I start of my first blogpost with a PowerShell script.
My experience is that most Active Directory admins disable a user in AD and move them to an OU called “Disabled Users” and underlying OU named by the month they are disabled. Then they delete disabled users every 3 month or so. Most AD admins don’t know that they also need to disable the Skype for Business user on the front end server.
Skype for Business clients authenticate against the front end by a certificate that’s created the first time they log on from the computer in use. This certificate is valid for up to 6 months.
John Doe is fired from Contoso. He had Skype for Business on a non-company laptop that he used at home. His AD account is disabled. John is still able to log on to Skype for Business on his personal laptop. Therefore he can make phone calls and see previous colleague’s presence information. This is not good at all. Especially if he start working for a competitor.
Not sure why it is like this also in Skype for Business, but I see it as a huge security risk.
Remember to disable account in AD and Skype for Business!
I have therefore created a small script that takes care of this. The script can be downloaded from TechNet:
I will continue to develop this script to add features.