Tuesday 15 September 2015

Enabling and Disabling Skype for Business Users

Hello devoted readers.  Just a quick post today to discuss enabling and disabling user accounts in Lync and Skype for Business.

Enabling an account in Skype for Business is pretty straightforward.  The first requirement is that the user has an account in Active Directory.  

I could show you the steps for adding a user account in Active Directory Users and Computers, but where's the fun in that?  I like PowerShell and so should you ;).

Create the User

First, create and mail-enable the user. For this example I am creating a user called Mike Rowsoft. New-ADUser would work, but New-Mailbox kills two birds with one stone.

NOTE: The New-Mailbox cmdlet creates the user in Active Directory and mailbox-enables that new user in a single step.

To create the user, open the Exchange Management Shell as Administrator and run:
$password = Read-Host "Enter password" -AsSecureString
Enter the password when prompted, then create the mailbox-enabled user:
New-Mailbox -UserPrincipalName mike.rowsoft@domain.com -Alias Mike.Rowsoft -Database "Mailbox Database 1" -Name Mike.Rowsoft -OrganizationalUnit Users -Password $password -FirstName Mike -LastName Rowsoft -DisplayName "Mike Rowsoft" -ResetPasswordOnNextLogon $true
If you need to set additional attributes you can do that with PowerShell too, using the Set-ADUser cmdlet.

Now Skype for Business enable the user. Open the Skype for Business Server Management Shell as Administrator and run:
Enable-CsUser -Identity "Mike Rowsoft" -RegistrarPool "FrontEnd01.domain.com" -SipAddress "sip:mike.rowsoft@domain.com" | Set-CsUser -EnterpriseVoiceEnabled $True -LineURI "TEL:+44123549092;ext=9092"
And finally, UM-enable the user. Back in the Exchange Management Shell as Administrator:
Enable-UMMailbox -Identity mike.rowsoft@domain.com -UMMailboxPolicy UMMailboxPolicy -Extensions 9092
Once all of this is done you will have an AD user account that is mail-enabled, Skype for Business enabled and Exchange UM enabled. See? That was fun.

Now that your user has left the company you need to do some cleanup. You can of course just disable the user account in AD, but the user will still be enabled in Skype for Business. What's more, the user will still be able to sign in to Skype for Business for up to 180 days after the AD account has been disabled.

Really?

Yes. If a user signs in to Skype for Business and ticks the "Save my password" check box (see below), the server generates a certificate for that user to use for certificate-based authentication. This certificate is published to the RTC database, and also stored in the personal certificate store on the client PC along with its private key.

Top Tip

By default these certificates are valid for 180 days. Fellow UC blogger Mika Ullgren posted a great one-liner on Twitter to shorten their validity.

To do this, open the Skype for Business Server Management Shell as Administrator and run:
Set-CsWebServiceConfiguration -Identity site:site1 -DefaultValidityPeriodHours 24
This example sets the validity period to 24 hours. DefaultValidityPeriodHours can be any integer between 8 (hours) and 8760 (365 days); the default is 4320 (180 days).

Disable the User

1. First, disable the AD account in PowerShell:
Disable-ADAccount -Identity "Mike Rowsoft"

Note: This only disables the user account in Active Directory. You could do a little more here. In the following example I get the user, pipe it to Disable-ADAccount with -PassThru, and pipe the result on to Move-ADObject to move the account object to another OU.
Get-ADUser -Identity "Mike Rowsoft" | Disable-ADAccount -PassThru | Move-ADObject -TargetPath "OU=Disabled Users,DC=domain,DC=com"

2. Now disable the account in Skype for Business:
Disable-CsUser -Identity "Mike Rowsoft"

3. Now revoke the Skype for Business client certificate:
Revoke-CsClientCertificate -Identity "Mike Rowsoft"
Note: This doesn't remove the certificate from the client device, only from the server. If the user tries to authenticate with the certificate and it isn't found on the server, the authentication request is denied.

And that's it.  Easy right? 

As an extra value add I have written a script that can be used to perform the whole operation. The script asks for the name of the user account of a person who has left the company. It moves the user object to an OU you choose, disables the account in Active Directory, disables the account in Skype for Business and revokes the user's client certificate.

Version 1 of the script is available on the TechNet Gallery here.
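The offboarding sequence from steps 1 to 3, as an added example written for this post and not the author's TechNet Gallery script. It assumes the ActiveDirectory module and the Skype for Business Server cmdlets are loaded, that the user is looked up by sAMAccountName, and that the "Disabled Users" OU exists; it revokes the client certificate before Disable-CsUser, because Disable-CsUser strips the msRTCSIP-* attributes the identity lookup relies on.

```powershell
<#
 Offboarding helper written as an illustration for this post (not the author's
 TechNet Gallery script). Assumes the ActiveDirectory module and the Skype for
 Business Server cmdlets are loaded and that the target OU exists.
 Supports -WhatIf so the steps can be rehearsed before running for real.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,                                     # e.g. mike.rowsoft (assumed value)
    [string]$DisabledOU = "OU=Disabled Users,DC=domain,DC=com"   # assumed OU
)

# 1. Resolve the AD account. -ErrorAction Stop aborts on no match or an ambiguous one.
$user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
$upn  = $user.UserPrincipalName

# 2. Skype for Business clean-up, only if the account is actually enabled there.
#    Revoke the client certificate first: it is what lets the client keep signing
#    in for up to 180 days after the AD account is disabled, and Disable-CsUser
#    removes the SIP attributes that the identity lookup uses.
$csUser = Get-CsUser -Identity $upn -ErrorAction SilentlyContinue
if ($csUser) {
    Revoke-CsClientCertificate -Identity $upn
    Disable-CsUser -Identity $upn
    Write-Verbose "Revoked client certificate and disabled $($csUser.SipAddress)"
} else {
    Write-Verbose "$upn is not Skype for Business enabled; skipping that step."
}

# 3. Disable the AD account and park the object in the leavers OU.
$user | Disable-ADAccount -PassThru | Move-ADObject -TargetPath $DisabledOU

# 4. Report the end state so the result can be checked (and logged) in one place.
#    Get-CsUser returns nothing once the account has been disabled in SfB.
$after = Get-ADUser -Identity $user.ObjectGUID -Properties Enabled
[PSCustomObject]@{
    User       = $SamAccountName
    AdEnabled  = $after.Enabled
    Location   = $after.DistinguishedName
    SfbEnabled = [bool](Get-CsUser -Identity $upn -ErrorAction SilentlyContinue)
}
```

Run it as `.\Offboard-User.ps1 -SamAccountName mike.rowsoft -WhatIf` first to see each cmdlet's planned action without changing anything.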

Thanks for reading.  

If this or any other post has been useful to you please take a moment to share.  Comments are welcome.