Automate enabling and disabling Lync / Skype for Business users
When I see administrators manually enabling all of their Lync / Skype for Business users it makes me cringe. With just a few lines of PowerShell and a scheduled task you can have users enabled for Lync / Skype for Business automatically. Simply copy the script examples and modify them with your infrastructure details and make a scheduled task on your Lync / Skype For Business Server or non Lync / Skype for Business server through remoting.
The first thing to determine is who should be enabled for Lync / Skype for Business and the required settings to be given to those users. I will provide examples of different scenarios both enabling or disabling users. (All examples only search for Lync / Skype for Business users that are not currently enabled and assume that the Email Address would be the enabled SIP Address.)
Example #1: Enable all users in the company with an e-mail account matching @yourdomain.com for normal Lync use.
Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' } |
Enable-CsUser -RegistrarPool 'yourpool' -SipAddressType emailaddress
Example #2: Enable all users in the company within a specific Active Directory OU and an e-mail account matching @yourdomain.com for normal Lync use.
Get-CsAdUser -OU 'your.domain.com/OU' -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' } |
Enable-CsUser -RegistrarPool 'yourpool' -SipAddressType emailaddress
Example #3: Enable all users in the company with a specific City attribute for normal Lync use with an appropriate registrar pool.
Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' -and City -eq 'YourCityName' } |
Enable-CsUser -RegistrarPool 'yourlocationdependantpool' -SipAddressType emailaddress
Example #4: Enable all users in the company with a specific City attribute for normal Lync use with an appropriate registrar pool and a specific Location Policy.
$users = Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' -and City -eq 'YourCityName' }
ForEach ($user in $users)
{
Enable-CsUser $user.Identity -RegistrarPool 'yourlocationdependantpool' -SipAddressType emailaddress
Grant-CsLocationPolicy -Identity $user.Identity -PolicyName 'yourlocationpolicy' -Confirm:$False
}
Example #5: Enable all users in the company with a specific City attribute for Enterprise Voice with a specific Voice Policy, Dial Plan, Conferencing Policy, Location Policy. (Don’t forget a unique Line URI when you run the Set-CsUser command if one is required.)
$users = Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like '*@yourdomain.com' }
ForEach ($user in $users)
{
Enable-CsUser -Identity $user.Identity -RegistrarPool 'yourlocationdependantpool' -SipAddressType emailaddress
Set-CsUser -Identity $user.Identity -EnterpriseVoiceEnabled $True -Confirm:$False
Grant-CsConferencingPolicy -Identity $user.Identity 'yourconferencingpolicy' -Confirm:$False
Grant-CsDialPlan -Identity $user.Identity -PolicyName 'yourdialplan' -Confirm:$False
Grant-CsLocationPolicy -Identity $user.Identity -PolicyName 'yourlocationpolicy' -Confirm:$False
Grant-CsVoicePolicy -Identity $user.Identity -PolicyName 'yourvoicepolicy' -Confirm:$False
}
Example #6: The following example highlights PowerShell Remoting to remotely execute the enabling of user accounts from a separate computer.
$serviceuser = 'serviceuser'
$servicepassword = 'servicepassword' | ConvertTo-SecureString -AsPlainText -Force
$servicecredential = New-Object system.Management.Automation.PSCredential($serviceuser, $servicepassword)
$lyncsession = New-PSSession -ConnectionUri 'https://yourpoolname/ocspowershell' -Credential $servicecredential
$emailaddress = '*@yourdomain.com'
Invoke-Command -Session $lyncsession -ScriptBlock {
param ($emailaddress) Get-CsUser -Filter "WindowsEmailAddress -like '$emailaddress'" |
Enable-CsUser -RegistrarPool 'yourpool' -SipAddressType emailaddress
} -ArgumentList $emailaddress
Remove-PSSession $lyncsession
Example #7: The following example highlights looping through multiple cities and setting the proper pool and policies according to that city. This example uses a .CSV file that contains all the cities and their respective settings. You could accomplish the same thing through code by adding a custom object and then adding each city. Using a .CSV file is preferred as it will allow you to add/remove cities in the future without changing the script.
