Skype for Business 2015: Auto Enable Users with PowerShell

If you’re new to deploying Skype for Business 2015, or upgrading/migrating a previous Lync Business environment, you will quickly discover that in this version there is no method in the GUI provided (Skype for Business Server Control Panel) to easily mass-enable all users in your organization, or portion of organization, beyond the old Shift/Ctrl – Multi-Select. Nothing! In a similar manner there is no method in the GUI to automate enable users when they are created and no auto-tie-in process from Exchange 2013 (or other versions of Exchange) when the Exchange mailbox is created to kick this off, leaving it as a manual process by default. I’ll note that I run and schedule task these scripts from the Skype Front End server itself, not my workstation.

To resolve this, today we’re going to go over the details to:

  1. PowerShell the Enable-Users command from an AD Organizational Unit (OU) – (You can use AD Groups, etc. as well if you need)
  2. PowerShell the Disable-Users command from an AD Organizational Unit (OU) – We have a dedicated “Terminated Users” OU
  3. Create Scheduled Tasks to run both of these automatically and send notifications via e-mail in summary form for review


PowerShell Script to Enable Skype Users in an AD Organizational Unit

First up, we need to import the required modules in our script:

Import-Module activedirectory
Import-Module lync

Then we’re going to fill a variable in PowerShell with the users from the OU specified, to get the full OU Path as below for your chosen OU, in your AD Users and Computers console, right-click on the OU and select Properties > Attribute Editor, and you’re looking for the distinguishedName field:

$Users = Get-ADUser -Filter * -SearchBase "OU=UsersOU,DC=Domain,DC=Com"

The next step is the largest portion of the script, I’ll display it all below and then walk through a few of the steps we’re doing:

foreach ($member in $Users)
$aduser = Get-CsAdUser -Identity $member.UserPrincipalName | Where-Object {$_.enabled -ne "true"}

if($aduser -ne $())
$aduser.UserPrincipalName | Out-File C:\LogFileFolder\SkypeEnabledUsers.txt -Append
$Today = Get-Date
$OutPut = ((" Added to Skype On ") + ($Today))
$OutPut | Out-File C:\LogFileFolder\SkypeEnabledUsers.txt -Append
Enable-CsUser -identity $aduser.identity -RegistrarPool -SipAddressType UserPrincipalName

In the core of the script above, in the blue lines we’re starting our loop process, and for each User account found in the OU specified, we’re getting the Users “User Principal Name (UPN)”, which is the AD property which usually appears as, and then in the where-object command we’re seeing if they already exist in Skype for Business. (Aka: -ne is “not equal” to True (Enabled) – Our filter to only bother getting users that don’t yet exist in Skype)

The next red portion of the script is the other essential component if you don’t care about logging the results, the if statement is only true against a user account if it does not exist in Skype yet (as it’s checking if the $aduser variable is “not blank”), if it has a User Principal Name contained in it, then it jumps into the statement and runs the Enable-CsUser command, you just need to specify your Skype server DNS name in place of “”.

The intermediate green section of script in the process I use for both testing and sanity checks down the road to create some kind of logging of users that were enabled by the script. It is already nested as part of the if statement and so grabs the UPN passed into the script and writes that out to a text file (yes you could use a .CSV excel or delimited file as well if you prefer). Then it grabs the date and time and appends that to the same test file with the Username. In the case of this script I had to for some reason grab the date into a variable first and then write it out, using the Get-Date command directly in the $OutPut or Out-File commands was failing, but this achieves the same results.

Finally, because I don’t feel like navigating to the folder I’ve been creating the log file, in the same script I chose to have it e-mail me after running with the text log file attached, and have created a separate scheduled task to periodically (weekly for me) delete the text file so I’m getting a “Users Enabled This Week” e-mail daily. I’m not going to explain this piece of code much as it’s fairly self-explanatory and really easy to Google “E-Mail from PowerShell” if you have issues: (I’m sure clever scriptwriters can make this more efficient, but it does the job for my e-mail generation)

$obj = new-object psObject

function sendmail($body)
 $SmtpClient = new-object
 $MailMessage = New-Object
 $SmtpClient.Host = ""
 $mailmessage.from = ""
 $mailmessage.Subject = “Skype Users Enabled This Week: Attached.”
 $MailMessage.IsBodyHtml = $false
 $mailmessage.Body = $body
 $file = "C:\LogFileFolder\SkypeEnabledUsers.txt"
 $att = new-object Net.Mail.Attachment($file)

sendmail $obj

From this command we’re simply creating a basic e-mail via PowerShell, attaching the text file and sending it my way, you can have as many “$” recipients as you like if you need multiples.

