Disable-CsUser
Topic Last Modified: 2012-03-23
Modifies the Active Directory account of the specified user or users; this modification prevents users from using Microsoft Lync Server 2010 clients such as Microsoft Lync 2010. Disable-CsUser only restricts activity related to Lync Server 2010; it does not disable or remove a user’s Active Directory account.
Syntax
Disable-CsUser -Identity <UserIdParameter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-PassThru <SwitchParameter>] [-WhatIf [<SwitchParameter>]]
Detailed Description
The Disable-CsUser cmdlet deletes all the attribute information related to Lync Server from an Active Directory user account; this prevents the user from logging on to Lync Server. When you run Disable-CsUser all the Lync Server-related attributes are removed from an account, including the Identities of any per-user policies that have been assigned to that account. You can later re-enable the account by using the Enable-CsUser cmdlet. However, all the Lync Server-related information (such as policy assignments) previously associated with that account will have to be re-created. If you want to prevent a user from logging on to Lync Server, but do not want to lose all of their account information, use Set-CsUser instead. For details, see the Set-CsUser help topic.
After an account has been disabled with Disable-CsUser, the affected user will no longer be returned by the Get-CsUser cmdlet; that’s because that user no longer has a valid Lync Server account. To retrieve information for the disabled user account, use Get-CsAdUser.
In addition, user data belonging to the deleted user account will be removed from the backend databases; for example, the user will be removed from Contacts lists in the organization, and any conferences scheduled by that user will be deleted.
Who can run this cmdlet: By default, members of the following groups are authorized to run the Disable-CsUser cmdlet locally: RTCUniversalUserAdmins. To return a list of all the role-based access control (RBAC) roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:
Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Disable-CsUser"}
Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
Identity |
Required |
UserIdParameter |
Indicates the Identity of the user account to be disabled. User Identities can be specified by using one of four formats: 1) the user's SIP address; 2) the user's user principal name (UPN); 3) the user's domain name and logon name, in the form domain\logon (for example, litwareinc\kenmyer); and, 4) the user's Active Directory display name (for example, Ken Myer). You can also reference a user account by using the Active Directory distinguished name. You can use the asterisk (*) wildcard character when using the Display Name as the user Identity. For example, the Identity "* Smith" returns all the users who have a display name that ends with the string value " Smith". |
DomainController |
Optional |
String |
Enables you to connect to the specified domain controller in order to disable a user account. To connect to a particular domain controller, include the DomainController parameter followed by the computer name (for example, atl-cs-001) or its fully qualified domain name (FQDN) (for example, atl-cs-001.litwareinc.com). |
PassThru |
Optional |
Switch Parameter |
Enables you to pass a user object through the pipeline that represents the user account being disabled. By default, the Disable-CsUser cmdlet does not pass objects through the pipeline. |
Confirm |
Optional |
Switch Parameter |
Prompts you for confirmation before executing the command. |
WhatIf |
Optional |
Switch Parameter |
Describes what would happen if you executed the command without actually executing the command. |
Input Types
String or Microsoft.Rtc.Management.ADConnect.Schema.ADUser object. Disable-CsUser accepts a pipelined string value representing the Identity of a user account that has been enabled for Lync Server. The cmdlet also accepts pipelined instances of the Active Directory user object.
Return Types
Disable-CsUser does not return a value or object. Instead, the cmdlet configures instances of the Microsoft.Rtc.Management.ADConnect.Schema.ADUser object.
Example
-------------------------- Example 1 --------------------------
Disable-CsUser -Identity "Ken Myer"
The preceding Example disables the Lync Server account for the user Ken Myer. In this example, the user's display name is used to indicate his Identity.
-------------------------- Example 2 --------------------------
Get-CsUser -LDAPFilter "Department=Finance" | Disable-CsUser
In Example 2, all the users in the Finance department have their Lync Server accounts disabled. To carry out this task, the command first uses the Get-CsUser cmdlet and the LDAPFilter parameter to return a collection of all the users who belong to the Finance department. That collection is then piped to Disable-CsUser, which disables each account in the collection.
-------------------------- Example 3 --------------------------
Get-CsUser -UnassignedUser | Disable-CsUser
In the preceding example, all the user accounts not currently assigned to a Registrar pool are disabled. To do this, Get-CsUser is called, along with the UnassignedUser parameter. This parameter restricts the returned data to users who have valid user accounts but are not assigned to a Registrar pool. That collection is then piped to Disable-CsUser, which disables each account in the collection.