Solved

Disable Exchange OWA by default for all users (HTTP Protocol for mailbox setting)

Posted on 2003-11-12
Last Modified: 2008-02-01
I am looking for a way to disable all users' Exchange property that allows them to use the HTTP protocol. In other words, I want to deny them access to use Outlook Web Access (OWA) by default unless I explicitly go in and give them access. I know where to change this setting on each user's profile in AD, but of course this would take me days to turn off for everyone.

I am in no way skilled in writing any kind of scripts (although every day I am seeing more and more of a need to learn).

We are a single domain environment, running Active Directory.

I would really appreciate help with this, as well as maybe pointing me to where the newbiest of newbies can go to get his feet wet in the world of scripting.

Thx...Eric
0
Question by:ericmalone
8 Comments
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 400 total points
ID: 9736340
OWA requires web access - correct?

Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA.  Add the users to that group as you see fit.  All others should get denied.

The only other way to disable this is to remove the HTTP Protocol in Exchange System Manager from the list of protocols in use.

Hope this helps.
0
 
LVL 1

Expert Comment

by:Xylian
ID: 9736448
0
 

Author Comment

by:ericmalone
ID: 9743290
Netman66,

Great idea and I ran with it, but it also poses problems.  I'm not sure exactly what you meant by:

"Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA"

since there is no place in IIS MMC to assign directory permissions to a security group. But it did give me the idea to set up 2 security groups ("OWA Denied" and "OWA Allowed") on the "EXCHWEB" folder on the Exchange server (\Exchsrvr\exchweb). However, when I tried to log in as a user in the "OWA Denied" group, portions of the OWA interface were still accessible.

This leads me to believe that some of the files used for the OWA interface exist in other directories other than "EXCHWEB".

Ideally, I would rather just have the denied user not be allowed any access to OWA.  There are plenty of users who I want to be able to utilize OWA, so removing or disabling the HTTP Protocol is not an option.

Again, I am looking for a way to change the "Enable For Mailbox" property under "Exchange Advanced tab" >> "Protocol Settings" >> "HTTP" on ALL user profiles.  Then I could go in and selectively turn the setting back on for authorized users.

Hopefully this clarifies what I need.  Maybe your idea will work if you know where in IIS security groups can be applied.

Otherwise, anyone have any other ideas?  I am upping the points to 500.

Eric
0

 
LVL 51

Expert Comment

by:Netman66
ID: 9744371
Ok...I've got an idea.


Using the same Security Groups as I mentioned before try this:

On the server, open the default Domain Security Policy.
Expand Security Settings > Local Policies > User Rights Assignment
In the right pane, under "Deny log on locally", enable the policy and add the Security Group you do not want OWA to work for.

Advise the outcome.

0
 

Author Comment

by:ericmalone
ID: 9749493
I tried this and the denied user(s) does have full access to OWA.  

But this seems to make sense to me in that users are not normally allowed the right to logon to a domain controller anyway.

The search goes on.....
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9750095
Ok, what's happening is that OWA is using the IUSER_WAM account to log in anonymously to the web site before prompting for user credentials.

You'll need to work with the site permissions on the Virtual Directory for OWA.  This will allow you the ability to allow or deny access to the site itself.

There are a few articles on this in TechNet.

I will try to give you more detailed directions later this weekend when I can look at my server and determine where you should focus your effort.


This is possible.
0
 
LVL 21

Accepted Solution

by:marc_nivens
marc_nivens earned 1600 total points
ID: 9757950
You can use ADModify to disable this in bulk at the user level.  This way you still have the option of enabling it on select users.  The tool can be found here:

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify
0
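
A scripted equivalent of the bulk change described in the accepted answer, as an added example that is not part of the original thread and is not ADModify itself. It assumes the RSAT ActiveDirectory PowerShell module, an Exchange 2000/2003-style `protocolSettings` attribute in which the per-mailbox HTTP setting is the value `HTTP§0§1§§§§§§` (disabled) or `HTTP§1§1§§§§§§` (enabled), and placeholder names for the OU and the allow-list group.

```powershell
# Added example (not from the thread). Deny OWA by default, allow by group.
# Assumption: per-mailbox HTTP access is the "HTTP" entry of the multi-valued
# protocolSettings attribute; a missing entry means "enabled".
Import-Module ActiveDirectory

$SearchBase   = 'OU=Staff,DC=example,DC=com'  # placeholder: scope of the change
$AllowedGroup = 'OWA Allowed'                  # placeholder: members keep OWA
$DryRun       = $true                          # set to $false to write changes

$sep          = [string][char]0xA7             # section sign used as field separator
$httpDisabled = "HTTP${sep}0${sep}1" + ($sep * 6)

# Distinguished names that must keep OWA (nested groups included).
$allowed = @(Get-ADGroupMember -Identity $AllowedGroup -Recursive |
    Select-Object -ExpandProperty distinguishedName)

# Mailbox-enabled users only: they have a mailbox store (homeMDB) assigned.
$users = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(homeMDB=*)' `
    -Properties protocolSettings

foreach ($user in $users) {
    if ($allowed -contains $user.DistinguishedName) { continue }

    $current = @($user.protocolSettings)
    if ($current -contains $httpDisabled) { continue }   # already denied

    # Keep POP3/IMAP4 and any other entries; replace only the HTTP one.
    $kept = @($current | Where-Object { $_ -notlike "HTTP${sep}*" })
    $new  = [string[]]($kept + $httpDisabled)

    Set-ADUser -Identity $user -Replace @{ protocolSettings = $new } -WhatIf:$DryRun
    Write-Output ("{0}: HTTP entry set to disabled (dry run: {1})" -f `
        $user.SamAccountName, $DryRun)
}
```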
 

Author Comment

by:ericmalone
ID: 9775251
Thanks marc, the ADModify was just what I needed.

Netman, I learned a lot starting with your suggestions.  thanks!


Eric
0

Question has a verified solution.