Solved

Disable Exchange OWA by default for all users (HTTP Protocol for mailbox setting)

Posted on 2003-11-12
8
872 Views
Last Modified: 2008-02-01
I am looking for a way to disable all user's Exchange property that allows them to use the HTTP protocol.  In other words, I want to deny them access to use Outlook Web Access (OWA) by default unless I explicitly go in and give them access.  I know where to change this setting on each user's profile in AD, but of course this would take me days to turn off for everyone.

I am in no way skilled in writing any kind of scripts.  (although everyday I am seeing more and more of a need to learn)

We are a single domain environment, running Active Directory.

I would really appreciate help with this, as well as maybe pointing me to where the newbiest of newbies can go to get his feet wet in the world of scripting.

Thx...Eric
0
Comment
Question by:ericmalone
8 Comments
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 100 total points
ID: 9736340
OWA requires web access - correct?

Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA.  Add the users to that group as you see fit.  All others should get denied.

The only other way to disable this is to remove the HTTP Protocol in Exchange System Manager from the list of protocols in use.

Hope this helps.
0
 
LVL 1

Expert Comment

by:Xylian
ID: 9736448
0
 

Author Comment

by:ericmalone
ID: 9743290
Netman66,

Great idea and I ran with it, but it also poses problems.  I'm not sure exactly what you meant by:

"Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA"

since there is no place in IIS MMC to assign directory permissions to a security group. But it did give me the idea to set up 2 security groups ("OWA Denied" and "OWA Allowed") on the "EXCHWEB" folder on the Exchange server(\Exchsrvr\exchweb).  However, when I tried to log in as a user in the "OWA Denied" group,  portions of the OWA interface were still accessible.

This leads me to believe that some of the files used for the OWA interface exist in other directories other than "EXCHWEB".

Ideally, I would rather just have the denied user not be allowed any access to OWA.  There are plenty of users who I want to be able to utilize OWA, so removing or disabling the HTTP Protocol is not an option.

Again, I am looking for a way to change the "Enable For Mailbox" property under "Exchange Advanced tab" >> "Protocol Settings" >> "HTTP" on ALL user profiles.  Then I could go in and selectively turn the setting back on for authorized users.

Hopefully this clarifies what I need.  Maybe your idea will work if you know where in IIS security groups can be applied.

Otherwise, anyone have any other ideas.  I am upping the points to 500.

Eric
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 51

Expert Comment

by:Netman66
ID: 9744371
Ok...I've got an idea.


Using the same Security Groups as I mentioned before try this:

On the server, open the default Domain Security Policy.
Expand Security Settings>Local Polciies>User rights Assignment
On the right pane under Deny log on Locally - enable the policy and add the Security Group you do not want OWA to work for.

Advise the outcome.

0
 

Author Comment

by:ericmalone
ID: 9749493
I tried this and the denied user(s) does have full access to OWA.  

But this seems to make sense to me in that users are not normally allowed the right to logon to a domain controller anyway.

The search goes on.....
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9750095
Ok, what's happening is that OWA is using the IUSER_WAM account to log in anonymously to the web site before prompting for user credentials.

You'll need to work will the site permissions on the Virtual Directory for OWA.  This will allow you the ability to allow or deny access to the site itself.

There are a few articles on this in TechNet.

I will try to give you more detailed directions later this weekend when I can look at my server and determine where you should focus your effort.


This is possible.
0
 
LVL 21

Accepted Solution

by:
marc_nivens earned 400 total points
ID: 9757950
You can use admodify to disable this in bulk at the user level.  This way you still have the option of enabling it on select users.  The tool can be found here:  

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify
0
 

Author Comment

by:ericmalone
ID: 9775251
Thanks marc, the ADModify was just what I needed.

Netman, I learned a lot starting with your suggestions.  thanks!


Eric
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Building a successful professional career is a long and difficult journey, especially in case if your decisions are not chosen carefully. For example, if you think that you can get to the desired position without experience and apply for it, your ch…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question