Clean up user certificate in Lync Database for Deleted Account

Hi all,
I have a case in which several user accounts have been deleted from AD. And unlike Exchange, deleting a user from AD does not remove the Lync data (I don't get why they designed it differently).
From the Lync server, Get-CsUserCertificate and Get-CsUser for those deleted accounts return no result, as expected.
But when I use dbanalyze /report:user for those deleted accounts, the user certificate is still there.
I ran Update-CsUserDatabase -Force -Fqdn xyz.domain.local; the user certificates are still there.
How can I clean up those certificates instead of waiting for them to expire?
Thanks!

Thanks for the feedback.
Surely because of this issue, we need to remove the certificate on the clients, and do the "proper" way for further account deletions.
If anyone is curious about this case, I suggest everyone using Lync Server spend some time trying this scenario:
1. Create a user in your AD (i.e. [email protected]; wait for replication or force it).
2. Enable the Lync account for that user.
3. Log on to a PC with the Lync client (I used Lync Client 2013), logging on as [email protected]. DON'T FORGET to save the password - that's what users usually do. You may chat, add contacts, etc.
4. From the Lync server, in a command prompt, go to the Lync ResKit directory and run the following command: dbanalyze.exe /report:user /user:[email protected] /sqlserver:<FQDN of Lync Server>\RTCLocal. At the bottom of the report there will be information about the invoked certificate with Device ID, Publication Time, Expiration Time, and the certificate itself. There will be more than one certificate for test.user if you log on to another PC and save the password there too.
5. Now, from the user PC, log off from the Lync client. Log on to your AD, delete [email protected], and wait some time for replication.
6. Now go back to the user PC and sign in with the Lync client. Amazingly, you are still able to sign in to Lync, chat, and do everything, as long as you haven't deleted the sign-in info.
7. From the admin perspective, you may use Get-CsUser for [email protected], or Get-CsUserCertificate or any Get-Cs command; there will be no [email protected] on your Lync server, but if you use dbanalyze, there will be quite a bit of information about that user along with their certificate. <= This is the one I haven't figured out any way to clean up.
8. The funny thing is, if you ever look on your Lync server, a normal user account that logs on and off using the IM client app will be logged in the Lync server Event Viewer (Windows Logs - Security). But [email protected] will not be logged in the Event Viewer, therefore you won't know where they are logging in from (what PC), like a ghost account.
I am expecting at least some other ResKit tool to clean up this junk data from the server database.
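The offboarding order the reply above calls the "proper" way, as an added PowerShell example that is not code from the original thread: revoke the user's Lync client certificates and disable the user for Lync while the AD object still exists, and only then delete the account, so the RTC data is removed through the normal path instead of being left behind. It assumes the Lync Server Management Shell (Lync 2010/2013 cmdlets) and the ActiveDirectory module are available; the SIP address, the front-end FQDN and the DistinguishedName property used for the AD delete are assumptions.

```powershell
# Added example, not from the original thread. Offboards a Lync-enabled user in
# the order that avoids the orphaned-certificate state described above:
# revoke client certificates -> Disable-CsUser -> update user DB -> delete AD object.
# Assumes the Lync Server Management Shell and the ActiveDirectory module are loaded.
param(
    [Parameter(Mandatory = $true)]
    [string]$SipAddress,     # e.g. "sip:test.user@example.local" (placeholder value)
    [Parameter(Mandatory = $true)]
    [string]$FrontEndFqdn,   # pool/front-end FQDN for Update-CsUserDatabase (placeholder)
    [switch]$WhatIf          # pass -WhatIf to preview without changing anything
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Look the user up while the AD object still exists. Once the AD account is
#    gone, Get-CsUser returns nothing and the Lync cmdlets can no longer reach
#    the leftover RTC data, which is the situation the thread starter hit.
$csUser = Get-CsUser -Identity $SipAddress -ErrorAction SilentlyContinue
if (-not $csUser) {
    Write-Warning "No Lync-enabled user found for $SipAddress; nothing to offboard via Lync cmdlets."
    return
}

# 2. Enumerate and revoke every client certificate issued to the user, so a PC
#    that saved the password cannot keep signing in with its cached certificate.
$certs = @(Get-CsClientCertificate -Identity $SipAddress)
Write-Host ("{0} client certificate(s) on record for {1}" -f $certs.Count, $SipAddress)
$certs | Format-List | Out-String | Write-Host
if ($certs.Count -gt 0) {
    Revoke-CsClientCertificate -Identity $SipAddress -WhatIf:$WhatIf
}

# 3. Disable the user for Lync. This strips the Lync attributes from the AD
#    object while it is still resolvable, so the back end sees a proper removal
#    rather than an account that simply vanished.
Disable-CsUser -Identity $SipAddress -Confirm:$false -WhatIf:$WhatIf

# 4. Push the change to the user database (same cmdlet the thread starter used,
#    now run before the AD object disappears). Skipped in preview mode.
if (-not $WhatIf) {
    Update-CsUserDatabase -Fqdn $FrontEndFqdn -Force
}

# 5. Only now delete the AD account itself. DistinguishedName on the Get-CsUser
#    result is assumed here; substitute the SamAccountName if your object lacks it.
Remove-ADUser -Identity $csUser.DistinguishedName -Confirm:$false -WhatIf:$WhatIf
```

After the run, the dbanalyze /report:user command from step 4 above is the check that no certificate remains for the SIP address.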

Similar Messages

  • Need Help to query Lync Database for User Information

    Need help to query the Lync database to retrieve the user information below.
    1. SIP address of the registered user
    2. Phone number configured for the particular account
    3. IP address
    4. Last logged-in time
    I am trying to pull the above information from the RTC database for all the registered users. Please let me know if this is possible, and it would be great if you can throw some light on what tables to look for the data. Thank you.

    Hi,
    For SIP address and Phone number you can check RTC database.
    IP Address:
    You can refer to the link below to query IP address: 
    http://h30499.www3.hp.com/t5/Business-Service-Management-BAC/Monitoring-Lync-with-the-User-Registrations-Viewer-Free-NMC-tool/ba-p/5961497#.UtOU43mIrwo
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there.
    Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Last Logged in time:
    You can refer to the link below:
    http://blogs.technet.com/b/dodeitte/archive/2011/05/11/how-to-get-the-last-time-a-user-registered-with-a-front-end.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Security review your database for default accounts with known passwords

    Hi,
    I have just added a new free tool to my web site that will test your
    database for known default users and more importantly for known default
    passwords. The tool is a set of PL/SQL scripts that loads a list of 474
    known default users to a table. A package procedure is then used to loop
    through all of the databases users to test if they are default and have
    known passwords.
    The list of passwords and users is supplied in a spreadsheet that
    includes details of what most of the users are used for as well as a
    severity rating for them. This is probably the biggest list of default
    users available on the net.
    The scripts were written by Marcel-Jan Krijgsman and are available from
    http://www.petefinnigan.com/default/default_password_checker.htm
    Kind regards
    Pete
    Pete Finnigan (email:[email protected])
    Web site: http://www.petefinnigan.com - Oracle security audit specialists
    Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
    Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

    Thanks, now I understand why the wifi keeps dropping. On my personal wireless network, it also seems the distance from the access point is not good compared to my laptop. At work our network & exchange teams don't seem to have the desire to struggle with this "toy" until customers start forcing its adoption. I am using OWA and it works fine over EDGE. I will share your posting with them.
    Thank you again.
    Dell   Windows XP Pro

  • SDK service using domain user trying to set SPN for computer account

    I have a SDK service running under a domain user account, but it tries to register the SPN for the computer account of the machine?!
    Therefore I get the following alert: 
    The System Center Data Access service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/WIN-9IAJC0HS9RJ and MSOMSdkSvc/WIN-9IAJC0HS9RJ.domainxx.local to the servicePrincipalName of CN=WIN-9IAJC0HS9RJ,CN=Computers,DC=domainxx,DC=local
    Which makes sense because it does not have the permissions to do that.
    When I make the domain user account a member of Domain Admins it has the relevant permissions and it indeed registers that SPN on the computer account. But why?? The SPN should be registered on the domain user account instead (and therefore I had given the domain user account read/write permissions on itself to do that).
    I have the following SPN registered now for the computer and domain user account:
    setspn -l WIN-9IAJC0HS9RJ
    Registered ServicePrincipalNames for CN=WIN-9IAJC0HS9RJ,CN=Computers,DC=domainxx,DC=local:
            MSOMSdkSvc/WIN-9IAJC0HS9RJ
            MSOMSdkSvc/WIN-9IAJC0HS9RJ.domainxx.local
            MSOMHSvc/WIN-9IAJC0HS9RJ
            MSOMHSvc/WIN-9IAJC0HS9RJ.domainxx.local
            TERMSRV/WIN-9IAJC0HS9RJ
            TERMSRV/WIN-9IAJC0HS9RJ.domainxx.local
            WSMAN/WIN-9IAJC0HS9RJ
            WSMAN/WIN-9IAJC0HS9RJ.domainxx.local
            RestrictedKrbHost/WIN-9IAJC0HS9RJ
            HOST/WIN-9IAJC0HS9RJ
            RestrictedKrbHost/WIN-9IAJC0HS9RJ.domainxx.local
            HOST/WIN-9IAJC0HS9RJ.domainxx.local
    setspn -l domainxx\omdas
    Registered ServicePrincipalNames for CN=OMDAS,CN=Users,DC=domainxx,DC=local:
    none for this account
    I don't get it. Anyone?
    I am using SCOM 2012 R2
    Pls help.
    Thanx in advance.
    Regards
    Chris

    SCOM SDK service really tries to set its SPN to the computer account (although the SDK service is running using a domain user account). The alert is no bug!
    I know this for sure because I gave the SDK service permission to do it - by making the domain user account member of the domain admins security group - and it indeed sets the SPN on the computer account.
    The latter is the actual bug I would say! It should try to set the SPN for the domain user account the sdk service is running with.
    Then again, not having the SPN set correctly on this domain user account does not seem to bother SCOM at all indeed. Perhaps it uses NTLM instead in this scenario.
    Can anyone confirm?

  • Apple Mail files for deleted account?

    After I delete one of my Gmail accounts in Apple Mail, there still remains a folder at:
    ~/Library/Mail/V2/IMAP- (and then the email address of the removed/deleted account)
    Does that make sense? I thought it deleted all data files.
    Thanks for any info.

    No, it doesn't remove the mbox data from deleted accounts. As to why, my best guess would be that if you are to add the email account again, the slow process of downloading and caching all the data from the email host server again is avoided. If you want to completely remove the IMAP account, you can safely delete the mentioned path.

  • Yahoo Contact Sync Alert for Deleted Account

    I keep getting a yahoo contact sync alert every thirty minutes or so - most annoying as I don't want to sync any contacts, and it wants to sync with a deleted account. This happened after the upgrade to Lion.

    I don't see anywhere in iCloud where I can delete the account.  I do maintain the account in Mail, but I looked in there before I posted anything here and it's not set to sync contacts.  This is the only thing I have a problem with is that it's trying to sync contacts.  I don't want to do this anymore and haven't done it for a while.  I would just tell it OK and be done with it, but the contacts on Yahoo don't match up with the contacts on my Mac/on iCloud...and the only options are to replace with the Yahoo contacts or merge the contacts.  I don't want to do either, and there's no option to replace the Yahoo contacts.  One other thing that I didn't note before is that it's only doing it on my MacBook Air.  It's not doing it on any of my other Macs which were also set to sync with Yahoo at one time, but had the sync turned off.

  • Clean out user table in LiveCycle Database

    I need to clear out the users from the the EDCPrincipalUserEntity database.  Are there any scripts that can do this since the guids are tied to other tables?
    Thanks,
    John

    I checked with our User Manager guys.  Unfortuntely, this is not possible without messing up things.

  • User Defined CoA  Level 6 for Active Accounts

    I have not selected indian CoA. Through User defined i have created entire CoA. There, i have given Active Accounts as Level 6 instead of Level 5 . Will it create Problem.
    Rakesh N

    Hi,
    Absolutely no problem.  Levels are only for COA grouping.  IN B1 Upto 10 levels you can group your COAs.
    Regards,
    Venkatesan G.

  • Clean up groupwise POA - data still big after delete account

    Hi guys,
    I migrated a test GroupWise system from my production.
    My POA data is too big (around 80GB), so I deleted most of the mailboxes and kept only 10 mailboxes with small sizes.
    But the POA data is still big (around 80GB).
    Do you know why my POA data is still too big after the delete? Or any step I missed?
    Or any command to purge my POA?
    Thanks all.

    Originally Posted by konecnya
    I
    It is similar to when you delete a file on the computer, it isn't really
    gone at first, just the pointers to it removed.
    If you have a good set of routine maintenance running, it will get down
    to size before long. Just the default of Emptying the trash being
    automatic after 7 days will help. The other part of the puzzle is having
    GWChecks on Contents run on a regular basis (weekly) as that will get rid
    of the rest of the bits.
    For more details on a good set of routine maintenance, see
    GroupWise Maintenance
    Andy Konecny
    Knowledge Partner (voluntary SysOp)
    KonecnyConsulting.ca in Toronto
    Andy's Profile: View Profile: konecnya - Novell Forums
    I ran and got an error "MAINT_IN_PROGRESS (0xC057)" and nothing changed
    any more ideas, andy?

  • Lync 2011 for MAC and Lync 2013 Server Std

    Hello,
    We are using a Lync 2013 Std (single-server) as a POC.  It works fine for Windows-clients but I cannot connect using Lync 2011 for MAC from any MAC machine.
    Using automatic configuration, I cannot connect to the Lync server.
    Using manual configuration (I tried putting in just the server name and adding port 5061 to it, both to no avail) I keep getting 'Sign in to Lync failed.  Please verify your credentials and try again.'.
    Lync server is on the latest CU version with all components, MAC clients are on update 140321.
    I noticed that Lync tries to create the OC_keycontainer_username@domain, but it seems not to be created. It flashes by and disappears again when the client fails to log in. I have imported the Lync server certificate, issued by our Windows 2012 root CA, on the Mac clients and have stored it in the 'Login' container.
    Does anybody know if Lync2011 for Mac is supported for use with Lync server 2013 Std?
    Cheers

    Hi,
    To clear cached data and corrupted certificates in Lync, you can do the following steps:
    First, delete the following folders:
    Users/Home Folder/Library/Caches/com.microsoft.Lync
    Users/Home Folder/Documents/Microsoft User Data/Microsoft Lync History
    Then, delete any corrupted or cached certificates. To do this, follow these steps:
    1. Open the Keychain Access certificate management utility. To do this, in Finder, click Applications, click Utilities, and then click Keychain Access. Or, search for Keychain Access by using Spotlight.
    2. In the left pane, click login, and then click Certificates.
    3. In the right pane, find a certificate that's named Unknown or Communications Server, select it, and then delete it.
    Note: You may have to unlock your keychain by using your password.
    4. Close Keychain Access.
    5. Restart Lync for Mac.
    You can refer to the following article; it is for Lync for Mac with Lync Server online, but it applies similarly to Lync on-premises:
    http://support.microsoft.com/kb/2629861
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Plist file over written when Lync 2011 for MAC starts

    Hi I’m running into a very frustrating issue where the plist file is overwritten when Lync starts,
    Trying this - to get Lync working with
    http://technet.microsoft.com/en-us/library/jj945442(v=office.14).aspx
    It can be done on Windows....
    Ive Quit the Lync app from the task bar menu, Force quit from the apple menu, forced quit from Activity Monitor.
    I’m using PlistEdit Pro. I have selected Save and then quit, reopened the plist to confirm changes are saved – yes.
    launch lync and files/changes are over written……
    Any suggestions?
    Cheers
    Mike

    First, delete the following folders:
    Users/Home Folder/Library/Caches/com.microsoft.Lync
    Users/Home Folder/Documents/Microsoft User Data/Microsoft Lync History
    Then, delete any corrupted or cached certificates. To do this, follow these steps:
    1. Open the Keychain Access certificate management utility. To do this, in Finder, click Applications, click Utilities, and then click Keychain Access. Or, search for Keychain Access by using Spotlight.
    2. In the left pane, click login, and then click Certificates.
    3. In the right pane, find a certificate that's named Unknown or Communications Server, select it, and then delete it.
    Note: You may have to unlock your keychain by using your password.
    4. Close Keychain Access.
    5. Restart Lync for Mac.
    Important: Before you perform the next step, try to reproduce the issue by using a new test user account. If the issue doesn't repeat in the new account, then follow these steps:
    6. Open Keychain Access Preferences, and then click Reset My Default Keychain.
    7. Open Finder, locate the following folders, and then delete them:
    /Users/Home Folder/Documents/Microsoft User Data/Microsoft Lync Data
    /Users/Home Folder/Documents/Microsoft User Data/Microsoft Lync History
    For more, please refer to
    http://support2.microsoft.com/kb/2629861
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". Regards, Edwin Anthony Joseph

  • Disable the entry to a database for update

    Hi,
    I have a database used by a business program.
    When I want to upgrade the database, no one else can log in. But for the upgrade the software uses multiple threads.
    To prepare the upgrade, I first send a message to the users who use the database, asking them to log out. But someone comes back before I can start the upgrade, e.g. someone who was not using it when I sent the mail.
    So I thought of denying login for users so the upgrade can succeed. But deny it only for this database! The other databases must remain accessible! And the database must be accessible for me, and for the program I start from my local computer!
    How can I solve this problem?
    Gyula

    But the program uses the same SQL login for the user and for the update too. Therefore, if I run the program for the update, it uses the owner SQL login. If the user wants to use the software, it uses the owner SQL login too.
    The only difference is the IP address or host name (System_User is the user the software uses).
    You could mess with a login trigger, but I don't like that since the login trigger is on server level.
    Rather I think that you should have different logins. The login for the application should have plain rights, like db_datareader/writer and EXECUTE on stored procedures. The login for the upgrade should be db_owner.
    An alternative is to have a table that the application looks at when the user logs in which says "Upgrade in progress, please try later". To kick out the users you would flip to SINGLE_USER WITH ROLLBACK IMMEDIATE, set this flag, and then switch back to MULTI_USER.
    Erland Sommarskog, SQL Server MVP, [email protected]

  • Certificate Authority User Certificate one time autoenrollment

    Hi Guys,
    I am implementing an EAP-TLS NPS solution for a WiFi network, and I have a requirement for non-exportable user certificates to be issued for a user group. Is there a way to autoenroll users with a user certificate, and if it is compromised at some point, they would not be able to request another one, and only a domain admin would be able to enroll them again? I am not an expert; I managed to create a non-exportable user certificate template and configure autoenrollment, but I want it to be more secure, let's say in a case when a laptop is stolen while the user is logged on: I need to revoke the cert and I don't want the user to be able to enroll again.
    I hope you understand my question,
    Please help
    Cheers
    VK

    Hi VK,
    To enable auto enrollment, please refer to the link below:
    https://technet.microsoft.com/en-us/library/dd379539(v=ws.10).aspx
    >> they would not be able to request another one
    We can set the permission in the security of the certificate template.
    Here is the screenshot of my lab server:
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • How do I tell if a user profile is marked for deletion?

    This is likely a question with a simple answer, but searching through Google and here hasn't helped.
    How do I tell if a user profile has been marked for deletion?
    Will it appear in the "Manager User Profiles" area of the User Profile Service Application management? 
    Do I need to look somewhere else? 
    This is probably obvious, and I just have looking disease, but your assistance is most appreciated!

    As Paul said, you can see that on the UP admin page. Also you can use PowerShell to get the list of all users.
    Follow this blog:
    http://iedaddy.com/2012/02/sharepoint-2010user-information-lists-and-user-profile-cleanup/
    $upa = Get-spserviceapplication <identity>
    Set-SPProfileServiceApplication $upa -GetNonImportedObjects $false
    Set-SPProfileServiceApplication
    Please remember to mark your question as answered & vote helpful if this solves/helps your problem. Thanks -WS MCITP (SharePoint 2010, 2013) Blog: http://wscheema.com/blog

  • Info Record Flagged for deletion

    Dear Friends,
    I am not sure if I should raise this question in the MM or PS area, as the error message is related to MM and occurring in the PS area.
    Issue Description: In my company (building construction) we create Projects/Networks which have hundreds of activities. Each network activity has some components (materials). A component contains info like Material number, Purchase Org, Vendor, Info record, etc. Under the clean-up process an info record is flagged for deletion because we don't buy the component from that vendor any more; the procurement dept then flags that info record and creates a new info record with the new vendor.
    If we try to update any data through either CJ20N or CN22 it gives the error message "Info record flagged for deletion", message number CN 766, and it doesn't allow saving the project or network, as this message is set with category "Error". This is quite annoying for the business users.
    Requirement: I want to know "How to make this error message informational"??
    My effort to find the solution: I tried to use transactions OBA5 and OBMSG, through which we can change the configuration so that the message will be only informational, but the issue is that I couldn't find the application area CN with message number 766.
    It would be a great help if any one of you could suggest me a possible solution for this issue.
    Regards,
    Sunny

    Purpose of deletion flag is not to control which vendor is a valid source of supply in relation to one material. It is in connection with archiving process....
    In info record (ME12 --> "Purch. Org. Data 1.") you can set "Available from" (EINA-LIFAB) and "Available to" (EINA-LIFBI) in "Supply Option" section. Message 06681 belongs to it which can be controlled in:
    SPRO > Materials Management > Purchasing > Environment Data > Define Attributes of System Messages
    Please consider this option...(you can also use source list (ME01) but it is too strict control in my opinion)
