Expired User in AD still able to login to Lync

  • Question

  • Hi,

    We have a client who had a large number of associate workers who operate on short-term contracts. They normally set user accounts in AD to expire on the date that the piece of work completes.

    They have observed behaviour whereby even when an account has expired within AD the user is still able to log in to Lync and use all features including placing calls. If the account is actively marked as disabled in AD then this behaviour does not occur.

    Can someone confirm whether this is a bug or a "feature"? If the latter - would be intrigued to know why this behaviour was chosen.

    Many thanks,


    Thursday, August 25, 2011 2:02 PM

All replies

  • The expired account is most likely using a Lync client certificate to authenticate instead of AD credentials (which are disabled at this point).  I suppose it's possible that expired accounts are not specifically prevented from using client certs for auth in Lync, which I'd hope is an oversight.

    I would open a ticket with PSS to get that issue tracked and resolved if it is in fact a bug.

    Jeff Schertz, Microsoft Solutions Architect - Polycom | Lync MVP
    Thursday, August 25, 2011 3:46 PM
  • I can confirm this behavior is expected - we went through this scenario in my MCM rotation. Disabling a user in AD does not revoke the Lync certificate so a user can still use it to authenticate. It comes down to a process thing - you need to be sure to disable the user in Lync in addition to disabling the AD user account.

    I imagine you could also write a PowerShell script that searches for expired accounts and disables their Lync account.

    Thursday, September 1, 2011 12:47 AM
  • A similar problem is explained in this article http://www.expta.com/2011/03/disabling-user-in-ad-does-not-disable.html

    Friday, September 23, 2011 8:47 AM
  • Here is a short PowerShell script I came up with to handle this issue:

    Import-Module ActiveDirectory
    Import-Module Lync

    # Every user account under the OU that is flagged disabled in AD
    $disabled_users = Search-ADAccount -SearchBase "OU=Users,DC=domain,DC=local" -AccountDisabled -UsersOnly

    foreach ($user in $disabled_users) {
        # Get-CsUser only returns accounts that are still enabled for Lync; for anything else it
        # errors, so SilentlyContinue turns "not found" into $null. The UPN is used as the Identity
        # because the Cs cmdlets take a SIP address, UPN, domain\logon or display name.
        if (Get-CsUser -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue) {
            Write-Host "Disabling User: $($user.SamAccountName)"
            Disable-CsUser -Identity $user.UserPrincipalName
        }
        else {
            Write-Host "Already disabled: $($user.SamAccountName)"
        }
    }

    Monday, January 2, 2012 9:34 PM
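The script in the last post only catches accounts an admin has explicitly disabled, while the original question is about accounts that have merely passed their AD expiry date, which the client certificate lets through. Below is an added example (not code from the thread or from Microsoft) that covers both cases in one pass, as the earlier reply suggested. It assumes it is run from the Lync Server Management Shell (the `Lync` module) on a box that also has the RSAT `ActiveDirectory` module, that the OU path is a placeholder to be replaced, and that `Set-CsUser -Enabled`, `Disable-CsUser` and `Revoke-CsClientCertificate` are available on your Front End; `-WhatIf` is supported so it can be dry-run first.

```powershell
# Added example, not code from the thread. Run in the Lync Server Management Shell on a
# machine that also has the RSAT ActiveDirectory module; the OU below is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = "OU=Users,DC=domain,DC=local"   # placeholder, adjust for your domain
)

Import-Module ActiveDirectory
Import-Module Lync

# Search-ADAccount has a dedicated switch for each case: -AccountExpired finds the contractor
# accounts from the question (expiry date passed, but not flagged disabled), -AccountDisabled
# finds accounts an admin disabled by hand. Sort -Unique on SamAccountName makes sure an
# account that is both expired and disabled is handled only once.
$expired  = Search-ADAccount -SearchBase $SearchBase -AccountExpired  -UsersOnly
$disabled = Search-ADAccount -SearchBase $SearchBase -AccountDisabled -UsersOnly
$targets  = @($expired) + @($disabled) | Sort-Object -Property SamAccountName -Unique

foreach ($user in $targets) {
    # Lync identities are SIP/UPN based; an account without a UPN cannot have been Lync-enabled
    if (-not $user.UserPrincipalName) { continue }

    # Get-CsUser returns every Lync-enabled account, including ones already set Enabled=$false;
    # an account that was never enabled (or already removed with Disable-CsUser) errors instead,
    # so SilentlyContinue turns that into $null.
    $csUser = Get-CsUser -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $csUser) {
        Write-Verbose "$($user.SamAccountName): not enabled for Lync, nothing to do"
        continue
    }

    # Neither AD expiry nor AD disable touches the client certificate the user already holds,
    # which is exactly why a signed-in client keeps working. Revoke it first, while the Lync
    # identity still resolves.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Revoke-CsClientCertificate")) {
        Revoke-CsClientCertificate -Identity $user.UserPrincipalName
    }

    if ($user.Enabled) {
        # Expired but not disabled: the case from the question. Contracts get extended, so keep
        # the SIP address and policies and only switch the account off in Lync (reversible).
        $reason = "AD account expired $($user.AccountExpirationDate)"
        if ($csUser.Enabled -and
            $PSCmdlet.ShouldProcess($user.UserPrincipalName, "Set-CsUser -Enabled false ($reason)")) {
            Set-CsUser -Identity $user.UserPrincipalName -Enabled $false
        }
    }
    else {
        # Disabled in AD: the account is not coming back, remove the Lync attributes entirely
        $reason = "AD account disabled"
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Disable-CsUser ($reason)")) {
            Disable-CsUser -Identity $user.UserPrincipalName
        }
    }

    Write-Host "$($user.SamAccountName): $reason, Lync access removed"
}
```

Save it as a `.ps1` and run it once with `-WhatIf -Verbose` to see which accounts it would touch before scheduling it; because a Lync account can stay enabled for as long as the AD account sits expired, the job needs to run at least as often as the shortest contract turnaround, and the certificate revocation is the step that actually cuts off a client that is already signed in.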