned that in Lync, you can "disable" a user or you can "remove" a user. We actually disabled the Lync user in that post, which meant that the attributes and information were still in Lync, but the user was unable to access and use Lync. This is like when you disable a user in Active Directory.

Today we're going to see how to remove that user, or many users if you need to.

Let's keep one key point in mind: Short of trying to restore from backup, this is a permanent operation. So we have a couple things to think about:

  1. Mistakes can happen, so try to have something in place to prevent them.
  2. Have some kind of easy-to-implement rollback plan (see point 1).

In the GUI interface, it's very easy to remove a user from Lync (presuming, of course, that you have all the permissions and are a member of the correct groups). First, access the Lync Server Control Panel:

Image of menu

Then simply select the users you want to remove, click Action, and click Remove from Lync Server:

Image of menu

Within a prompt or two, all of these people would be removed. For a few people, that could be OK. What about removing hundreds of dead accounts? Perhaps you want a rollback option? For this, we can step in to Windows PowerShell to customize our options. We will be leveraging a new Lync cmdlet called Disable-CSUser.

The first time I saw this cmdlet, I made the mistake of presuming that it was meant to only disable access (like we did in Part 2). Fortunately, I found out in a lab environment that this is not true. It really should have been called Remove-CSUser because you are removing the object from Lync.

If it makes it easier to remember or use, we can make up an alias like this:

NEW-Alias REMOVE-CSuser DISABLE-CSuser

Now removing an object is quite simple. We supply in the identity and…

Oh, wait a minute! Didn't I say we wanted to keep two important things in mind?

  1. Mistakes can happen, so try to have something in place to prevent them.
  2. Have some kind of easy-to-implement rollback plan (see point 1).

So to prevent mistakes from happening, or at least giving you a chance to see what is going to happen before it does, the Disable-CSUser cmdlet (like many "destructive" cmdlets, as I like to think of them) has the GREATEST feature ever created in Windows PowerShell—the -whatif parameter.

To see what would happen if I tried to remove Mr. Ford Prefect from Lync permanently without actually removing him, I can do this:

DISABLE-CSuser –identity 'Ford Prefect' –whatif

Windows PowerShell and Lync will respond with this lovely little line:

What if: Performing the operation "Disable-CsUser" on target "CN=Ford Prefect,CN=Users,DC=Contoso,DC=local"

If I had inadvertently piped in a large list of users, this cmdlet would have warned me before I had to fill out an incident report for the sudden loss of Lync access to many of the staff.

Like the other Lync cmdlets, this one cannot accept an array of information. But we can pipe information the same as before! So if want to shut down Lync access for all Active Directory accounts that are co-op students, we can first grab a list from Active Directory:

Get—Aduser –filter * -searchbase 'CN=CoopStudents,CN=Staff,DC=Contoso,DC=Local'

We can take that list and pipe it to the Disable-CSuser cmdlet, but we're going to tack on a –whatif just in case we made an error:

Get—Aduser –filter * -searchbase 'CN=CoopStudents,CN=Staff,DC=Contoso,DC=Local' | Foreach { DISABLE-CSUser –identity $_.Name –whatif }

Then if we we are satisfied with the results, we remove the -whatif, and we can remove them with the knowledge that we can perform the task in a controlled manner.

Now all is well with the world, except of course, our co-op students are madly scrambling about wondering why they can't chat with each other in Lync anymore.

Pop back in tomorrow as we check out the important second part of disabling a user—a rollback plan!

I invite you to follow The Scripting Guys on Twitter and Facebook. If you have any questions, send an email to The Scripting Guys at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then remember to eat your cmdlets each and every day with a dash of creativity.

Sean Kearney, Windows PowerShell MVP and Honorary Scripting Guy

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Agree fully with the -whatif and mistakes can happen, my rollback plan is typically to run export-csuserdata immediately before so I can put contacts back if I have to restore the user. Policies are a little easier to guess at and put back in place. Even though I have a backup script that does this for me, I always like to have something very recent nearby. You never want to find out that jsmith@consoso.com should have been josmith@contoso.com and not have a plan.

  • @Anthony

    Thanks for the feedback! Keep it coming in! :)

    Sean


  • You may wish to remove superfluous dashes from commands such as "Get—Aduser".


    Thanks / rgds,

    http://www.leedesmond.com/

  • thank you