Prevent contacts sync between Lync and Outlook

Hi all,

I have a weird Lync Server/client issue which is for us a huge data privacy and security issue.

Recently some users complained that they have these annoying contacts in Lync contact search. At first I thought they were contacts from Outlook... but then we discovered that users from AD are also visible in search.

Although I can praise Microsoft for the crazy speed when you type 'a' in the search box and get 2000 contacts in one or two seconds, I still think it's a very bad idea to use that as the default option.

Anyway, I tried with this known solution: set-CsClientPolicy -Identity global -ExcludedContactFolders "Contact;Contacts;IPM.Contact;Suggested Contacts" 

Then I read on this forum that I need at least CU5 for this policy change to be applied, but again no luck.

I'm using Lync Server 2010 with the latest update rollup from March 2013. There is also Exchange 2010 on premise.

Any ideas?

Thx

June 19th, 2013 8:35pm

Update...

Even crazier, disabled users from AD are also showing up.

Everything that has an email address in AD is showing up. 

I guess this is not normal behavior? 


  • Edited by SrdjanManas Thursday, June 20, 2013 9:12 AM update
June 20th, 2013 9:06am


The parameter ExcludedContactFolders indicates which Microsoft Outlook contact folders (if any) should not be searched any time Lync searches for new contacts. As there are AD contacts, the command won't help.

I think you were saying AD users and not Lync-enabled.

Lync aggregates contact data from Exchange GAL, Outlook and Lync Server. It is not correct behavior to represent the AD users with Lync-enabled.

When did this issue begin?

Please check whether these users can search all the AD users or just a part of that.

Check the event view of Lync on your Lync Front End Server.

June 20th, 2013 10:26am

Hi Lisa,

That's exactly what I meant... Lync users can search AD users which are not Lync-enabled.

I can't confirm that all Lync users can search literally every user from AD, because to answer that I need more time...

GAL is OK, because all Exchange users are also Lync-enabled.

But this morning I can confirm at least some change. Only contacts from Outlook with emails are listed in search. This is new :). So if a contact in Outlook has an email, it is visible in search as 'presence unknown'. If it's only a phone number, then it's not shown.

I'm not really sure when this thing started to occur, because it only got my attention when my security officer started to complain.

I only tested on Lync 2013 clients; I'll check the 2010 client as well and get back with the result.

Thx     

June 20th, 2013 11:04am

It is not normal behavior.

These disabled Lync users and non-Lync-enabled users shouldn't be searched.

Please check whether you can search these users in Lync Control Panel.

Check if there are any errors on the Lync Front End Server and DCs.

June 26th, 2013 10:19am

Hi Lisa,

Sorry for the late response.

I'm not sure we are on the same line here. I'm talking about users from AD that are NOT Lync-enabled. So, of course I can't search them in Control Panel... only if I want to add them as Lync-enabled users can I search them. That's OK.

What's not OK is that I can search all AD users, contacts, groups etc. from my Lync client 2010\2013. And not only me, but all other clients. After some research I found that all objects in AD, if they have a valid PHONE and EMAIL address in attributes, will be visible in search for every Lync client. That is a fact. Probably from Microsoft's point of view that behavior is OK, that's the point of having Unified Communication, right? But it would be a good idea to inform customers about that, somehow. For my company it is a huge security issue.

I managed to fix this issue by adding a new custom AD attribute and then including users with only that attribute in CSUserDatabase and CSAddressBook. Done with ABSConfig.exe (great tool).

My guess is that Microsoft invented this tool for problems like this one, or similar??

So, the issue with AD objects (users, contacts, groups) showing in Lync client search is solved.

But I'm still stuck with contacts from Outlook showing. This PS command is still without result.

set-CsClientPolicy -Identity global -ExcludedContactFolders "Contact;Contacts;IPM.Contact;Suggested Contacts"


July 1st, 2013 4:20pm
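
An added example, not part of the original thread: a read-only PowerShell audit that lists AD objects which are not Lync-enabled yet carry both an e-mail address and a phone number, the combination the post above found visible in client search. The attribute names mail and telephoneNumber, the use of msRTCSIP-UserEnabled to detect Lync-enabled objects, and the output file name are assumptions.

```powershell
# Added example: read-only audit, requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: 'mail' and 'telephoneNumber' stand in for the "EMAIL" and "PHONE"
# attributes mentioned in the thread; adjust to the attributes your Address
# Book Service actually reads.
# msRTCSIP-UserEnabled is TRUE only on Lync-enabled objects, so the negation
# keeps everything that is NOT Lync-enabled (users, contacts, groups).
$filter = '(&(mail=*)(telephoneNumber=*)(!(msRTCSIP-UserEnabled=TRUE)))'
$props  = 'mail', 'telephoneNumber', 'userAccountControl'

$exposed = Get-ADObject -LDAPFilter $filter -Properties $props |
    Select-Object Name,
        @{ n = 'Class';    e = { $_.ObjectClass } },
        mail,
        telephoneNumber,
        # Bit 2 of userAccountControl marks a disabled account; contacts and
        # groups have no such attribute and evaluate to False here.
        @{ n = 'Disabled'; e = { [bool]($_.userAccountControl -band 2) } },
        DistinguishedName

# Summary: how many objects per class, split by disabled state.
$exposed |
    Group-Object Class, Disabled |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Full list for review with the security officer (hypothetical file name).
$exposed | Export-Csv -Path .\lync-abs-exposure.csv -NoTypeInformation -Encoding UTF8
```

Running it before and after changing the address book filter shows whether the set of non-Lync objects eligible for search actually shrank.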

As I posted in another question, that value (ExcludedContactFolders) does not have any effect on the way the Lync 2013 client and Skype for Business 2015 client work. If there are contacts anywhere in the Outlook Contacts folder, including subfolders, they have the potential to give a presence unknown or show presence but then not be able to send IM messages. The bad/old contact data must be cleaned out, typically manually.

Microsoft is currently working on a way to exclude the Outlook Contacts Folder from being read by the Lync\Skype client, but this is in development and may not be released until 2016.


  • Proposed as answer by mrblinddog 17 hours 3 minutes ago
  • Edited by mrblinddog 17 hours 3 minutes ago
September 3rd, 2015 10:24am

This topic is archived. No further replies will be accepted.