That’s it! For the script at least, run this and everyone in the AD OU you specify that is not already enabled in Skype for Business will be enabled within a few minutes. Keep in mind while it should not be that intensive, if you have a huge organization and you pick an OU that gathers most users you may slow down your Skype server, or even AD, if the script has to work a while to enable everyone. This is why in the Scheduled Task section of this article I run the task late at night “just in case”. Next up, we’ll modify (shorten) the script a little and Disable users that are no longer needed, if your AD is structured in such a way to allow it.


PowerShell Script to Disable Skype Users in an AD Organizational Unit

First up, the way we use this script is based of our best practice, which depends who you talk to, of disabling but not deleting users in Active Directory. I’ve heard some call it a Microsoft Best Practice, but search results don’t seem to say for certain. In short, the core idea is that when you delete an account from AD completely you left behind a “behind the scenes” unique identifier “SID”. Most of you have seen this when looking at groups or folder permission as it resolves all the names of people except for a few that just have a really long number. If your ever in some form of security audit process this is an issue as you now have unidentified accounts (or account remains) listed…where you could have a name that resolves and simply make it part of the termination process to update the user description (the part that resolves) to “Disabled – User Name” or “Not Active – User Name”. As a result, my organization follows this practice and puts these “Inactive Users” into its own top-level OU called just that.

With that out-of-the-way, the script is fairly similar, mostly looking at this Inactive Users OU, essentially we’re just looking for all users in this OU, checking to see if they are enabled (red on the changes from the script above, no need to re-explain the whole process), and then run and log via the Disable-CsUser command. You’ll notice we don’t have to specify the Skype server this time, at least not in my scenario as we’re running these scripts on the Skype Server itself:

Import-Module activedirectory
Import-Module lync

$DisableUsers = Get-ADUser -Filter * -SearchBase "OU=Inactive Users,DC=domain,DC=com"
foreach ($member in $DisabledUsers)
$aduser = Get-CsAdUser -Identity $member.UserPrincipalName | Where-Object {$_.enabled -eq "true"}

if($aduser -ne $())
$aduser.UserPrincipalName | Out-File C:\LogFileFolder\SkypeDisabledUsers.txt -Append
$Today = Get-Date
$OutPut = ((" Removed from Skype On ") + ($Today))
$OutPut | Out-File C:\LogFileFolder\SkypeDisabledUsers.txt -Append
Disable-CsUser -identity $aduser.identity

As you’ll see above, it’s mostly variable name changes, on the Where-Object line we’ve changed the -ne to -eq as now we want to gather users that are enabled from that OU, so they can subsequently be disabled. Beyond that I output the results to a different log file, and then we run the Disable-CsUser command. I won’t repeat it from above, but I use the same e-mail command at the end of this script and just change the attachment, as well as the subject line.

Now we’ve both created scripts to Enable and Disable Skype users based on an Organization Unit, finally we’re schedule them as tasks, in my case daily overnight, so we only have to check the e-mails each day to verify they are working.


Creating a PowerShell Scheduled Task to Automate Skype Enable Users

This same process works for any PowerShell script you want to create as a scheduled task to run, it’s straight forward but worth mentioning here. I run these as a service admin account that has access to AD to modify users and is in the Skype admin groups, you can test with your own Admin ID to verify the access necessary. On your server in Scheduled Tasks, when you create new task, the only unique requirement for a Powershell script is you can’t call them directly like a .Bat file, so you need this for the “Action”, where you call Powershell and then pass it the argument of your .PS1 script file:


In the picture above the key paths are:

Program/script: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe

Add arguments: -command "C:\ScriptFolder\Script.PS1"

That’s it, set the scheduled task up like any other scheduled task on whatever schedule you would like and you won’t have to manually enable or disable Skype for Business users anymore! It will just take care of itself and if you use the feature, you’ll get an e-mail summary each time the script runs with the contents of the log file. In my implementation I titled the subjects of the e-mail “Users Enabled/Disabled This Week” because I run a script once every weekend as a scheduled PowerShell task to remove the log file which is simply: Remove-Item “C:\LogFileFolder\LogFile.txt”


Please follow and like us: