Topic Last Modified: 2010-10-27

Modifies the Active Directory account of the specified user or users; this modification prevents users from using Microsoft Lync Server 2010 clients such as Microsoft Lync 2010. Disable-CsUser only restricts activity related to Lync Server 2010; it does not disable or remove a user’s Active Directory account.


Disable-CsUser -Identity <UserIdParameter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-PassThru <SwitchParameter>] [-WhatIf [<SwitchParameter>]]


Parameter Required Type Description




Indicates the Identity of the user account to be disabled. User Identities can be specified by using one of four formats: 1) the user's SIP address; 2) the user's user principal name (UPN); 3) the user's domain name and logon name, in the form domain\logon (for example, litwareinc\kenmyer); and, 4) the user's Active Directory display name (for example, Ken Myer). You can also reference a user account by using the Active Directory distinguished name.

You can use the asterisk (*) wildcard character when using the Display Name as the user Identity. For example, the Identity "* Smith" returns all the users who have a display name that ends with the string value " Smith".




Enables you to connect to the specified domain controller in order to disable a user account. To connect to a particular domain controller, include the DomainController parameter followed by the computer name (for example, atl-cs-001) or its fully qualified domain name (FQDN) (for example,



Switch Parameter

Enables you to pass a user object through the pipeline that represents the user account being disabled. By default, the Disable-CsUser cmdlet does not pass objects through the pipeline.



Switch Parameter

Prompts you for confirmation before executing the command.



Switch Parameter

Describes what would happen if you executed the command without actually executing the command.

Detailed Description

The Disable-CsUser cmdlet deletes all the attribute information related to Lync Server from an Active Directory user account; this prevents the user from logging on to Lync Server. When you run Disable-CsUser all the Lync Server-related attributes are removed from an account, including the Identities of any per-user policies that have been assigned to that account. You can later re-enable the account by using the Enable-CsUser cmdlet. However, all the Lync Server-related information (such as policy assignments) previously associated with that account will have to be re-created. If you want to prevent a user from logging on to Lync Server, but do not want to lose all of their account information, use Set-CsUser instead. For details, see the Set-CsUser help topic.

After an account has been disabled with Disable-CsUser, the affected user will no longer be returned by the Get-CsUser cmdlet; that’s because that user no longer has a valid Lync Server account. To retrieve information for the disabled user account, use Get-CsAdUser.

In addition, user data belonging to the deleted user account will be removed from the backend databases; for example, the user will be removed from Contacts lists in the organization, and any conferences scheduled by that user will be deleted.

Who can run this cmdlet: By default, members of the following groups are authorized to run the Disable-CsUser cmdlet locally: RTCUniversalUserAdmins. To return a list of all the role-based access control (RBAC) roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:

Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Disable-CsUser"}

Input Types

String or Microsoft.Rtc.Management.ADConnect.Schema.ADUser object. Disable-CsUser accepts a pipelined string value representing the Identity of a user account that has been enabled for Lync Server. The cmdlet also accepts pipelined instances of the Active Directory user object.

Return Types

Disable-CsUser does not return a value or object. Instead, the cmdlet configures instances of the Microsoft.Rtc.Management.ADConnect.Schema.ADUser object.


-------------------------- Example 1 --------------------------

Copy Code
Disable-CsUser -Identity "Ken Myer"

The preceding Example disables the Lync Server account for the user Ken Myer. In this example, the user's display name is used to indicate his Identity.

-------------------------- Example 2 --------------------------

Copy Code
Get-CsUser -LDAPFilter "Department=Finance" | Disable-CsUser

In Example 2, all the users in the Finance department have their Lync Server accounts disabled. To carry out this task, the command first uses the Get-CsUser cmdlet and the LDAPFilter parameter to return a collection of all the users who belong to the Finance department. That collection is then piped to Disable-CsUser, which disables each account in the collection.

-------------------------- Example 3 --------------------------

Copy Code
Get-CsUser -UnassignedUser | Disable-CsUser

In the preceding example, all the user accounts not currently assigned to a Registrar pool are disabled. To do this, Get-CsUser is called, along with the UnassignedUser parameter. This parameter restricts the returned data to users who have valid user accounts but are not assigned to a Registrar pool. That collection is then piped to Disable-CsUser, which disables each account in the collection.

See Also

Other Resources