
One Liners: Finding AD Disabled Accounts Who are Still Lync/Skype for Business Enabled

Fellow MVP Jeff Guillet wrote an article about the fact that disabling a user’s Active Directory account doesn’t mean they can’t log into Lync/Skype for Business. This is due to the way Lync uses certificates and authentication based on them. I highly recommend you read the article.

I recently was writing some documentation for a customer and wanted to include this important information, including methods for resolving the problem after the fact.

If you’ve not been disabling users in Lync while disabling them in AD, here’s a one liner to find those users:

Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | Format-Table Name,Enabled,SipAddress -auto

You can shorten it somewhat by not checking if $_.Enabled is $true, but just that it exists. You can get a count of the users using:

Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled} | Measure-Object

and, if you want, can disable them in one line using

Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled} | Disable-CsUser

Update 09-14-2012: Be careful using that last option if you’ve configured test accounts for synthetic testing using the New-CsHealthMonitoringConfiguration cmdlet as I mention in Lync Synthetic Tests: What They are and When They Don’t Work – Part I.

Update 04-12-2014: Replaced aliases with full cmdlet per best practices.

Update 09-19-2014: Added -ResultSize Unlimited
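
The one-liners above combined into a report-first script, as an added example that is not part of the original post: it skips the synthetic-test accounts mentioned in the 09-14-2012 update plus a keep list, does nothing when there are no matches, and disables only when asked. The keep-list entry, report path and mail settings are hypothetical placeholders.

```powershell
# Added example, not the author's code. Run it from the Lync/Skype for Business
# Management Shell. All default values below are hypothetical placeholders.
param(
    [string[]]$KeepSipAddresses = @('sip:svc-keep@contoso.local'),
    [string]$ReportPath = 'C:\Temp\DisabledAdStillLyncEnabled.csv',
    [string]$MailTo     = 'lyncadmin@contoso.local',
    [string]$MailFrom   = 'lyncadmin@contoso.local',
    [string]$SmtpServer = 'mylocalsmtpserver.contoso.local',
    [switch]$Disable    # without this switch the script only reports
)

# Synthetic-transaction test accounts have to stay enabled, so collect their
# SIP URIs from every health monitoring configuration and exclude them.
$testUsers = Get-CsHealthMonitoringConfiguration | ForEach-Object {
    $_.FirstTestUserSipUri
    $_.SecondTestUserSipUri
} | Where-Object { $_ }
$exclude = @($KeepSipAddresses) + @($testUsers)

# Same filter as the one-liner, minus the excluded SIP addresses
# (-notcontains compares case-insensitively).
$stale = @(Get-CsAdUser -ResultSize Unlimited | Where-Object {
    $_.UserAccountControl -match 'AccountDisabled' -and
    $_.Enabled -and
    $exclude -notcontains $_.SipAddress
})

# Nothing found: no report, no e-mail, no changes.
if ($stale.Count -eq 0) {
    Write-Output 'No AD-disabled accounts are still Lync/Skype for Business enabled.'
    return
}

$stale | Select-Object Name, Enabled, SipAddress |
    Export-Csv -Path $ReportPath -NoTypeInformation

Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
    -Subject "AD-disabled accounts still Lync enabled: $($stale.Count)" `
    -Body 'See the attached report.' -Attachments $ReportPath

if ($Disable) {
    # -Confirm prompts for each account; use -WhatIf instead for a dry run.
    $stale | Disable-CsUser -Confirm
}
```

Review the CSV from a report-only run before running again with -Disable.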

  1. Tim B
    November 2nd, 2012 at 12:39 | #1

    Just what I was looking for! Thanks for the script.

  2. Phila
    April 15th, 2014 at 11:31 | #2

    How can you create an automation on this to have it run weekly and email the result to myself like every Monday morning?

  3. August 19th, 2014 at 11:17 | #3


    You can pipe that information to Export-CSV which will yield a Comma Separated File you can view with Excel

    Get-CsAdUser | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | Export-CSV C:\Temp\WeeklyReport.csv

    Then afterwards you can leverage the Send-MailMessage from Powershell to automatically send off the email

    Send-MailMessage -Attachments C:\Temp\WeeklyReport.csv -To 'somebodyimportant@contoso.local' -Body 'Weekly Report for Old Lync users' -From 'lyncadmin@contoso.local' -Subject 'Weekly Lync Report' -SmtpServer 'mylocalsmtpserver.contoso.local'

    You would embody the whole thing as a single .PS1 file and then using standard Scheduled Tasks, schedule it as a recurring task.

    PowerShell.exe -executionpolicy Bypass -file LyncReport.ps1


    • Pat Richard
      August 19th, 2014 at 11:19 | #4

      I’d want to include the -NoTypeInformation switch when calling Export-Csv.

  4. Tony Hart
    June 15th, 2015 at 13:26 | #5

    Hi Pat. I love your Lync/S4B powershell scripts and have found quite a few of them useful. This little gem came in particularly useful. After a little bit of tweaking I managed to make something a little more eye friendly using your script and following some script voodoo from Exchange Server Pro.

    # CSS for the HTML report, passed to ConvertTo-Html -Head
    $a = "<style>"
    $a = $a + "BODY{background-color:peachpuff;}"
    $a = $a + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
    $a = $a + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:thistle}"
    $a = $a + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:PaleGoldenrod}"
    $a = $a + "</style>"

    $smtpServer = "smtp.watsammattau.edu"
    $smtpFrom = "Lync_Support_Team@watsammattau.edu"
    $smtpTo = "Lync_Support_Team@watsammattau.edu"
    $messageSubject = "Weekly Disabled AD Users"
    $message = New-Object System.Net.Mail.MailMessage $smtpFrom, $smtpTo
    $message.Subject = $messageSubject
    $message.IsBodyHtml = $true
    $message.Body = Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | Select-Object Name,Enabled,SipAddress | ConvertTo-HTML -head $a
    $smtp = New-Object net.mail.smtpclient($smtpServer)
    # Send the report; as posted, the message was built but never sent
    $smtp.Send($message)

    Get-CsAdUser -Filter {UserAccountControl -eq "AccountDisabled, NormalAccount" -and Enabled -eq $true} | Set-CsUser -Enabled $false

  5. Tony Hart
    June 16th, 2015 at 10:27 | #6

    The one thing it lacks is a mechanism that says if there are no names to list, not run or send the email.

  6. Joseph
    June 26th, 2017 at 17:57 | #7

    Thank you very much for this, all 3 of these commands worked flawlessly and did exactly what I needed. We sadly did not have a very good termination policy in place up until mid last year and this really covered us to make sure none of these accounts slipped past. A shocking 183 were still active up until I ran this. Again thanks for powershell commands, they helped a bunch.

  7. Rakesh Chauhan
    November 10th, 2017 at 06:50 | #8

    To get the names of the disabled accounts:

    Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | Format-Table Name

  8. Michael
    January 26th, 2018 at 17:21 | #9

    If I run the script as is like you mention I will lose certain accounts that I still need. Is there a way to modify the script to exclude certain accounts?

    Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled} | Disable-CsUser

    • January 26th, 2018 at 17:23 | #10

      Anything is possible. But you didn’t include info on how to identify the accounts you need to keep. Without that, I can’t help.

  9. Edwin Crescini
    October 29th, 2019 at 10:56 | #11

    I just want further clarification on this. If the Lync/Skype environment does NOT allow remote users and there are NO MOBILE DEVICES with Skype/Lync, this does not apply, correct? Our environment is pretty locked down. They are using managed machines and our LYNC/SKYPE does not allow REMOTE logins. I just want to test my understanding if it’s correct.

    • October 29th, 2019 at 23:52 | #12

      It doesn’t mean that it doesn’t apply – just that the risk is lower.

  10. Danish
    February 11th, 2020 at 07:18 | #13

    Hi folks,

    Can I get those accounts list in forms of UserName or email which are disabled in AD and Lync/Skype for business disabled? I want to find all users using my console application.

    Can anyone let me know how to do this? Thanks in Advance.
