Topic Last Modified: 2011-03-16

To allow single sign-on when a disabled user account is enabled for a Microsoft Exchange Server mailbox, use the SID Mapping Tool to map the security identifier (SID) of a disabled user account in the resource forest to the corresponding primary user account in the user forest. The SID Mapping Tool is delivered as part of the Lync Server 2010 Resource Kit.

To map the SID of a disabled user account

  1. Log on to a server joined to an Active Directory domain in the resource forest using an account that is a member of the Domain Admins group.

  2. At the command prompt, run the following command to make cscript the default script host for Windows Script Host:

    wscript //h:cscript

  3. In the confirmation box, click OK.

  4. Change the path of the command prompt by running the following command:

    cd %programfiles%\Microsoft Lync Server 2010\Reskit\LCSSync

  5. Review the resource forest accounts that will be updated by running the following command:

    sidmap.wsf /OU:<DN of container with disabled user accounts> /query

    where:

    • /OU specifies the distinguished name (DN) of the container with the disabled user accounts.

      To represent the DN, use the following format:

      OU=<name>,DC=<domain name>,DC=<subdomain name>

      For example, OU=Accounting,DC=contoso,DC=com

    • /query limits the SID Mapping Tool to only query the resource forest and not populate the attributes.

    The command returns a list of disabled user accounts in the resource forest.

  6. Populate the attributes in the resource forest by running the following command:

    sidmap.wsf /OU:<DN of container with disabled user accounts> [/logfile:<path\filename>]

    Where /logfile is an optional parameter that saves the results of your operation to a file for your records. This log file is automatically populated with a list of logon-disabled and Lync Server-enabled users.
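
The following PowerShell wrapper is an added example, not part of the SID Mapping Tool or the Resource Kit. It runs steps 4 through 6 as one reviewed, logged operation: it checks that the container exists, saves the /query output, requires an explicit confirmation, and only then populates the attributes with /logfile set. The parameter names, the log folder and the confirmation prompt are assumptions; the tool path and the /OU, /query and /logfile switches are the ones used in the procedure.

```powershell
# Added example. $OuDn, $LogDir and the YES prompt are assumptions, not tool features.
param(
    [Parameter(Mandatory = $true)]
    [string]$OuDn,                                  # for example 'OU=Accounting,DC=contoso,DC=com'
    [string]$LogDir = "$env:USERPROFILE\sidmap-logs"
)

$ErrorActionPreference = 'Stop'

# Tool location from step 4 of the procedure.
$toolDir = Join-Path $env:ProgramFiles 'Microsoft Lync Server 2010\Reskit\LCSSync'
$sidmap  = Join-Path $toolDir 'sidmap.wsf'
if (-not (Test-Path -LiteralPath $sidmap)) { throw "sidmap.wsf not found in $toolDir" }

# Stop before touching anything if the DN does not resolve to a directory object.
if (-not [ADSI]::Exists("LDAP://$OuDn")) { throw "Container not found: $OuDn" }

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$queryFile = Join-Path $LogDir "sidmap-query-$stamp.txt"
$logFile   = Join-Path $LogDir "sidmap-run-$stamp.log"

Push-Location $toolDir
try {
    # Step 5: query-only pass. Calling cscript.exe explicitly means the default
    # script host (steps 2 and 3) does not have to be changed on this server.
    & cscript.exe //nologo $sidmap "/OU:$OuDn" /query | Tee-Object -FilePath $queryFile

    # Review gate: nothing is written to the directory without an explicit YES.
    $answer = Read-Host 'Populate attributes for the accounts listed above? Type YES to continue'
    if ($answer -cne 'YES') {
        Write-Host "No changes made. Query output saved to $queryFile"
        return
    }

    # Step 6: populate the attributes and keep the tool's own log for the record.
    & cscript.exe //nologo $sidmap "/OU:$OuDn" "/logfile:$logFile"

    if (Test-Path -LiteralPath $logFile) {
        Write-Host "Query output: $queryFile"
        Write-Host "Run log:      $logFile"
    } else {
        Write-Warning "Expected log file was not created: $logFile"
    }
}
finally { Pop-Location }
```

Run it from a PowerShell session opened with the Domain Admins account from step 1, and keep the saved query output together with the run log as the record of which accounts were changed.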