Solved

Disable Exchange OWA by default for all users (HTTP Protocol for mailbox setting)

Posted on 2003-11-12
Last Modified: 2008-02-01
I am looking for a way to disable all users' Exchange property that allows them to use the HTTP protocol. In other words, I want to deny them access to use Outlook Web Access (OWA) by default unless I explicitly go in and give them access. I know where to change this setting on each user's profile in AD, but of course this would take me days to turn off for everyone.

I am in no way skilled in writing any kind of scripts (although every day I am seeing more and more of a need to learn).

We are a single domain environment, running Active Directory.

I would really appreciate help with this, as well as maybe pointing me to where the newbiest of newbies can go to get his feet wet in the world of scripting.

Thx...Eric
0
Question by:ericmalone
8 Comments
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 100 total points
ID: 9736340
OWA requires web access - correct?

Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA.  Add the users to that group as you see fit.  All others should get denied.

The only other way to disable this is to remove the HTTP Protocol in Exchange System Manager from the list of protocols in use.

Hope this helps.
0
 
LVL 1

Expert Comment

by:Xylian
ID: 9736448
0
 

Author Comment

by:ericmalone
ID: 9743290
Netman66,

Great idea and I ran with it, but it also poses problems.  I'm not sure exactly what you meant by:

"Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA"

since there is no place in IIS MMC to assign directory permissions to a security group. But it did give me the idea to set up 2 security groups ("OWA Denied" and "OWA Allowed") on the "EXCHWEB" folder on the Exchange server (\Exchsrvr\exchweb). However, when I tried to log in as a user in the "OWA Denied" group, portions of the OWA interface were still accessible.

This leads me to believe that some of the files used for the OWA interface exist in directories other than "EXCHWEB".

Ideally, I would rather just have the denied user not be allowed any access to OWA.  There are plenty of users who I want to be able to utilize OWA, so removing or disabling the HTTP Protocol is not an option.

Again, I am looking for a way to change the "Enable For Mailbox" property under "Exchange Advanced tab" >> "Protocol Settings" >> "HTTP" on ALL user profiles.  Then I could go in and selectively turn the setting back on for authorized users.

Hopefully this clarifies what I need.  Maybe your idea will work if you know where in IIS security groups can be applied.

Otherwise, anyone have any other ideas? I am upping the points to 500.

Eric
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9744371
Ok...I've got an idea.


Using the same Security Groups as I mentioned before try this:

On the server, open the default Domain Security Policy.
Expand Security Settings > Local Policies > User Rights Assignment
On the right pane under Deny log on Locally - enable the policy and add the Security Group you do not want OWA to work for.

Advise the outcome.

0

 

Author Comment

by:ericmalone
ID: 9749493
I tried this and the denied user(s) does have full access to OWA.  

But this seems to make sense to me in that users are not normally allowed the right to logon to a domain controller anyway.

The search goes on.....
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9750095
Ok, what's happening is that OWA is using the IUSER_WAM account to log in anonymously to the web site before prompting for user credentials.

You'll need to work with the site permissions on the Virtual Directory for OWA.  This will allow you the ability to allow or deny access to the site itself.

There are a few articles on this in TechNet.

I will try to give you more detailed directions later this weekend when I can look at my server and determine where you should focus your effort.


This is possible.
0
 
LVL 21

Accepted Solution

by:marc_nivens
marc_nivens earned 400 total points
ID: 9757950
You can use admodify to disable this in bulk at the user level.  This way you still have the option of enabling it on select users.  The tool can be found here:  

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify
0
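A follow-up check for the bulk change described in the accepted answer, added here as an example (it is not from the thread participants and is not part of ADModify): it reads an LDIF export of mailbox users and lists accounts that still have OWA enabled but are not on an approved list. It assumes the per-user HTTP setting is stored in the `protocolSettings` attribute as a `§`-separated string whose second field is the enable flag, and that a missing HTTP value means enabled; the sample export, account names and function names are constructed for illustration.

```python
import base64

SEP = "\u00a7"  # '§' field separator inside a protocolSettings value (assumed format)

def _entry(name, setting):
    """Build one constructed LDIF entry; non-ASCII values are 'attr:: <base64>'."""
    b64 = base64.b64encode(setting.encode("utf-8")).decode("ascii")
    return ("dn: CN=%s,OU=Staff,DC=example,DC=local\n"
            "sAMAccountName: %s\nprotocolSettings:: %s\n" % (name, name, b64))

# Constructed sample export, not real directory data.
SAMPLE_LDIF = "\n".join(_entry(n, s) for n, s in [
    ("alice", "HTTP§0§1§§§§§§"),            # HTTP explicitly disabled
    ("bob",   "HTTP§1§1§§§§§§"),            # HTTP explicitly enabled
    ("carol", "POP3§0§4§ISO-8859-1§0§§§"),  # no HTTP value stored at all
])

def parse_ldif(text):
    """Return one {attribute_lowercased: [values]} dict per LDIF entry."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold; sentinel
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        value = rest.strip()
        if rest.startswith(":"):  # "attr:: <base64>" carries an encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    return entries

def owa_enabled(entry):
    """False only when an explicit HTTP value carries enable flag 0."""
    for value in entry.get("protocolsettings", []):
        fields = value.split(SEP)
        if fields[0].upper() == "HTTP" and len(fields) > 1:
            return fields[1] != "0"
    return True  # assumption: no stored HTTP value means the default, enabled

def unexpected_owa_users(ldif_text, allowed):
    """Accounts with OWA still enabled that are not on the approved list."""
    allowed = {name.lower() for name in allowed}
    names = [e["samaccountname"][0] for e in parse_ldif(ldif_text) if owa_enabled(e)]
    return sorted(n for n in names if n.lower() not in allowed)

if __name__ == "__main__":
    print(unexpected_owa_users(SAMPLE_LDIF, allowed=["bob"]))
```

Accounts with no stored HTTP value are reported as well, because under the stated assumption they would keep OWA access if the bulk change skipped them.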
 

Author Comment

by:ericmalone
ID: 9775251
Thanks marc, the ADModify was just what I needed.

Netman, I learned a lot starting with your suggestions.  thanks!


Eric
0
