
Sep 18


Synchronize Lync Enabled Users with Active Directory

When I learned that disabling an AD account does not prevent users from logging in to Lync, I wrote this script and scheduled it to run periodically to keep my Lync-enabled users in sync with AD.

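### Synchronize your Lync Enabled users with AD Enabled Users ###
#
# Purpose: disabling an AD account does not by itself stop Lync sign-in
# (a client certificate Lync issued earlier typically stays usable), so this
# script is meant to run on a schedule and reconcile the two directories.
#
#   Pass 1: Lync-enable every enabled AD user in the configured OUs that is
#           not yet Lync-enabled.
#   Pass 2: Lync-disable every Lync-enabled user whose AD account is disabled.
#
# Both passes modify accounts. Run once with $dryRun = $true and review the
# output before scheduling. The account that runs the task needs rights to
# enable and disable Lync users, so scope and protect it accordingly.

Import-Module Lync
Import-Module ActiveDirectory

# Set your Lync Pool Name here
$lyncPoolFqdn = "lyncpool.domain.com"

# Set your Sip Address Type... Usually Email or UPN
$sipAddressType = "EmailAddress"

# Set to $true to preview the changes (-WhatIf) without applying them
$dryRun = $false

# OUs that hold your users. Add as many entries as you need to cover all of your user OUs
$searchBases = @(
    "OU=OrganizationalUnit1,DC=Domain,DC=COM"
    #"OU=OrganizationalUnit2,DC=Domain,DC=COM"
)

Write-Host "Loading AD Users"
$adUsers = @()
foreach ($searchBase in $searchBases) {
    try {
        # Get all enabled users from this OU. A failed query (renamed OU, unreachable DC)
        # must stop the run: continuing with a partial list would skew both passes.
        $adUsers += Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties mail,DisplayName -ErrorAction Stop
    }
    catch {
        throw "AD query failed for '$searchBase': $($_.Exception.Message)"
    }
}

# Filter out any test or UAT accounts. You can add additional filters here.
# @() keeps the result an array even when only one user matches.
$adUsers = @($adUsers | Where-Object { $_.Name -notlike "*TEST*" -and $_.Name -notlike "*UAT*" })

# An empty list almost certainly means a misconfigured search base, not an empty company.
if ($adUsers.Count -eq 0) {
    throw "No enabled AD users were loaded; refusing to continue."
}

# Keyed by SamAccountName. A hashtable lookup is much faster than querying AD over and over.
# The indexer (rather than .Add) tolerates the same user being returned by overlapping OUs.
Write-Host "Building AD Hashtable"
$adHash = @{}
foreach ($adUser in $adUsers) { $adHash[$adUser.SamAccountName] = $adUser }

# Load all Lync-enabled users
Write-Host "Loading Lync Users"
$csUsers = @(Get-CsUser -Filter { Enabled -eq $true } -ResultSize Unlimited)

# Same idea as $adHash: SamAccountName -> Lync user object
$csHash = @{}
foreach ($csUser in $csUsers) {
    if ($csUser.SamAccountName) { $csHash[$csUser.SamAccountName] = $csUser }
}

# Total number of loop iterations across both passes, used for the progress bar
$count = $adHash.Count + $csHash.Count
$i = 0

### Pass 1 Enable Missing CS Users ###
Write-Host "Pass 1: Enable Missing CS Users"
foreach ($sam in $adHash.Keys) {
    ### Update Progress bar ###
    $i += 1
    $pctComplete = [int] (($i / $count) * 100)
    # $sam is only the key string, so the display name has to come from the stored object
    $name = $adHash[$sam].DisplayName
    $status = "$pctComplete% ($i / $count) $name"
    Write-Progress -Activity "Check and Enable Missing CS Users" -Status $status -PercentComplete $pctComplete
    ### ###

    # Check if the AD user is missing from the list of Lync Enabled Users
    if (-not $csHash.ContainsKey($sam)) {
        # Get-ADUser returns UserPrincipalName by default, so no second lookup is needed
        $enableUser = $adHash[$sam]
        if (-not $enableUser.UserPrincipalName) {
            Write-Warning "Skipping $sam : no UserPrincipalName to identify the account"
            continue
        }

        Write-Host "Enabling $name"

        # Lync Enable the user
        Enable-CsUser -Identity $enableUser.UserPrincipalName -SipAddressType $sipAddressType -RegistrarPool $lyncPoolFqdn -WhatIf:$dryRun
    }
}
### ###

### Pass 2 Disable CS Users that are disabled or missing from AD ###
Write-Host "Pass 2: Disable CS Users"
foreach ($sam in $csHash.Keys) {
    ### Update Progress bar ###
    $i += 1
    $pctComplete = [int] (($i / $count) * 100)
    $name = $csHash[$sam].DisplayName
    $status = "$pctComplete% ($i / $count) $name"
    Write-Progress -Activity "Check and Disable inactive CS Users" -Status $status -PercentComplete $pctComplete
    ### ###

    # Check if the Lync user is in the list of Enabled AD Users
    if (-not $adHash.ContainsKey($sam)) {
        # Reset first so a failed lookup can never reuse the previous iteration's account
        $disableUser = $null
        try {
            $disableUser = Get-ADUser -Identity $sam -ErrorAction Stop
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            Write-Warning "$sam was not found in AD; nothing to disable"
            continue
        }
        catch {
            # Any other failure (e.g. DC unreachable) is not evidence that the account is disabled
            Write-Warning "AD lookup failed for $sam; leaving Lync account unchanged: $($_.Exception.Message)"
            continue
        }

        # Absent from $adHash only means "not in the synced OUs / excluded by the name filter".
        # Only remove Lync access when AD itself says the account is disabled.
        # (Delete this check if out-of-scope accounts should lose Lync access as well.)
        if ($disableUser.Enabled) {
            Write-Warning "$name is enabled in AD but outside the synced scope; leaving Lync account unchanged"
            continue
        }

        Write-Host "Disabling $name"

        # Disable the Lync user
        Disable-CsUser -Identity $disableUser.UserPrincipalName -WhatIf:$dryRun
    }
}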

Permanent link to this article: https://www1.wperry.net/code/synchronize-lync-enabled-users-with-active-directory/
