Zachary Loeber

Find Disabled Users With Lync Enabled Without Lync Cmdlets

Here is a quick tip which applies to more than just Lync. I use PowerShell with .NET ADSI to gather a list of all users that are disabled but still have Lync SIP addresses assigned. There are numerous reasons to disable Lync on such accounts. One is to make certain that users who are no longer with the organization get removed from the Lync address list. Another is so those same users can no longer access Lync! (Yes, a disabled AD account may still be authorized to access Lync.)

It is a common misconception that the Lync administration console is required to access basic Lync information. In actuality, you need only a domain user account and a bit of Active Directory acumen to report on a whole range of Lync-related attributes. And you can get even more information from AD about Exchange (see my article comparing how heavily Lync and Exchange rely on AD).

Here is a small example of getting some of this kind of info. Essentially, all we are looking for are AD accounts that are disabled but still have a primary SIP address assigned to the msRTCSIP-PrimaryUserAddress attribute.

Let's start with the disabled-user part. An LDAP filter that finds all disabled accounts is the one below; the matching rule OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) tests whether the ACCOUNTDISABLE bit (value 2) is set in userAccountControl:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

OK, so now add in any account where msRTCSIP-PrimaryUserAddress contains any value. Easy peasy…

(msRTCSIP-PrimaryUserAddress=*)

So the new LDAP filter becomes:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(msRTCSIP-PrimaryUserAddress=*))

So with the magic filter at hand, all that is left to do is query AD with it. You don't even need PowerShell for this. If so inclined, you can simply create a new advanced (custom) query in Active Directory Users and Computers and paste the filter in:

[Screenshot: ldap-aduc-filter, the custom LDAP query dialog in ADUC with the filter above]

This should instantly show you all your disabled accounts that are still associated with a primary SIP address in ADUC. But I promised a PowerShell way to do this as well. Here it is, without any AD or Lync modules.

$ADS_UF_ACCOUNTDISABLE = 0x2        # ACCOUNTDISABLE bit of userAccountControl
$root = [ADSI]''                    # default naming context (top of the current domain)
$search = [adsisearcher]$root
$search.PageSize = 2000             # paged results, so more than one page of hits comes back
# Disabled user accounts (bitwise AND on userAccountControl) that still carry a primary SIP address
$search.Filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(msRTCSIP-PrimaryUserAddress=*))'
$colResults = $search.FindAll()
$Output = @()
foreach ($i in $colResults)
{
    $ObjProps = @{
        Name              = [string]$i.Properties.Item('name')
        # Re-check the disabled bit locally as proof the filter did what we asked
        Disabled          = [bool]([int][string]$i.Properties.Item('useraccountcontrol') -band $ADS_UF_ACCOUNTDISABLE)
        PrimarySipAddress = [string]$i.Properties.Item('msRTCSIP-PrimaryUserAddress')
    }
    $Output += New-Object psobject -Property $ObjProps
}
$Output

I added a few items just for aesthetics (the actual SIP address and proof that the account is in fact disabled), but it is easy to get the gist of what I'm doing here. Note that [ADSI]'' is essentially the root of the default naming context, also known as the top of your domain. You can target other partitions to get other information, though. Of particular interest is the configuration partition. You can quickly start querying the configuration partition with the following code:

$RootDSE = [adsi]"LDAP://RootDSE"                        # RootDSE publishes the forest's naming contexts
$ConfigNamingContext = $RootDSE.configurationNamingContext
$Root = [ADSI]"LDAP://$([string]$ConfigNamingContext)"   # bind to the configuration partition instead of the domain

If you search the configuration partition for the following:

(&(objectClass=msRTCSIP-Pool))

and then return the dnshostname attribute, you will effectively have queried AD for all Lync pool names.

Or filter for internal Lync server names:

Filter: (&(objectClass=msRTCSIP-TrustedServer))
Attribute: msrtcsip-trustedserverfqdn

Or find the Lync edge servers…

Filter: (&(objectClass=msRTCSIP-EdgeProxy))
Attribute: msrtcsip-edgeproxyfqdn
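The three configuration-partition lookups above (pools, trusted servers and edge proxies), wrapped into one function, as an added example that is not code from the original post. It assumes a domain-joined host, an ordinary domain user account, and that Lync's global settings were stored in the configuration partition (the scenario the post describes); the function name Get-LyncTopologyFromAD and the Role labels are my own.

```powershell
# Added example (not from the original post): inventory Lync pools, trusted
# servers and edge proxies from the configuration partition using only ADSI.
# Assumes a domain-joined host, a plain domain user account, and that Lync's
# global settings live in the configuration partition.
function Get-LyncTopologyFromAD {
    [CmdletBinding()]
    param(
        # Page size for the search; the DC caps each page at its MaxPageSize anyway
        [int]$PageSize = 500
    )

    # RootDSE publishes the DN of this forest's configuration partition
    $rootDSE    = [adsi]'LDAP://RootDSE'
    $configNC   = [string]$rootDSE.configurationNamingContext
    $configRoot = [adsi]"LDAP://$configNC"

    # Object class -> attribute that holds the server FQDN, as listed in the post.
    # The Role labels are constructed here for readable output.
    $queries = @(
        @{ Role = 'Pool';          Filter = '(&(objectClass=msRTCSIP-Pool))';          Attribute = 'dnshostname' },
        @{ Role = 'TrustedServer'; Filter = '(&(objectClass=msRTCSIP-TrustedServer))'; Attribute = 'msrtcsip-trustedserverfqdn' },
        @{ Role = 'EdgeProxy';     Filter = '(&(objectClass=msRTCSIP-EdgeProxy))';     Attribute = 'msrtcsip-edgeproxyfqdn' }
    )

    foreach ($q in $queries) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($configRoot)
        $searcher.Filter      = $q.Filter
        $searcher.PageSize    = $PageSize
        $searcher.SearchScope = 'Subtree'
        # Ask only for the attributes we need; keeps the result set small
        [void]$searcher.PropertiesToLoad.Add($q.Attribute)
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')

        $results = $searcher.FindAll()
        try {
            foreach ($result in $results) {
                [pscustomobject]@{
                    Role              = $q.Role
                    Fqdn              = [string]$result.Properties.Item($q.Attribute)
                    DistinguishedName = [string]$result.Properties.Item('distinguishedName')
                }
            }
        }
        finally {
            # SearchResultCollection holds unmanaged handles; release them
            $results.Dispose()
            $searcher.Dispose()
        }
    }
}

# Usage: the whole topology, or one role at a time
Get-LyncTopologyFromAD | Sort-Object Role, Fqdn | Format-Table -AutoSize
Get-LyncTopologyFromAD | Where-Object { $_.Role -eq 'EdgeProxy' }
```

Diffing this output against the servers the Lync team believes it operates is a cheap way to spot stale or unexpected trusted-server and edge objects left behind in AD. If the forest was prepared with Lync's global settings in the domain's System container rather than the configuration partition, bind $configRoot to that container instead.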

Well, you get the picture. AD is a very big open book for those who know where to look 🙂
