Disabled AD User Account can still login to Lync

A disabled AD User Account can still login to Microsoft Lync 2013.

There is a certain behaviour with Microsoft Lync 2013 (and 2010 I believe) around authentication that can mean that when you disable an account in Active Directory, the user can still log in to the Lync client. This isn't ideal: the user is able to continue using services on the Lync platform, including Enterprise Voice, for the whole time they are connected, regardless of whether their account is enabled or not within Active Directory.

Doesn't sound great, does it! The reason for it is the way authentication is handled by the Lync client. If a user logs in to their Lync account and selects 'Save my Password', Lync will generate a certificate and install it in the user's certificate store; that certificate is then used to authenticate the client on later sign-ins, rather than the user's Active Directory password.


If you look at the certificate generated for the user, you can see that its validity period is often quite long:


In my demo environment, for example, you can see the validity is some 6 months! As long as this certificate is valid, the client will still be able to log in to Lync regardless of whether the Active Directory account is enabled or not... seems kinda crazy, doesn't it?

In reality, as part of the administrative process for disabling a user account you should include the step of explicitly disabling the Lync user account too, either within the Lync Control Panel or with PowerShell via the Lync Server Management Shell. Of course you can also add this option to your Active Directory Users & Computers plug-in and do it all at the same time! Why not? It makes admin far, far simpler.
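As an added example (not from the original post), here is a PowerShell function that performs the offboarding steps together: disable the AD account, disable the user for Lync, and revoke any client certificates Lync has issued to them. It assumes the ActiveDirectory module and the Lync Server Management Shell cmdlets (Get-CsUser, Set-CsUser, Get-CsClientCertificate, Revoke-CsClientCertificate) are available on the admin workstation, and that the user is identified by UPN.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory and Lync
# modules are installed and the caller has RTCUniversalUserAdmins-level rights.
function Disable-LyncEnabledUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    Import-Module Lync -ErrorAction Stop

    # Resolve the AD account from the UPN (Disable-ADAccount does not take a UPN directly)
    $adUser = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } -ErrorAction Stop
    if (-not $adUser) { throw "No AD user found for $UserPrincipalName" }

    # Step 1: disable the AD account. On its own this does NOT stop a client that
    # already holds a valid Lync certificate from signing in.
    if ($PSCmdlet.ShouldProcess($adUser.SamAccountName, 'Disable AD account')) {
        Disable-ADAccount -Identity $adUser.DistinguishedName
    }

    # Step 2: disable the user for Lync so the front end rejects the sign-in.
    $csUser = Get-CsUser -Identity $UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $csUser) {
        Write-Warning "$UserPrincipalName is not Lync-enabled; nothing more to do"
        return
    }
    if ($PSCmdlet.ShouldProcess($csUser.SipAddress, 'Disable for Lync')) {
        Set-CsUser -Identity $csUser.Identity -Enabled $false
    }

    # Step 3: revoke the 'Save my Password' client certificates so a cached one
    # cannot be reused for the remainder of its validity period.
    $certs = @(Get-CsClientCertificate -Identity $csUser.Identity -ErrorAction SilentlyContinue)
    if ($certs.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($csUser.SipAddress, "Revoke $($certs.Count) client certificate(s)")) {
        Revoke-CsClientCertificate -Identity $csUser.Identity
    }

    # Return the post-change state so the caller can verify it
    [pscustomobject]@{
        SamAccountName = $adUser.SamAccountName
        SipAddress     = $csUser.SipAddress
        ADEnabled      = (Get-ADUser -Identity $adUser.DistinguishedName).Enabled
        LyncEnabled    = (Get-CsUser -Identity $csUser.Identity).Enabled
    }
}

# Usage (supports -WhatIf for a dry run):
# Disable-LyncEnabledUser -UserPrincipalName 'jdoe@contoso.example' -WhatIf
```

Run with -WhatIf first to see the three actions that would be taken; the returned object should show ADEnabled and LyncEnabled both False afterwards.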

For examples on that bit see here:

Automating Common Administrative Tasks

The video below shows you the effects of this login process, and why you need to be aware of it.
