Export (0) Print
Expand All
Expand Minimize



Topic Last Modified: 2013-02-22

Modifies the Active Directory account of the specified user or users; this modification prevents users from using Lync Server clients such as Lync 2013. The Disable-CsUser cmdlet only restricts activity related to Lync Server; it does not disable or remove a user’s Active Directory account. This cmdlet was introduced in Lync Server 2010.

Disable-CsUser -Identity <UserIdParameter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-PassThru <SwitchParameter>] [-WhatIf [<SwitchParameter>]]

Example 1 disables the Lync Server account for the user Ken Myer. In this example, the user's display name is used to indicate his Identity.

Disable-CsUser -Identity "Ken Myer"

In Example 2, all the users in the Finance department have their Lync Server accounts disabled. To carry out this task, the command first uses the Get-CsUser cmdlet and the LdapFilter parameter to return a collection of all the users who belong to the Finance department. That collection is then piped to the Disable-CsUser cmdlet, which disables each account in the collection.

Get-CsUser -LdapFilter "Department=Finance" | Disable-CsUser

In this example, all the user accounts not currently assigned to a Registrar pool are disabled. To do this, the Get-CsUser cmdlet is called, along with the UnassignedUser parameter. This parameter restricts the returned data to users who have valid user accounts but are not assigned to a Registrar pool. That collection is then piped to the Disable-CsUser cmdlet, which disables each account in the collection.

Get-CsUser -UnassignedUser | Disable-CsUser

The Disable-CsUser cmdlet deletes all the attribute information related to Lync Server from an Active Directory user account; this prevents the user from logging on to Lync Server. When you run the Disable-CsUser cmdlet all the Lync Server-related attributes are removed from an account, including the Identities of any per-user policies that have been assigned to that account. You can later re-enable the account by using the Enable-CsUser cmdlet. However, all the Lync Server-related information (such as policy assignments) previously associated with that account will have to be re-created. If you want to prevent a user from logging on to Lync Server, but do not want to lose all of their account information, use the Set-CsUser cmdlet instead. For details, see the Set-CsUser cmdlet help topic.

After an account has been disabled with the Disable-CsUser cmdlet, the affected user will no longer be returned by the Get-CsUser cmdlet; that’s because that user no longer has a valid Lync Server account. To retrieve information for the disabled user account, use the Get-CsAdUser cmdlet.

In addition, user data belonging to the deleted user account will be removed from the backend databases; for example, the user will be removed from Contacts lists in the organization, and any conferences scheduled by that user will be deleted.

Who can run this cmdlet: By default, members of the following groups are authorized to run the Disable-CsUser cmdlet locally: RTCUniversalUserAdmins. To return a list of all the role-based access control (RBAC) roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:

Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Disable-CsUser"}


Parameter Required Type Description




Indicates the Identity of the user account to be disabled. User Identities can be specified by using one of four formats: 1) the user's SIP address; 2) the user's user principal name (UPN); 3) the user's domain name and logon name, in the form domain\logon (for example, litwareinc\kenmyer); and, 4) the user's Active Directory display name (for example, Ken Myer). You can also reference a user account by using the Active Directory distinguished name.

You can use the asterisk (*) wildcard character when using the Display Name as the user Identity. For example, the Identity "* Smith" returns all the users who have a display name that ends with the string value " Smith".




Prompts you for confirmation before executing the command.




Enables you to connect to the specified domain controller in order to disable a user account. To connect to a particular domain controller, include the DomainController parameter followed by the computer name (for example, atl-cs-001) or its fully qualified domain name (FQDN) (for example, atl-cs-001.litwareinc.com).




Enables you to pass a user object through the pipeline that represents the user account being disabled. By default, the Disable-CsUser cmdlet does not pass objects through the pipeline.




Describes what would happen if you executed the command without actually executing the command.

String or Microsoft.Rtc.Management.ADConnect.Schema.ADUser object. The Disable-CsUser cmdlet accepts a pipelined string value representing the Identity of a user account that has been enabled for Lync Server. The cmdlet also accepts pipelined instances of the Active Directory user object.

The Disable-CsUser cmdlet does not return a value or object. Instead, the cmdlet configures instances of the Microsoft.Rtc.Management.ADConnect.Schema.ADUser object.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2014 Microsoft