Automatically enable users in a particular OU for Lync 2010

In Lync 2010, users are enabled through either the Lync Server Management Shell or the web-based Lync Control Panel, so most administrators now have to use two different interfaces: one for creating users and another for enabling them for Lync. This is too cumbersome for many admins, especially in situations where almost everyone in an organization has to be enabled for Lync. I have received various requests for automating the process, so I thought I would document it here for all. The idea is to schedule a task that runs a PowerShell cmdlet to automatically Lync-enable any users in an OU who have not been enabled yet. Here is a quick and dirty way to get it ‘done’.

First we create the script that will enable the users in a specific OU. Copy and paste the following two lines into Notepad and save the file as “C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.PS1” (you can choose any other suitable location):

import-module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'
get-csaduser -filter {Enabled -ne $True} -OU "ou=Employees,dc=treyresearch,dc=net" | Enable-CsUser -RegistrarPool <RegistrarPoolFQDN> -SipAddressType EmailAddress

Let’s break it down line by line (since there are just two of them, and I have time to kill). The first line imports the Lync module into PowerShell; since the module does not sit in the usual location for PS modules, you have to specify the complete path to the file.

The second line is made up of two separate commands. The first part, get-csaduser -filter {Enabled -ne $True} -OU "ou=Employees,dc=treyresearch,dc=net", searches for all users in a particular OU who have not yet been enabled for Lync 2010. The second part enables each of those users on a particular pool (replace the <RegistrarPoolFQDN> placeholder with the FQDN of your Registrar pool), using the user’s email address as their SIP address.

Now that we have a script, we need to make sure that we can run it on the server. To do so, you need to either “sign” the script or relax the execution policy on the server so that it will run unsigned. Since this is a “get-it-done” post, I chose the easy way. Setting the policy to RemoteSigned lets scripts created locally run without a signature, while scripts downloaded from the Internet still need one. Just head over to PowerShell and type in the following command:

Set-ExecutionPolicy RemoteSigned
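
For servers where relaxing the policy is not acceptable, the signing route mentioned above looks like this. It is an added example, not part of the original post; it assumes a code-signing certificate that the server trusts is already installed in the signing user's personal certificate store, and Test-ScriptSignature is a helper name made up for the example.

```powershell
# Added example: sign the scheduled script and verify the signature afterwards.
# Assumption: a trusted code-signing certificate already exists in Cert:\CurrentUser\My.
$ScriptPath = 'C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.ps1'

# Pick the unexpired code-signing certificate with the latest expiry date.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No unexpired code-signing certificate in Cert:\CurrentUser\My' }

# Append the Authenticode signature block to the script file.
$signed = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert
if ($signed.Status -ne 'Valid') {
    throw "Signing failed: $($signed.Status) - $($signed.StatusMessage)"
}

# Returns $true only if the file is intact and was signed by the expected certificate.
# Any edit made to the file after signing changes Status to HashMismatch.
function Test-ScriptSignature([string]$Path, [string]$Thumbprint) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)
}

if (-not (Test-ScriptSignature $ScriptPath $cert.Thumbprint)) {
    throw "Signature check failed for $ScriptPath"
}
"Signed by $($cert.Subject), thumbprint $($cert.Thumbprint)"
```

Under RemoteSigned a locally created script runs whether or not it is signed; the signature is only enforced when the policy in effect is AllSigned.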

Next, go to Task Scheduler (Start > Run > taskschd.msc) and choose “Create Basic Task…”

Assign a Name and Description and then click on Next.

Choose how often you would like to run the task and click on Next (I chose a Daily task).

Choose when you would like to run the task and click on Next.

Select “Start a program” and then click on Next again.

Browse to powershell.exe on your system and provide the script created earlier as an argument (-File "C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.ps1"). Type the quotation marks yourself as plain straight quotes: with curly quotes pasted in from a web page, the script will not run.


Click on Finish to complete the wizard.
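
A scheduled run has no console, so a version of the script that records what it did is easier to troubleshoot and to audit. The following is an added example, not the original two-line script: the log path C:\Logs, the <RegistrarPoolFQDN> placeholder, the Write-Log helper and the LDAP filter (enabled accounts with a mail attribute that are not yet Lync-enabled) are assumptions to adapt.

```powershell
# Added example: the OU enable job with an audit log and a meaningful exit code.
$ErrorActionPreference = 'Stop'                          # make cmdlet errors catchable
$RegistrarPool = '<RegistrarPoolFQDN>'                   # placeholder: FQDN of your pool
$OU            = 'ou=Employees,dc=treyresearch,dc=net'   # OU used in the post
$LogFile       = 'C:\Logs\EnableUsersForLync.log'        # assumed log location

function Write-Log([string]$Message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp $Message"
}

# Enabled AD accounts with a mail attribute that are not yet Lync-enabled.
$ldap = '(&(objectClass=user)(mail=*)' +
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
        '(!(msRTCSIP-UserEnabled=TRUE)))'

$failed = 0
try {
    $logDir = Split-Path -Parent $LogFile
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
    Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'

    $users = @(Get-CsAdUser -OU $OU -LdapFilter $ldap)
    Write-Log ('START as {0}\{1}: {2} candidate(s) in {3}' -f $env:USERDOMAIN, $env:USERNAME, $users.Count, $OU)

    foreach ($user in $users) {
        try {
            $user | Enable-CsUser -RegistrarPool $RegistrarPool -SipAddressType EmailAddress
            Write-Log "ENABLED $($user.UserPrincipalName)"
        } catch {
            $failed++
            Write-Log "FAILED  $($user.UserPrincipalName): $($_.Exception.Message)"
        }
    }
} catch {
    # Log directory, module import or directory query failed.
    $fatal = $_.Exception.Message
    try { Write-Log "FATAL   $fatal" } catch { Write-Warning $fatal }
    exit 2
}
if ($failed -gt 0) { exit 1 }   # some users could not be enabled
exit 0
```

The exit code (0 for a clean run, 1 when some users failed, 2 for a fatal error) is what Task Scheduler shows as the task's last run result, and the log records which account the job ran as and which users it enabled.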


Running PowerShell Scripts
Configuring Scheduled Tasks

Comments (12)

  1. Hi,

    I have used your script in my deployment and created a scheduled task.  The task is set to run  every night using a service account to run the task (service account has RTCUniversalUserAdmins rights).

    However, on checking AD the next day new users are not enabled for Lync (no SIP address).  If I manually run the .PS1 file in powershell on the server, it enables users fine, so I know it's not the script 😉

    If I run the task manually from the server, it does not work, but the task scheduler history reports the task as being completed successfully (manual or scheduled).

    Have you any ideas where I may be going wrong?

    A cheeky additional question too if I may!  Is there also a way to exclude accounts that have been disabled in AD?

    Thanks in advance

  2. Anthony says:

    I'm having the exact same issue as @D Clayton.

  3. Anthony says:

    Oh I found the problem I was having.  I had copied and pasted “C:\Program Files\Common Files\Microsoft Lync Server 2010\EnableUsersForLync.ps1” from above and edited the text for my script.  The quote marks have to be replaced in scheduler or the script won't run.  Thanks for the article!

  4. Akshat N says:

    @Anthony : Thanks for posting the solution!

    @D Clayton: Hope you have figured out the automatic scheduling issue by now.

    To exclude disabled AD accounts use the following script:

    import-module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'

    get-csaduser -LdapFilter "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(msRTCSIP-UserEnabled=TRUE)))" | Enable-CsUser -RegistrarPool -SipAddressType EmailAddress

    PS: There may be a better way to write this query

  5. Stefan says:

    Hi there, what if I would like to enable users that are members of a group instead? What should that script look like?

  6. Akshat N says:

    @Stefan : You can use the built-in ActiveDirectory module in PowerShell or the Quest Active Directory cmdlets (…/activeroles-server.aspx) to evaluate groups and then pass the result to Enable-CsUser.

    The script will look something as follows (I have not tested it) :

    Import-Module Lync

    Import-Module ActiveDirectory

    Get-ADGroupMember -Identity <ADGroup> | Enable-CsUser -RegistrarPool -SipAddressType EmailAddress

    For Quest module:

    Get-QADGroupMember -Identity <ADGroup> | Enable-CsUser -RegistrarPool -SipAddressType EmailAddress

    Let me know if this doesn't help, I can probably do a more detailed blog post for this.

  7. Brian says:

    how do you use this to also enable for enterprise voice?

  8. Phil K says:

    I need to enable all users in AD not just a single OU. I cannot seem to get the proper code for that… any help would be greatly appreciated.

  9. D Clayton says:

    Replaced the quote marks and it's working a treat!  Can't believe it was that simple!


  10. Wyrdone says:

    Here is the Lync Group Enable script I came up with. (Pretty quick and dirty.)

    import-module "<your path here>Lync.psd1"

    import-module activedirectory

    $ad_lync_name = Get-ADGroupMember -Identity LyncEnabled

    foreach ($objitem in $ad_lync_name){

    $lync_user = Get-CSAdUser -Identity $

    If ($lync_user.Enabled -eq $False){

    Enable-CsUser -Identity $ -RegistrarPool -SipAddressType EmailAddress

    Grant-CsClientPolicy -Identity $ -PolicyName YourClientPolicy



  11. i3laze says:

    When you skip -OU parameter at Get-CsAdUser, you get all users in the Forest!

    Maybe someone will find this useful:

    $OUUsers = &{Get-CsAdUser -Filter {Enabled -ne $True} | Where-Object {$_.UserAccountControl -notlike "*AccountDisabled*"} | Where-Object {$_.WindowsEmailAddress -ne ""} | Where-Object {$_.SIPAddress -eq ""} };

    $OUUsers | Foreach-Object {Enable-CsUser -Identity $_.UserPrincipalName -RegistrarPool $LyncServer -SipAddressType EmailAddress}

  12. soccerguru says:

    This script was much easier and simpler than the one my customer had.

    This was indeed helpful. Thank you Akshat for your good work!
