Thursday, September 19, 2013

Disabling Lync access for Disabled AD Users

When you see this topic, the first question is: do I really need to disable Lync access separately for a user if I am disabling his/her AD account? The answer is YES.

Today I read the latest post on the Ehlo World blog by Lync Server MVP Pat Richard, "Finding AD Disabled Accounts Who are Still Lync Enabled". It is quite informative for admins, because we normally assume that disabling a user's AD account automatically disables his Lync access. That is not the case: a disabled AD user can still sign in to Lync for about 6 months. I was quite surprised when I read this and wanted to share it with the readers.


In his post Pat references an article by Exchange Server MVP Jeff Guillet on his "The EXPTA" blog, "Disabling a User in AD Does Not Disable the User In Lync", in which Jeff clearly explains why Lync sign-in still works for users after their AD account has been disabled.

Below is the relevant passage from Jeff's blog post:

When a user logs in to the Lync client and selects the Save My Password option, Lync Server will generate an X.509 certificate for the user. Lync will publish the certificate to the Lync RTC database and distribute it, along with the private key, to the personal certificate store of the user on the local computer. The certificate expires 180 days from the publication date and is used for further authentication for that user from that computer. Certificate authentication is convenient and speeds up the sign-in process significantly, but it means that Lync doesn't check the AD user account to see if it's disabled. If a disabled user signs into Lync using certificate authentication, they will still have access to all Lync features including IM, web conferencing and Enterprise Voice until the certificate expires.

Read Jeff's post to learn how to fix this issue by revoking the user's certificate and disabling Lync access for that user.

Read here : http://www.expta.com/2011/03/disabling-user-in-ad-does-not-disable.html

Also check this new and excellent article on the topic from MVP Andre Morpeth, which includes a real-time demo showing how this behavior actually works.

Check here: Lync Users Can Login After Domain Account Is Disabled

It should now be mandatory that, when a user leaves the organization, we disable the user's Lync access and revoke this certificate as part of our regular account termination procedure. This safeguards the information security of the organization.

Finally, let's come to Pat's post, "Finding AD Disabled Accounts Who are Still Lync Enabled", where he provides one-liner Lync Management Shell scripts that identify the users whose AD account is disabled but who are still enabled for Lync, and disable their access all at once in our environment.

Read here : http://www.ehloworld.com/265
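The following script is an added example of the same idea, written for this post; it is not Pat's or Jeff's code. It reports Lync-enabled users whose AD account is disabled, and with the -Remediate switch revokes their client certificate and disables Lync for them. It assumes the Lync Server Management Shell (Get-CsAdUser, Revoke-CsClientCertificate, Disable-CsUser) and that Get-CsAdUser exposes a UserAccountControl property containing "AccountDisabled" for disabled accounts.

```powershell
# Added example (not from the original post or the referenced blogs).
# Run in the Lync Server Management Shell with user-administration rights.
# Assumption: Get-CsAdUser output carries UserAccountControl with the
# "AccountDisabled" flag for AD-disabled accounts, and Enabled = $true
# for users still enabled for Lync.
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Lync-enabled users whose AD account is flagged as disabled
$orphaned = Get-CsAdUser -ResultSize Unlimited |
    Where-Object {
        $_.Enabled -eq $true -and
        $_.UserAccountControl -match 'AccountDisabled'
    } |
    Select-Object DisplayName, SipAddress, UserAccountControl

if (-not $orphaned) {
    Write-Host 'No Lync-enabled users with disabled AD accounts found.'
    return
}

# Report first so the list can be reviewed before anything is changed
$orphaned | Format-Table -AutoSize

if ($Remediate) {
    foreach ($u in $orphaned) {
        try {
            # Revoke the 180-day client certificate so cached certificate
            # authentication stops working immediately instead of at expiry
            Revoke-CsClientCertificate -Identity $u.SipAddress -ErrorAction Stop
            # Remove Lync access entirely. Use Set-CsUser -Enabled $false
            # instead if the user's Lync settings must be kept for re-enabling.
            Disable-CsUser -Identity $u.SipAddress -ErrorAction Stop
            Write-Host "Revoked certificate and disabled Lync for $($u.SipAddress)"
        }
        catch {
            # Keep going so one failure does not leave the rest untouched
            Write-Warning "Failed for $($u.SipAddress): $($_.Exception.Message)"
        }
    }
}
```

Run it without -Remediate first and review the list, then run it again with -Remediate to revoke the certificates and disable the accounts.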

These posts are great. They give us an opportunity to understand this potential issue, take the right steps in the near future when we encounter this scenario, and perform the appropriate action at the right time as guided, thus maintaining the information security of our organization.
