Mass-enabling or disabling Outlook Mobile Access permissions


Serdar Yegulalp
04.13.2006

When setting up Outlook Mobile Access (OMA) for an Exchange Server installation, you may want to selectively enable or disable OMA for groups of users (or all users at once). But doing so can be slightly complicated because of certain default Exchange Server and Windows Server configurations.

When you first set up Exchange 2003, all users have OMA enabled in their Active Directory account properties. But the Outlook Mobile Access option -- which controls whether or not those AD properties are used -- is disabled. Since users' OMA settings in AD are not activated, if OMA is enabled in Exchange System Manager (in Global Settings -> Mobile Services), all users will have OMA turned on.

If you're in an organization with a lot of users, you probably do not want to give OMA usage permissions to everyone. But you also don't want to have to go through AD and manually disable OMA for each person you don't want to allow mobile access.

There is a faster and easier way to selectively allow OMA access though. The first -- and hardest -- step is turning off OMA by default for all users in Active Directory. One quick way to do this is through the following VB script, which sets the msExchOmaAdminWirelessEnable property in AD for each user to 7 (the value meaning "disabled").

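Set xDSE = GetObject("LDAP://rootDSE")
' Bind to the default Users container of the current domain
Set xUsers = GetObject("LDAP://cn=Users," & xDSE.Get("defaultNamingContext"))
For Each xUser In xUsers
    ' The container also holds groups; only modify user objects
    If LCase(xUser.Class) = "user" Then
        xUser.Put "msExchOmaAdminWirelessEnable", 7
        xUser.SetInfo
    End If
Next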

You can then enable OMA for certain users through Active Directory Users and Computers with a tool like ADModify, which allows you to bulk-modify the msExchOmaAdminWirelessEnable property for a list of users or by user-group names. This usually requires two passes, though -- one pass to disable OMA access for everyone (as above), and then another pass to enable it for selected users.
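
The two passes can also be combined into one script that enforces an allow list. This is an added example, not code from the original tip: it assumes a hypothetical group named "OMA Allowed" in cn=Users, treats the attribute as a bit mask in which 2 is the OMA-disabled flag (as tabulated in the member feedback below) so the other mobile settings are preserved, and treats an unset attribute as 0.

```vbscript
Option Explicit
' Added example: allow-list enforcement for OMA in the Users container.
' Assumptions: bit value 2 = "OMA disabled"; unset attribute = 0 (all enabled).
Const OMA_DISABLED_BIT = 2
Const ALLOW_GROUP_CN = "cn=OMA Allowed"  ' hypothetical group in cn=Users
Const DRY_RUN = True                      ' report only; set to False to write

Dim dse, baseDn, users, allowGroup, allowed, member, user

Set dse = GetObject("LDAP://rootDSE")
baseDn = dse.Get("defaultNamingContext")
Set users = GetObject("LDAP://cn=Users," & baseDn)
Set allowGroup = GetObject("LDAP://" & ALLOW_GROUP_CN & ",cn=Users," & baseDn)

' Index the DNs of the group's direct members (nested groups are not expanded)
Set allowed = CreateObject("Scripting.Dictionary")
allowed.CompareMode = vbTextCompare
For Each member In allowGroup.Members
    allowed(member.Get("distinguishedName")) = True
Next

' The container also holds groups; only user objects are evaluated
For Each user In users
    If LCase(user.Class) = "user" Then
        ApplyOma user, allowed.Exists(user.Get("distinguishedName"))
    End If
Next

Sub ApplyOma(u, allowOma)
    Dim current, wanted
    current = 0
    On Error Resume Next              ' Get raises an error when the attribute is unset
    current = u.Get("msExchOmaAdminWirelessEnable")
    On Error GoTo 0
    If allowOma Then
        wanted = current And (Not OMA_DISABLED_BIT)   ' clear only the OMA flag
    Else
        wanted = current Or OMA_DISABLED_BIT          ' set only the OMA flag
    End If
    If wanted <> current Then
        WScript.Echo u.Get("distinguishedName") & ": " & current & " -> " & wanted
        If Not DRY_RUN Then
            u.Put "msExchOmaAdminWirelessEnable", wanted
            u.SetInfo
        End If
    End If
End Sub
```

Run it with cscript so each pending change prints as a line of text, and review the dry-run output before setting DRY_RUN to False.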

About the author: Serdar Yegulalp is editor of Windows Insight.

MEMBER FEEDBACK TO THIS OMA TIP

What about users that are created after you've disabled Outlook Web Access for a selective few? Will OWA still be enabled for them by default?
—Mark A.

******************************************

I haven't yet been able to find a definitive answer, but I believe Outlook Web Access will still be enabled for new users by default. My own Exchange installation is currently toast or I'd try it out myself, but I suspect this is what will happen.
—Serdar Yegulalp, tip author

******************************************

To disable only OMA, the correct value is "2" not "7." The "7" value will disable OMA, ActiveSync and push technology. Please refer to the table below.

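msExchOmaAdminWirelessEnable   OMA        User Initiated Synchronization   Up-to-date Notification
0                              Enabled    Enabled                          Enabled
1                              Enabled    Enabled                          Disabled
2                              Disabled   Enabled                          Enabled
3                              Disabled   Enabled                          Disabled
4                              Enabled    Disabled                         Enabled
5                              Enabled    Disabled                         Disabled
6                              Disabled   Disabled                         Enabled
7                              Disabled   Disabled                         Disabled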

—Juan U.

******************************************

Great article; I was not aware of the bulk tool ADModify previously. However, when I try to cut and paste the VB extract to a text document and rename it 'disable.vbs,' I get the following error:

[IMAGE]

I am running native Windows Server 2003 AD (R2) and Exchange 2003 SP2.

I am unsure from the article whether the script was meant to disable OWA by default, or whether it does it individually per already-created-user (looking at the script I would guess the latter).

If there is a way of disabling users by default, it would save the admins that create users from forgetting to set this each time.
—Graham S.

******************************************

The script disables existing users. A number of people have asked if it's possible to do this for all users by default, which I'm not sure of yet (although I'm looking into ways to do that).

As for the error you're getting, I'm not sure about that either, although one possible reason is that you're running it in the context of a user account that doesn't allow such objects to be modified.
—Serdar Yegulalp, tip author

******************************************

Our organization would like to be able to change the default behavior for Microsoft Exchange regarding OMA. We don't want to run a script and then have all new users after the script is run be set to allow OMA access. What an administrative nightmare!

We have hundreds of new users created every month. We want to control who gets permission to use OMA access. Running the script today isn't going to help control the 200+ new accounts created every month thereafter!
—Melissa A.
