Remove Lync from Active Directory

Stories from the Lync Test Bench: Cleaning up Active Directory

As with any new, non-trivial upgrade, we spend a lot of time performing test installs on our test bench. (Yes, sometimes the test bench is production… but we do try to avoid testing in production… usually). There are times where we need to clean Lync from the Active Directory. Normally, we would restore the domain controller from ice, but there are occasions where restoring / rebuilding the test domain is not practical.

This document covers the steps for “cleaning” your Active Directory of Lync “stuff” in order to allow for a brand new install.

Step#1: Remove permissions
This step removes the original Lync permissions from the Active Directory.

  1. Open Active Directory Users and Computers
  2. Right click on your top level domain being cleaned and select Properties
  3. From the Properties window, select the Security tab.
  4. Remove all security users titled RTC*
    These are usually
    – RTCUniversalServerReadOnlyGroup
    – RTCUniversalUserReadOnlyGroup
    – RTCUniversalUniversalServices
    – RTCUniversalUserAdmins
  5. Repeat the same steps for each of the following AD Folders and OUs
    NOTE: Not all RTC permissions will exist in each AD Folder or OU, but these three OUs do:
    – Domain Controllers
    – System
    – Users
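The same check, scripted. This is an added example and not part of the original post: it lists the explicit access rules held by RTC* groups on the four containers named above and, only when `$remove` is switched on, strips them. It assumes the RSAT ActiveDirectory module is installed, the default container locations are in use, and the shell is elevated.

```powershell
# Added example, not part of the original post: list (and optionally remove) ACEs held by
# RTC* groups on the containers named in Step 1. Assumes RSAT ActiveDirectory and an
# elevated PowerShell session.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Containers the post names. Assumption: the default container locations are in use.
$containers = @(
    $domainDn,
    "OU=Domain Controllers,$domainDn",
    "CN=System,$domainDn",
    "CN=Users,$domainDn"
)

# Leave $false for the first run and review the report before switching it on.
$remove = $false

foreach ($dn in $containers) {
    # The ActiveDirectory module exposes object security through the AD: drive.
    $acl = Get-Acl -Path "AD:\$dn"

    # Explicit (non-inherited) entries whose trustee name starts with RTC. Once the groups
    # themselves are deleted (Step 3) these resolve to raw SIDs and no longer match, so run
    # this before Step 3, as the post's order already does.
    $rtcAces = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -like '*\RTC*'
    })

    Write-Output "$dn : $($rtcAces.Count) RTC* access rule(s)"
    foreach ($ace in $rtcAces) {
        Write-Output ("  {0,-45} {1,-6} {2}" -f $ace.IdentityReference.Value,
            $ace.AccessControlType, $ace.ActiveDirectoryRights)
        if ($remove) { [void]$acl.RemoveAccessRule($ace) }
    }

    if ($remove -and $rtcAces.Count -gt 0) {
        # Write the modified descriptor back to the object.
        Set-Acl -Path "AD:\$dn" -AclObject $acl
        Write-Output "  Updated ACL on $dn"
    }
}
```

Only non-inherited rules are reported, because inherited ones disappear on their own once the entry on the parent is removed; deleting an inherited rule directly would be rejected anyway.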

Step#2: Remove the RTC Services branch

  1. Open ADSI Edit
    New to ADSI? See this link:
  2. Connect to the Configuration naming context for the domain being cleaned
  3. Drill down to the following path:
    CN=Configuration,[your domain DN] > CN=Services
  4. Delete the CN=RTC Service entry


Step#3: Additional AD cleanup

  1. Open Active Directory Users and Computers
  2. Drill down as follows
    [Your Domain] > Program Data > Distributed KeyMan
  3. Delete LyncCertificates
    NOTE: This may not exist in all scenarios.
  4. Drill down as follows
    [Your Domain] > Users
  5. Delete all RTC* and CS* users created by Lync
    e.g. CSAdministrator, CSHelpDesk, RTCComponentUniversalServices, etc.
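A read-only check for Steps 2 and 3, added here as an example and not taken from the original post: it reports whether the RTC Service container, the LyncCertificates object and any RTC*/CS* objects in the Users container are still present, so you can confirm the deletions took. It assumes the RSAT ActiveDirectory module and the default container locations.

```powershell
# Added example, not part of the original post: report whether the objects Steps 2 and 3
# tell you to delete are still present. Read-only; nothing is removed. Assumes RSAT
# ActiveDirectory and default container locations.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext   # CN=Configuration,DC=...
$domainDn = $rootDse.defaultNamingContext         # DC=...

# Returns $true when an object with this DN exists. Get-ADObject throws on a missing DN,
# so the lookup is wrapped rather than filtered.
function Test-AdObjectExists {
    param([string]$DistinguishedName)
    try {
        Get-ADObject -Identity $DistinguishedName -ErrorAction Stop | Out-Null
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
}

# Step 2: the RTC Service container under Configuration > Services.
$rtcService = "CN=RTC Service,CN=Services,$configNc"
# Step 3: LyncCertificates under Program Data > Distributed KeyMan.
$lyncCerts  = "CN=LyncCertificates,CN=Distributed KeyMan,CN=Program Data,$domainDn"

foreach ($dn in @($rtcService, $lyncCerts)) {
    $state = if (Test-AdObjectExists $dn) { 'PRESENT' } else { 'absent ' }
    Write-Output "$state $dn"
}

# Step 3: RTC* and CS* objects left in the Users container. SearchScope OneLevel keeps the
# query to that container, matching the post's "Drill down to Users".
$leftovers = @(Get-ADObject -SearchBase "CN=Users,$domainDn" -SearchScope OneLevel `
    -LDAPFilter "(|(name=RTC*)(name=CS*))")

Write-Output "$($leftovers.Count) RTC*/CS* object(s) in CN=Users:"
$leftovers | ForEach-Object { Write-Output "  $($_.ObjectClass)  $($_.Name)" }
```

Run it once before you start for a baseline and again after Step 3; the two lines should read PRESENT then absent, and the final count should drop to zero.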


Step#4: Cleanup existing users
This step resets Lync attributes for any domain users and contacts.

Manual Method

  1. Open Active Directory Users and Computers
  2. Click View from the menu and activate Advanced Features
  3. Right click on your domain and select Find
  4. Set the Find: option to Custom Search
  5. Select the Advanced tab
  6. Enter the following LDAP Query: (msRTCSIP-PrimaryHomeServer=*)
  7. Click Find Now
  8. Note each returned user or object
  9. Close Find
  10. Right click on each user or object found in the search
  11. Select Properties
  12. Select the Attribute Editor tab
  13. Find and reset all msRTCSIP* attributes for the user/object

Automatic Method
For those who love PowerShell:
Important: Remember to launch PowerShell as an Administrator

# Find every object still homed on a Lync server and clear its Lync attributes
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(msRTCSIP-PrimaryHomeServer=*)" |
    ForEach-Object {
        Set-ADObject -Identity $_.DistinguishedName -Clear `
            "msRTCSIP-DeploymentLocator", "msRTCSIP-FederationEnabled",
            "msRTCSIP-InternetAccessEnabled", "msRTCSIP-OptionFlags",
            "msRTCSIP-PrimaryUserAddress", "msRTCSIP-UserEnabled",
            "msRTCSIP-UserPolicies", "msRTCSIP-UserRoutingGroupId",
            "msRTCSIP-PrimaryHomeServer"
        # Echo the object that was just cleaned
        "Cleaned $($_)"
    }

Final “user cleanup” considerations:

· The scripts and methods are current as of Lync 2013 (March 2013). Review your particular implementation to determine whether more or fewer attributes need to be cleaned.

· If you have integrated with Exchange Unified Messaging (UM), you will have two contacts specifically setup for the Unified Messaging. Consider deleting these contacts as they will most likely be recreated during the next Lync server installation and setup.
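Because the attribute list in the one-liner may not match what your deployment actually populated, the following added example (not from the original post) enumerates every populated msRTCSIP-* attribute on each object, prints a per-attribute summary, and clears exactly what it found when `$clear` is switched on. It assumes the RSAT ActiveDirectory module; the filter broadens the post's to also catch objects that still carry a SIP address but have already lost their home server.

```powershell
# Added example, not part of the original post: enumerate every populated msRTCSIP-*
# attribute so the -Clear list used above can be compared with what is really set.
# Read-only unless $clear is switched on. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

$clear = $false   # set to $true to clear the reported attributes

# Objects homed on a Lync pool (the post's filter) plus anything still carrying a SIP
# address, which catches contacts and objects that kept an address but lost their home server.
$objects = Get-ADObject -Properties * -LDAPFilter `
    "(|(msRTCSIP-PrimaryHomeServer=*)(msRTCSIP-PrimaryUserAddress=*))"

$seen = @{}   # attribute name -> number of objects carrying it

foreach ($obj in $objects) {
    # Each populated attribute is a property on the returned object; keep the Lync prefix.
    $attrs = @($obj.PSObject.Properties |
        Where-Object { $_.Name -like 'msRTCSIP-*' -and $null -ne $_.Value } |
        Select-Object -ExpandProperty Name)

    foreach ($a in $attrs) { $seen[$a] = 1 + [int]$seen[$a] }

    Write-Output "$($obj.ObjectClass) $($obj.DistinguishedName)"
    Write-Output "  $($attrs -join ', ')"

    if ($clear -and $attrs.Count -gt 0) {
        # -Clear takes the list of attribute names; add -WhatIf for a dry run.
        Set-ADObject -Identity $obj.DistinguishedName -Clear $attrs
    }
}

Write-Output "`nAttribute summary (name : objects carrying it):"
$seen.GetEnumerator() | Sort-Object Name |
    ForEach-Object { Write-Output ("  {0} : {1}" -f $_.Name, $_.Value) }
```

Compare the summary against the nine attributes in the one-liner: any name that appears in the summary but not in that list is one your deployment set and the one-liner would leave behind.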


Step#5: Prepare Current Forest Impacts

Manually cleaning Lync from your Active Directory will result in some issues when preparing the Active Directory during Lync install. If you receive the following error on Step 3: Prepare Current Forest under the Prepare Active Directory for Lync Server wizard:

Command execution failed: Active Directory operation failed on “[your Lync Server]”. You cannot retry this operation: “Directory object not found [domain specific text]”


Result: Create permissions for Configuration delete objects container
TaskFailed: Task execution failed

Use the following steps to manually prepare the forest:

  1. Launch Lync Server Management Shell from the start menu
    Important: Remember to run as an administrator
  2. Enter the following PowerShell command
    Enable-CSAdForest -GlobalCatalog [fully qualified domain server name] -Force
    For example:
    Enable-CSAdForest -GlobalCatalog DC.YourDomain.COM -Force
  3. Refresh the wizard. The green checkbox should now be displayed on Step 3.
  4. Continue the wizard as normal.

8 thoughts on “Remove Lync from Active Directory”

  1. Jason H


    What is the best way to Query AD for all users who have been enabled for PIC, aka the msRTCSIP-optionflags set to 256 I believe (I think it could also be above 256 if they had other options enabled)?


  2. Lanio do Nascimento

    Thank you so much for your help, my problem is solved now! I executed this process exactly like this, and it was a success.

  3. Steve

    The below needs to be added before step 1 or you will not see the security tab to delete the security users:

    Open Active Directory Users and Computers
    Click View from the menu and activate Advanced Features

    Otherwise great document.

  4. Frank James Wilson

    Thank you so much! I’ve been racking my brain for the last week trying to figure out how to do this properly.
    Also, it solved a lot of others issues I was experiencing post Lync removal.

  5. Balal Ahmad

    Very nice information, but can anyone help me with the query below: how can I filter users from only a specific group? For example, the security group “HeadOffice”.


  6. Lindsey Yale

    Do you know what to do when receiving this error: “Length of the access control list exceed the allowed maximum”

    I have completely cleared all RTC and CS groups from my AD, CN=RTC has been deleted, and I have tried the Enable-CSAdForest command above and still continue to receive this error.
    I am unsure how else to completely get rid of Skype for Business 2019 to be able to reinstall it with the same DC1.