<#
Contents of an example cities.csv
Name,RegistrarPool,DialPlan,ConferencingPolicy,LocationPolicy,VoicePolicy
London,LondonPool,LondonDialPlan,LondonConferencingPolicy,LondonLocationPolicy,LondonVoicePolicy
Chicago,ChicagoPool,ChicagoDialPlan,ChicagoConferencingPolicy,ChicagoLocationPolicy,ChicagoVoicePolicy
Toronto,TorontoPool,TorontoDialPlan,TorontoConferencingPolicy,TorontoLocationPolicy,TorontoVoicePolicy
Sydney,SydneyPool,SydneyDialPlan,SydneyConferencingPolicy,SydneyLocationPolicy,SydneyVoicePolicy
#>
$cities = Import-Csv cities.csv
ForEach ($city in $cities) {
$users = Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like ‘*@yourdomain.com’ -and City -eq $city.Name }
ForEach ($user in $users)
{
Enable-CsUser -Identity $user.Identity -RegistrarPool $city.RegistrarPool -SipAddressType emailaddress
Set-CsUser -Identity $user.Identity -EnterpriseVoiceEnabled $True -Confirm:$False
Grant-CsConferencingPolicy -Identity $user.Identity $city.ConferencingPolicy -Confirm:$False
Grant-CsDialPlan -Identity $user.Identity -PolicyName $city.DialPlan -Confirm:$False
Grant-CsLocationPolicy -Identity $user.Identity -PolicyName $city.LocationPolicy -Confirm:$False
Grant-CsVoicePolicy -Identity $user.Identity -PolicyName $city.VoicePolicy -Confirm:$False
}
}
The following are some examples of automatically disabling users from Lync if their Active Directory account is disabled.
Example #1: Disabling Lync / Skype for Business from all users in Active Directory that are disabled.
Get-CsAdUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=2)(msRTCSIP-UserEnabled=TRUE))" | Disable-CsUser
Example #2: Remotely disabling Lync / Skype for Business from all users in Active Directory that are disabled.
$serviceuser = 'serviceuser'
$servicepassword = 'servicepassword' | ConvertTo-SecureString -AsPlainText -Force
$servicecredential = New-Object system.Management.Automation.PSCredential($serviceuser, $servicepassword)
$lyncsession = New-PSSession -ConnectionUri 'https://yourpoolname/ocspowershell' -Credential $servicecredential
Invoke-Command -Session $lyncsession -ScriptBlock {
Get-CsAdUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=2)(msRTCSIP-UserEnabled=TRUE))" |
Disable-CsUser
}
Remove-PSSession $lyncsession
Example #3: As requested, here is the solution to remotely disabling Lync / Skype for Business from all users in an Active Directory group. The key here is adjusting the LDAP Filter to only include members of a particular group.
$serviceuser = 'serviceuser'
$servicepassword = 'servicepassword' | ConvertTo-SecureString -AsPlainText -Force
$servicecredential = New-Object system.Management.Automation.PSCredential($serviceuser, $servicepassword)
$lyncsession = New-PSSession -ConnectionUri 'https://yourpoolname/ocspowershell' -Credential $servicecredential
Invoke-Command -Session $lyncsession -ScriptBlock {
Get-CsAdUser -LDAPFilter "(&(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com)(msRTCSIP-UserEnabled=TRUE))" |
Disable-CsUser
}
Remove-PSSession $lyncsession
Feel free to leave a comment with your required scenario and I will update this post with the solution.
These command’s are created for on premise server only, of do they work in Office 365 also?
These are specifically for On Premise but portions will work on Office 365 as well. I will prepare an Office 365 Skype for Business post that shows how to automate provisioning on Office 365.
Great article.
“$users = Get-CsAdUser -Filter { Enabled -ne $True -and WindowsEmailAddress -like ‘*@yourdomain.com’ -and City -eq ‘YourCityName’ }”
How do you recommend checking for multiple cities within this command? and maybe even looping to handle multiple pools?
To check for multiple cities there are a variety of ways to handle it. I updated the blog with Example $7 that shows one technique. The other technique would be to just have a separate $users line for each City with their respective settings or a custom object. The .csv import is a preferred method.
Hi Steve,
I’m trying to disable users in Lync based on a security group membership, could you help?
Nick
Posted the solution for you. Ensure to get the full DN for the group you are looking to include.
Steve I’m looking for a script to list all Skype users that have no dial plan policy specified. Everything I try gives me more output than I want or need. Any help would be appreciated.
It is usually best to set the Dial plan at the Site level as opposed to assigning each user one but I can help you out. As in you would like to know if a user is seen as Automatic in the Control Panel?
I setup multiple user dial plans in order to define my conferencing regions and site locations as all my users are apart of the same site with only one Front-end. I need to know how many users are inheriting the global dial plan or exactly as you stated set to automatic. Any help you can provide would be appreciated. Thanks again..
This should do it:
Get-Csuser -filter {DialPlan -notlike “*”}