This has come up a few times in different engagements in the past, and I decided it would be worth publishing some guidance around how to set this up.
Why would I want to hide users?
Perhaps you have members of the organisation that you don’t want contacted by everybody else. Say if you have a strict communications policy that the CEO shouldn’t be directly contactable, you could hide them from appearing in the address book.
Another example is if you have resource accounts setup that are enabled for Lync whose purposes is for only making calls, there’s no need for these to be discoverable in the address book. Or perhaps you don’t want them searchable because they are private numbers or are in private areas, you would hide these from the Lync Address Book.
How it’s done
First, on one of your Lync Front End servers, install the Lync Server 2010 Resource Kit. You can download it here.
Next, on the server using Windows Explorer, browse to C:\Program Files\Microsoft Lync Server 2010\ResKit and double click the application named ABSConfig. You’ll be presented with the UI below.
Firstly, you’ll see a list of AD Attribute Names. To achieve this, we need to create a new one and specify the AD Attribute we want to use to filter accounts. Here I’ve specified the AD Attribute comment, but you can use whatever takes your fancy.
Next, you need to specify where it says Which users do you want to include in the ABS files? whether you want to:
- Only include users that have a value for the AD attribute you specify or;
- Exclude all users who have a value for the AD attribute you specify.
For this blog post, we’re going to select Exclude all users who have a value for this AD attribute. In the field next to this, we’re going to type the name of the AD attribute (comment) that we specified above. In each user account we want to hide, we will use this AD attribute to populate with a data value.
Once you’re done, hit Apply changes and you’re good to go. Changes will take affect next time the Address Book processes do their thing (by default, this happens at 1:30am each night).
Now, whenever the Lync User Replicator process sees a user with a value for the attribute you specified, it will exclude it from the Address Book and that user will not appear when you search for them in the Lync client.
Pingback: How to hide users from the Lync Address Book | Justin Morris on UC « JC’s Blog-O-Gibberish
Pingback: Como “esconder” usuários do Lync Address Book (LAB) « Rodrigo Rodrigues .:. www.andersonpatricio.org
I followed your directions but still do not see my new attribute listed in AD. Where do I make the actual change to the user profile to remove them from the address book in Lync?? thanks
Hi Craig,
Did you populate the attribute using ADSIEdit?
no, where do I do that?
You can use either ADSI Edit or the Attribute Editor tab in ADUC
http://policelli.com/blog/archive/2008/08/28/built-in-attribute-editor-in-windows-server-2008/
ok-I am in the ADSIEdit but don’t know what class to choose. thanks in advance for your help. I used the word hide for as my attribute name in AD.
Does anyone know of a way to restrict visibility by OU? Essentially, what I’m trying to do is keep users from doing a lookup on anyone in another Organizational Unit.
There used to be a way to do this with OCS 2007 for Hosted Messaging and Collaboration (HMC) – http://blogs.technet.com/b/provtest/archive/2009/07/20/troubleshooting-hmc-ocs-s-address-book-segregation.aspx
Not sure if it still works with Lync Server however.
Is it possible to configure such as
1. Child1 doesn’t see certain group of users in Child2.
2. Child2 sees all users (Child1&Child2 include those group that hidden for Child2)
Note:
a. root and multiple child domain
b. Child1 domain is using OCS2007R2 whereas child2 domain is using Lynce.
Perhaps create 2 different location for ABS
1. \\ocs\ABS – for ocs users
2. \\Lync\ABS – for Lync users
Hi. What about in Lync 2013, where ABSConfig is not included in the reskit?
Not sure what the solution will be for Lync 2013 just yet. Watch this space. 🙂
I am trying to use the AD Attribute (it already exists in AD) of msExchHomeServer to filter that db since disabled users lose the value in this field. But I am getting an error when I go to apply the filter.
ee the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.
************** Exception Text **************
System.IndexOutOfRangeException: Index was outside the bounds of the array.
at ABSConfig.MainForm.UpdateOccurances(String name)
at ABSConfig.MainForm.ValidateAttrConfig(String filterValue, String adAttrName)
at ABSConfig.MainForm.Save_Click(Object sender, EventArgs e)
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
Sorry, that is not the whole message, but didn’t want to paste to much. I’ve just been cancelling but should I continue?
Hi Lorna, I am getting the same error when saving the changes. Did you find out what the issue was?
Any update to this blog? I am getting the same error and something appears to be missing in the documentation.
Hi Rico, I haven’t had a chance or need to look at this with any newer versions, so can’t provide any guidance unfortunately
We recently populated phone numbers for users in a child domain, and now they’re being included in the Lync address book (they show up in searches). I want to exclude all users in the child domain, so I used AbsConfig to include only users that have a value in the msRTCSIP-PrimaryUserAddress attribute, but that seems to have no effect. This is a Lync 2010 environment. Is there any way to exclude everyone from the child domain?
I don’t think so unfortunately.
Pingback: Disabled (AD) users still searchable in Lync/SfB – A random blog from a sysadmin
Thanks for the article. seems I am bit late here. My query is if we hide this user using ABSConfig. Then can anyone still search him using his SIP address and chat? Or no one can search him at all?
Yes they can still be found by typing the full SIP URI in