Skype for Business and Deleted Accounts

Some companies have a policy of deleting AD accounts outright instead of disabling them, but you know better than that, right?  I have found many times that the deleted account never had its SfB account disabled (and sometimes not its mailbox either, but that is another article someday).  The Service Desk then creates a new account with the same UPN as the old one and enables it, which appears to work fine, but the user can never sign in to SfB because the SfB account is still tied to the deleted object.  SfB is not smart enough to disable its account when the AD object is deleted.  That is because the object is never really deleted: it is moved into the hidden Deleted Objects container, where AD-integrated services can still see it, together with its msRTCSIP-* attributes.

This assumes that the UPN of the deleted user matches the UPN of the newly created user.  Replace <UPN> below with the UPN of the user.

First, if there is a currently active SfB-enabled account with that UPN, it must be disabled, and you need to wait for replication into Office 365 before continuing.

Get-ADObject -Filter "UserPrincipalName -like '<UPN>'" -IncludeDeletedObjects -Properties * | Select-Object "msRTCSIP-PrimaryUserAddress", ObjectGUID, isDeleted, DistinguishedName, SamAccountName, Name, UserPrincipalName

If this does not return at least two objects (the live account plus one or more deleted ones), then either there is no deleted object with that UPN or you do not have permission to read the Deleted Objects container.  What we care about is whether msRTCSIP-PrimaryUserAddress is populated on a deleted object: each such object needs to be restored.  If there is more than one, restore them all, and each of them will then need to be disabled in SfB (marked with the red arrow in the original screenshot).

Restore-ADObject only works when the Active Directory Recycle Bin is enabled in the forest; without it the deleted object is a plain tombstone that has already lost the attributes we need.  By default the object is restored to the container it was deleted from (its lastKnownParent); -TargetPath lets you restore it somewhere else.  Either way the restored name must not collide with an existing object in that container.

From here you need to know the following information:

  • The domain it was deleted from: derived from the Distinguished Name
  • The object GUID: identifies the specific object to restore
  • The object SID: its last component (the RID) is unique within the domain, so we use it to build a restored name that cannot collide with anything else
  • Where to restore the object to: the Disabled Users OU for that domain, or wherever you keep disabled accounts

In the command below, the value passed to -NewName is the RID (the last part of the object's SID) followed by the username.  This ensures a unique name.  In this example <UniqueName> stands for that value and <GUID> is replaced with 566f0421-dff9-49fc-b11c-e4ee44fcb224.

The PowerShell command is the following:

Restore-ADObject -Identity <GUID> -NewName "<UniqueName>" -TargetPath "OU=Disabled Users,DC=child,DC=domain,DC=com"

Once that completes, Get-CsUser should return the user you just restored.  Because the live account shares the same UPN, the SIP address from msRTCSIP-PrimaryUserAddress (sip:...) is the unambiguous identity to use here; the UPN works as long as only the restored object is SfB-enabled.

Get-CsUser -Identity "<UPN>"

Then disable that user in SfB:

Disable-CsUser -Identity "<UPN>"

A restored object can come back with the account enabled, so disable it explicitly:

Disable-ADAccount -Identity <GUID>

Then you need to set a few other attributes so the restored object cannot collide with the newly created live account:

  • UserPrincipalName: the unique object name you passed to -NewName, with the domain suffix appended, for example "<UniqueName>@domain.com"
  • SamAccountName: the same unique object name (sAMAccountName for user accounts is limited to 20 characters, so shorten it if necessary)
  • DisplayName: something that marks it as the restored, disabled copy of the old account

Set-ADUser -Identity <GUID> -UserPrincipalName "<UniqueName>@domain.com" -SamAccountName "<SAMA>" -DisplayName "<DisplayName>" -CannotChangePassword:$true

Then wait for replication into Office 365.

Then re-create the user account in SfB (Enable-CsUser against the live account).

You can now delete the old account again, or do whatever crazy thing you normally do with your disabled users.
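The steps above wrapped into a single script, as an added example that is not part of the original post: it finds every deleted object with the given UPN that still carries a SIP address, restores each one into a holding OU under a RID-based name, removes it from SfB, disables it, and renames its UPN and logon name so it cannot be confused with the live account.  It assumes the AD Recycle Bin is enabled, the ActiveDirectory module and the Skype for Business management shell are loaded, the live account is not currently SfB-enabled (the first step of the post), and that the OU, parameter names and the RegistrarPool value are placeholders to replace for your environment.

```powershell
<#
  Added example (not from the original post). Automates the restore/disable/rename
  procedure for deleted SfB-enabled objects that block a re-created user.
  Assumptions: AD Recycle Bin enabled; ActiveDirectory module and SfB management shell
  loaded; $TargetOu, $RegistrarPool and the display-name format are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $Upn,                                  # e.g. jdoe@child.domain.com
    [string] $TargetOu = 'OU=Disabled Users,DC=child,DC=domain,DC=com',    # holding OU used in the post
    [string] $RegistrarPool,                                               # assumed SfB pool FQDN, only for -ReenableLiveUser
    [switch] $ReenableLiveUser                                             # second run, after replication has caught up
)

$ErrorActionPreference = 'Stop'
$props = 'msRTCSIP-PrimaryUserAddress', 'objectSid', 'isDeleted', 'lastKnownParent', 'sAMAccountName', 'userPrincipalName'

# Live and deleted objects come back together; deleted ones still carry these attributes
# only because the Recycle Bin preserved them.
$all     = Get-ADObject -Filter "userPrincipalName -eq '$Upn'" -IncludeDeletedObjects -Properties $props
$live    = @($all | Where-Object { -not $_.isDeleted })
$deleted = @($all | Where-Object { $_.isDeleted -and $_.'msRTCSIP-PrimaryUserAddress' })

if ($deleted.Count -eq 0) {
    Write-Host "No deleted, SfB-enabled object found for $Upn (or no permission on Deleted Objects)."
    return
}

$userPart, $domain = $Upn -split '@', 2

foreach ($obj in $deleted) {
    # The RID (last SID component) is unique in the domain, so "<RID>-<user>" cannot collide.
    $rid     = ($obj.objectSid.Value -split '-')[-1]
    $newName = "$rid-$userPart"
    $newSam  = $newName.Substring(0, [Math]::Min(20, $newName.Length))   # sAMAccountName limit for users
    $sip     = $obj.'msRTCSIP-PrimaryUserAddress'                         # e.g. sip:jdoe@child.domain.com

    # sAMAccountName must be unique per domain: if the Service Desk reused the old logon
    # name on the live account, the restore itself fails. Report and skip rather than half-restore.
    if ($live | Where-Object { $_.sAMAccountName -eq $obj.sAMAccountName }) {
        Write-Warning "Live account already uses sAMAccountName '$($obj.sAMAccountName)'; rename it before restoring $($obj.ObjectGUID)."
        continue
    }

    Write-Host "Restoring $($obj.ObjectGUID) ($sip) as $newName into $TargetOu"
    Restore-ADObject -Identity $obj.ObjectGUID -NewName $newName -TargetPath $TargetOu

    # Remove the SfB enablement first, addressing the user by SIP URI so the live account
    # (which shares the UPN) is never touched.
    Disable-CsUser -Identity $sip

    # The restored object can come back enabled; make it inert and give it a UPN and logon
    # name that cannot be confused with the live account.
    Disable-ADAccount -Identity $obj.ObjectGUID
    Set-ADUser -Identity $obj.ObjectGUID `
        -UserPrincipalName "$newName@$domain" `
        -SamAccountName $newSam `
        -DisplayName "$userPart (restored, disabled, RID $rid)" `
        -CannotChangePassword:$true
}

if ($ReenableLiveUser) {
    if (-not $RegistrarPool) { throw 'RegistrarPool is required to re-enable the live user in SfB.' }
    # Intended for a second run once AD and Office 365 replication have caught up:
    # the live account can now take the SIP address back.
    Enable-CsUser -Identity $Upn -RegistrarPool $RegistrarPool -SipAddressType UserPrincipalName
}
```

Run it once without -ReenableLiveUser to restore and neutralise the stale objects, wait for replication as the post describes, then run it again with -ReenableLiveUser and the pool FQDN to give the live account its SfB enablement.  The sAMAccountName check exists because a restore whose logon name is already taken by the live account fails outright, which is the most common reason this procedure stops halfway.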