Solved

Disable Exchange OWA by default for all users (HTTP Protocol for mailbox setting)

Posted on 2003-11-12
Last Modified: 2008-02-01
I am looking for a way to disable all users' Exchange property that allows them to use the HTTP protocol. In other words, I want to deny them access to use Outlook Web Access (OWA) by default unless I explicitly go in and give them access. I know where to change this setting on each user's profile in AD, but of course this would take me days to turn off for everyone.

I am in no way skilled in writing any kind of scripts (although every day I am seeing more and more of a need to learn).

We are a single domain environment, running Active Directory.

I would really appreciate help with this, as well as maybe pointing me to where the newbiest of newbies can go to get his feet wet in the world of scripting.

Thx...Eric
0
Question by:ericmalone
8 Comments
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 100 total points
ID: 9736340
OWA requires web access - correct?

Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA.  Add the users to that group as you see fit.  All others should get denied.

The only other way to disable this is to remove the HTTP Protocol in Exchange System Manager from the list of protocols in use.

Hope this helps.
0
 
LVL 1

Expert Comment

by:Xylian
ID: 9736448
0
 

Author Comment

by:ericmalone
ID: 9743290
Netman66,

Great idea and I ran with it, but it also poses problems.  I'm not sure exactly what you meant by:

"Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA"

since there is no place in IIS MMC to assign directory permissions to a security group. But it did give me the idea to set up 2 security groups ("OWA Denied" and "OWA Allowed") on the "EXCHWEB" folder on the Exchange server (\Exchsrvr\exchweb). However, when I tried to log in as a user in the "OWA Denied" group, portions of the OWA interface were still accessible.

This leads me to believe that some of the files used for the OWA interface exist in other directories other than "EXCHWEB".

Ideally, I would rather just have the denied user not be allowed any access to OWA.  There are plenty of users who I want to be able to utilize OWA, so removing or disabling the HTTP Protocol is not an option.

Again, I am looking for a way to change the "Enable For Mailbox" property under "Exchange Advanced tab" >> "Protocol Settings" >> "HTTP" on ALL user profiles.  Then I could go in and selectively turn the setting back on for authorized users.

Hopefully this clarifies what I need.  Maybe your idea will work if you know where in IIS security groups can be applied.

Otherwise, anyone have any other ideas? I am upping the points to 500.

Eric
0

 
LVL 51

Expert Comment

by:Netman66
ID: 9744371
Ok...I've got an idea.


Using the same Security Groups as I mentioned before try this:

On the server, open the default Domain Security Policy.
Expand Security Settings > Local Policies > User Rights Assignment
On the right pane under Deny log on Locally - enable the policy and add the Security Group you do not want OWA to work for.

Advise the outcome.

0
 

Author Comment

by:ericmalone
ID: 9749493
I tried this and the denied user(s) does have full access to OWA.  

But this seems to make sense to me in that users are not normally allowed the right to logon to a domain controller anyway.

The search goes on.....
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9750095
Ok, what's happening is that OWA is using the IUSER_WAM account to log in anonymously to the web site before prompting for user credentials.

You'll need to work with the site permissions on the Virtual Directory for OWA. This will allow you the ability to allow or deny access to the site itself.

There are a few articles on this in TechNet.

I will try to give you more detailed directions later this weekend when I can look at my server and determine where you should focus your effort.


This is possible.
0
 
LVL 21

Accepted Solution

by:
marc_nivens earned 400 total points
ID: 9757950
You can use admodify to disable this in bulk at the user level.  This way you still have the option of enabling it on select users.  The tool can be found here:  

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify
0
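
A scripted form of the bulk change discussed in this thread, as an added example that is not part of the original posts or any poster's code. It assumes Exchange 2000/2003 mailboxes, where the per-user "Enable for mailbox" HTTP setting is stored in the multi-valued `protocolSettings` attribute, and a management host with the ActiveDirectory PowerShell module; the `OWA Allowed` group name is taken from the thread and the search base is a placeholder.

```powershell
# Added example (not from the thread): deny OWA by default, keep it for one group.
# Assumptions: Exchange 2000/2003 schema, ActiveDirectory module available,
# 'OWA Allowed' group exists, SearchBase below is a placeholder to replace.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AllowGroup = 'OWA Allowed',
    [string]$SearchBase = 'DC=example,DC=local'   # placeholder domain
)

Import-Module ActiveDirectory

# protocolSettings values are fields separated by the section sign (U+00A7):
# protocol, enabled (1/0), use-server-defaults, then protocol-specific fields.
$sep      = [char]0x00A7
$disabled = "HTTP${sep}0${sep}1" + ([string]$sep * 6)   # HTTP disabled for this mailbox

# Distinguished names of the users who must keep OWA (nested groups included).
$allowed = @(Get-ADGroupMember -Identity $AllowGroup -Recursive |
             Select-Object -ExpandProperty distinguishedName)

# Mailbox-enabled users are the ones that carry a homeMDB attribute.
$filter = '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
$users  = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties protocolSettings

foreach ($u in $users) {
    if ($allowed -contains $u.DistinguishedName) { continue }   # explicitly allowed

    $current = @($u.protocolSettings)
    if ($current -contains $disabled) { continue }              # already denied

    # Preserve POP3/IMAP4 entries and replace only the HTTP entry.
    $new = @($current | Where-Object { $_ -and $_ -notlike "HTTP$sep*" }) + $disabled

    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable HTTP (OWA) in protocolSettings')) {
        Set-ADUser -Identity $u -Replace @{ protocolSettings = [string[]]$new }
    }
}
```

Save it as a script and run it with `-WhatIf` first to list the accounts that would change without writing to the directory. A user with no `protocolSettings` value has every protocol enabled by default, which is why the script writes an explicit HTTP entry rather than clearing the attribute.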
 

Author Comment

by:ericmalone
ID: 9775251
Thanks marc, the ADModify was just what I needed.

Netman, I learned a lot starting with your suggestions.  thanks!


Eric
0


Question has a verified solution.
