Mass Enable/Disable ActiveSync services based on Group Membership

The ISO recently found that a number of people had been connecting their iPhones to the email system to read their mail. This was quite a surprise and actually caused some surprised screaming by said ISO. The solution was to disable ActiveSync for every user who did not belong to a designated security group.

This script uses the Quest ActiveRoles cmdlets plus the Exchange 2007 cmdlets. It uses a security group, "Exchange ActiveSync Opt-In", as the source of truth for who is allowed ActiveSync; the group contains the mailbox-owning user objects (membership is expanded through nested groups). I have not mail-enabled this group, hence the use of the Quest tools to read its membership rather than an Exchange distribution-group cmdlet. Be careful: an empty or unresolvable group means an empty opt-in list, and everything on the other side of the comparison is a candidate for disabling, so it is worth checking the group name before running it.

Processing 70,000 mailboxes took around 4 hours for the first run, most of it spent in the Exchange cmdlet that disables ActiveSync. Subsequent runs take only about a minute, since the script compares the two lists and touches just the differences. New mailboxes (ActiveSync-enabled by default) and new members of the Opt-In group are picked up on the next run.

function Get-ActiveSyncEnabledMailboxes {
<#
        .SYNOPSIS
                Return the DN for all objects that have ActiveSync enabled.

        .DESCRIPTION
                Reads the state straight out of Active Directory instead of calling Get-CASMailbox,
                which is far faster for a large directory. ActiveSync state is stored in the
                msExchOmaAdminWirelessEnable bit field: the filter treats the value-4 bit as
                "ActiveSync disabled", and an absent attribute as the default (enabled). The
                LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803) does the bit test.

        .EXAMPLE
                Get-ActiveSyncEnabledMailboxes

        .LINK
                http://social.technet.microsoft.com/forums/en-us/exchangesvradmin/thread/855A485F-A327-49C1-8184-9A9D6D1FE9DB
#>
        # Users with an Exchange alias, excluding the SystemMailbox{...} objects, where the
        # ActiveSync-disabled bit is either absent (attribute not set) or not set.
        # Note: mailNickname=* also matches mail-enabled users without a mailbox; Set-CASMailbox
        # will simply fail for those.
        $strFilter = "(&(objectClass=User)(objectCategory=Person)(mailNickname=*)(!cn=SystemMailbox{*)(|(!msExchOmaAdminWirelessEnable=*)(&(msExchOmaAdminWirelessEnable=*)(!msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4))))"
        # Default constructor binds to the default naming context of the current domain
        $objDomain = New-Object System.DirectoryServices.DirectoryEntry
        $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $objSearcher.SearchRoot = $objDomain
        # Paged search; without this the server caps the result set (typically at 1000 objects)
        $objSearcher.PageSize = 1000
        $objSearcher.Filter = $strFilter
        $objSearcher.SearchScope = "Subtree"
        # Only fetch the attribute we need
        $objSearcher.PropertiesToLoad.Add("distinguishedname") | Out-Null
        $colResults = $objSearcher.FindAll()
        # distinguishedname comes back as a one-element collection; the calculated property unrolls it to a string
        $mbxes = $colResults | select @{Name="DN";Expression={$_.properties.distinguishedname}}
        # SearchResultCollection holds unmanaged resources; release them once the DNs are copied out
        $colResults.Dispose()
        return $mbxes
}

$reportPath = ".\ASReport.txt"
# Wrap in @() so .Count works even when a query returns a single object
$enabledUsers = @(Get-ActiveSyncEnabledMailboxes | sort DN)
# -Indirect expands nested groups; -SizeLimit 0 lifts the Quest default result cap
$OptIn = @(Get-QADGroupMember -Indirect "Exchange ActiveSync Opt-In" -SizeLimit 0 -Type user | select DN | sort DN)

# Guard: an empty opt-in list (missing group, wrong name, no members) would put every
# ActiveSync-enabled mailbox on the "disable" side of the comparison
if ($OptIn.Count -eq 0) {
        throw "Opt-In group returned no members (missing group or wrong name?); refusing to continue"
}

# SideIndicator "<=" : enabled for ActiveSync but not in the Opt-In group -> disable
# SideIndicator "=>" : in the Opt-In group but not enabled              -> enable
# SideIndicator "==" : in both (only emitted with -IncludeEqual)
$MissMatch = @(compare -ReferenceObject $enabledUsers -DifferenceObject $OptIn -Property DN) #-IncludeEqual
$index = 0
$max = $MissMatch.Count
Get-Date | Out-File -FilePath $reportPath
foreach ($Overload in $MissMatch) {
        $index++
        if ($max -gt 0) {
                $statusStr = "in progress " + $index + " of " + $max
                write-progress -activity "Processing ActiveSync Opt-In List" -status $statusStr -percentcomplete (($index/$max)*100)
        }
        $mbxDN = $Overload.DN
        $casErr = $null

        #Mailboxes enabled for ActiveSync, but not in Opt-In
        if ($Overload.SideIndicator -eq "<=") {
                Write-Host "- disable user" $mbxDN
                # Errors are not fatal, but record them instead of reporting a change that did not happen
                Set-CASMailbox -identity $mbxDN -ActiveSyncEnabled $false -ErrorAction SilentlyContinue -ErrorVariable casErr
                if ($casErr) { $line = "FAILED to disable: " + $mbxDN + " : " + $casErr } else { $line = "disabled: " + $mbxDN }
                $line | Out-File -FilePath $reportPath -Append
        }

        #Mailboxes in Opt-In, not enabled for ActiveSync
        if ($Overload.SideIndicator -eq "=>") {
                Write-Host "+ enable user" $mbxDN
                Set-CASMailbox -identity $mbxDN -ActiveSyncEnabled $true -ErrorAction SilentlyContinue -ErrorVariable casErr
                if ($casErr) { $line = "FAILED to enable: " + $mbxDN + " : " + $casErr } else { $line = "enabled: " + $mbxDN }
                $line | Out-File -FilePath $reportPath -Append
        }

        #Allowed ActiveSync-enabled mailboxes (only seen with -IncludeEqual). Use to set policy?
        if ($Overload.SideIndicator -eq "==") {
                Write-Host "Already enabled user" $mbxDN
                #Set-CASMailbox -identity $mbxDN -ActiveSyncEnabled $true
        }
}
if ($max -gt 0) {
        write-progress -activity "Processing ActiveSync Opt-In List" -status "complete" -completed
}
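Before the first run against a large mailbox population it is worth confirming that the hand-written LDAP bit test agrees with Exchange's own view of ActiveSync state, and dry-running the disable step. The following is an added example, not part of the original script, written against the same cmdlets. It assumes the Exchange 2007 and Quest snap-ins are loaded, that `Get-ActiveSyncEnabledMailboxes` from the script above has been dot-sourced into the session, and that the Opt-In group carries the name used above.

```powershell
# Added example: reconcile the LDAP bit test with Get-CASMailbox and dry-run the
# disable step. Not part of the original script. Assumes the Exchange 2007 and
# Quest snap-ins are loaded, Get-ActiveSyncEnabledMailboxes (from the script
# above) is dot-sourced into this session, and the group name below is correct.

$groupName = "Exchange ActiveSync Opt-In"

# Resolve the group first: a missing or misspelled group would otherwise show
# up as an empty opt-in list, i.e. "disable everyone".
$group = Get-QADGroup -Identity $groupName -ErrorAction SilentlyContinue
if (-not $group) { throw "Opt-In group '$groupName' not found; aborting." }

# Exchange's own view of who currently has ActiveSync enabled.
$exchangeEnabled = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and $_.Name -notlike "SystemMailbox{*" } |
    Select-Object -ExpandProperty DistinguishedName)

# The AD view from the script's LDAP query (same filter, same bit test).
$ldapEnabled = @(Get-ActiveSyncEnabledMailboxes | Select-Object -ExpandProperty DN)

# The two lists should match. Anything listed here is a mailbox where the
# msExchOmaAdminWirelessEnable bit test disagrees with Exchange; look at those
# before trusting the filter for a mass change.
$drift = @(Compare-Object -ReferenceObject $exchangeEnabled -DifferenceObject $ldapEnabled)
if ($drift.Count -gt 0) {
    Write-Warning ("LDAP filter and Get-CASMailbox disagree on " + $drift.Count + " mailbox(es):")
    $drift | Format-Table InputObject, SideIndicator -AutoSize
}

# Opt-in membership as a lookup table keyed on lower-cased DN (DNs are not case
# sensitive), so the membership test stays cheap at 70,000 mailboxes.
$optInSet = @{}
Get-QADGroupMember -Identity $groupName -Indirect -SizeLimit 0 -Type user |
    ForEach-Object { $optInSet[$_.DN.ToLower()] = $true }
if ($optInSet.Count -eq 0) { throw "Opt-In group '$groupName' has no user members; aborting." }

# Dry run: -WhatIf prints each Set-CASMailbox call the real run would make
# without changing anything. Drop -WhatIf only once the list looks right.
$exchangeEnabled |
    Where-Object { -not $optInSet.ContainsKey($_.ToLower()) } |
    ForEach-Object { Set-CASMailbox -Identity $_ -ActiveSyncEnabled $false -WhatIf }
```

The drift check is the important part: the script above trusts a bit test on `msExchOmaAdminWirelessEnable`, and if that test is wrong for some mailboxes, the mass run will either miss them or disable people who are already in the Opt-In group. Running the reconciliation once, and the `-WhatIf` pass before the first real run, costs a few minutes against the four hours the full run takes.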
