A reader sent in a Lync Server/Active Directory support request the other day. I responded, but they solved it without much input from us (a credit to their fast troubleshooting skills!).
Afterward, we discussed their solution, and I asked if I could publish the issue. They said yes. So here it is!
Deleted a User from Active Directory & Recreated – Now Lync Won’t Accept
Alex’s email started with:
“I’m having an issue with a Lync 2013 server. I hope you can help me with it.”
“I had to delete a user account from the AD and my Exchange 2010. After that I made a new account for the user with the same login ID and email address. After that I’m not able to enter the user into the Lync 2013 server. Is there anywhere in the Lync 2013 I have to remove the user, or what can I do?”
My initial thought was that both Lync and Active Directory had “ghost” user accounts now. The deleted user account still existed someplace, possibly within the Lync Front End server.
I asked Alex: “Did you remove the user from Lync, as well as AD? It’s possible that Lync retained a record of the user account from before, which it doesn’t now match up to the new account.”
“Look in Control Panel under Users. Remove this user, and recreate the user account. If that doesn’t work, you might try removing the user account from AD, Exchange and Lync in that order and re-creating it again. Tedious, I know, but that way Lync can re-establish its AD integration for the user.”
At this point Alex indicated that he’d resolved the issue. He’d done so “by changing the security settings on the AD account, so it is inheriting all security settings.”
Naturally I was curious for more details. How did he make the security change? Which specific permissions did he modify? Did he remove/recreate the user account first?
A Matter of Domain Administration
Alex was happy to provide. I’ve edited & reformatted his response slightly, below.
“On the domain controller, select the user’s profile. Select the Advanced view. Then I selected the Security tab, and could see that the group “Domain Admins” didn’t have any access to the account. I added the Domain Admins group, and then I made sure that all rights were inherited from the parent folder.”
“After this all my problem with Lync was solved. It also solved the problem we had with ActiveSync to Android Phones. ActiveSync to iPhone was working all the time, but not to Android before this operation.”
Makes sense, although the operative part of the fix is almost certainly the inheritance rather than Domain Admins itself. Lync's administrative groups (RTCUniversalUserAdmins and its siblings) and Exchange's server groups get their rights on user objects through inheritable permissions set at the domain or OU level. If inheritance is blocked on a single user object, those entries never reach it, so the Lync Front End cannot write the msRTCSIP-* attributes needed to enable the user and Exchange cannot create the ActiveSync device partnership under the account. Domain Admins missing from the Security tab is just the visible symptom of the same blocked inheritance. One caveat worth knowing: Active Directory blocks inheritance on purpose for accounts that are, or once were, members of protected groups such as Domain Admins (it stamps adminCount=1 and the hourly SDProp process reapplies the AdminSDHolder permissions), so re-enabling inheritance only sticks if the account is no longer in a protected group and adminCount is cleared.
To check this myself, I went into our Active Directory through Active Directory Users and Computers. (This is not the exact way Alex indicated; I wanted to see if I could achieve the same end from another route.)
I made sure to select “Advanced Features” under the View menu. Then located a user, and opened the Properties window.
Sure enough, there’s a Security tab in this window. Click it, and you should see something like this:
(The login I used for this screenshot did not have full admin privileges; accordingly, it has grayed-out elements.)
This particular user object has an entry for Domain Admins with Full Control, which is the expected state for an account that inherits permissions from its OU. If inheritance were blocked, that highlighted line (and the other inherited entries) would be absent. The right repair in that case is the Advanced button, where inheritance from the parent can be switched back on; adding Domain Admins by hand with the "Add" button fills in one missing entry but does not restore the Lync and Exchange entries the account also needs.
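Clicking through the Security tab works for one account, but the same check (and Alex's repair) can be scripted. The following PowerShell is an added example, not code from the original post or from Alex: it reports whether inheritance is blocked on a user object, whether adminCount is set, whether the Domain Admins and Lync/Exchange entries are present, and which SDProp-protected groups the account still belongs to, then optionally re-enables inheritance and clears adminCount. It assumes the RSAT ActiveDirectory module on a domain-joined machine and sufficient rights to edit the object's ACL; the sAMAccountName at the bottom is a placeholder.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# RSAT module; the AD: drive it creates is used to read and write the ACL.
Import-Module ActiveDirectory

function Get-UserAclState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # When set, re-enable inheritance and clear adminCount (Alex's fix).
        [switch]$RestoreInheritance
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $dn   = $user.DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path    # System.DirectoryServices.ActiveDirectorySecurity

    # Groups the user is in, nested memberships included (LDAP_MATCHING_RULE_IN_CHAIN),
    # that are themselves SDProp-protected. If any are present, SDProp will re-block
    # inheritance within about an hour no matter what we change below.
    # (A DN containing '(', ')', '*' or '\' would need LDAP escaping first.)
    $protectedGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties adminCount |
        Where-Object { $_.adminCount -eq 1 } |
        Select-Object -ExpandProperty Name

    # Entries Lync (RTC*) and Exchange (Exchange*) rely on; these normally arrive by inheritance.
    $serviceAces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\RTC*' -or $_.IdentityReference.Value -like '*\Exchange*'
    })

    $state = [pscustomobject]@{
        User                = $user.SamAccountName
        InheritanceBlocked  = $acl.AreAccessRulesProtected
        AdminCount          = $user.adminCount
        InheritedAceCount   = @($acl.Access | Where-Object { $_.IsInherited }).Count
        DomainAdminsPresent = [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -like '*\Domain Admins' })
        LyncExchangeAces    = $serviceAces.Count
        ProtectedGroups     = $protectedGroups
    }

    if ($RestoreInheritance -and $acl.AreAccessRulesProtected) {
        if ($protectedGroups) {
            Write-Warning ("$SamAccountName is still in protected group(s): " +
                ($protectedGroups -join ', ') + ". SDProp will block inheritance again.")
        }
        # SetAccessRuleProtection($false, ...) turns inheritance back on; the second
        # argument only matters when protecting, so it is ignored here.
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $path -AclObject $acl
        # Clear the adminCount stamp so the account is no longer treated as "was protected".
        Set-ADUser -Identity $user -Clear adminCount

        # Re-read so the returned state reflects what is now on the object.
        $acl = Get-Acl -Path $path
        $state.InheritanceBlocked = $acl.AreAccessRulesProtected
        $state.InheritedAceCount  = @($acl.Access | Where-Object { $_.IsInherited }).Count
        $state.AdminCount         = (Get-ADUser -Identity $user -Properties adminCount).adminCount
    }

    $state
}

# Placeholder account name; run without -RestoreInheritance first to just inspect.
Get-UserAclState -SamAccountName 'alex.user' | Format-List
```

Run it once without the switch to see the state. A healthy account shows InheritanceBlocked False, a non-empty InheritedAceCount and a non-zero LyncExchangeAces count; an account in Alex's situation shows InheritanceBlocked True, usually AdminCount 1, and zero Lync/Exchange entries. If ProtectedGroups is not empty, remove the account from those groups before running with -RestoreInheritance, or the repair will be undone by the next SDProp pass.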
Unfortunately, I didn’t have an Android phone on hand to test the sync. But it’s always nice when a fix for one issue resolves another too!
If you do face a situation where you need to delete a user and re-enter them, I'd suggest creating a slightly different AD username first. The recreated account gets a new SID either way, so a fresh name makes it obvious that nothing on the Lync or Exchange side is still matching on the old one, and you're sure the new account has no "ghosts" lurking amid the servers. But if you do need to recreate the exact user account, I hope Alex's quick fix helps you!
Thanks to Alex for agreeing to share his issue with us.
Have you encountered a similar issue between Active Directory and Lync Server/Skype for Business Server? If so, please comment or email. We’d love to hear the details!