Disable Exchange OWA by default for all users (HTTP Protocol for mailbox setting)

I am looking for a way to disable all users' Exchange property that allows them to use the HTTP protocol. In other words, I want to deny them access to use Outlook Web Access (OWA) by default unless I explicitly go in and give them access. I know where to change this setting on each user's profile in AD, but of course this would take me days to turn off for everyone.

I am in no way skilled in writing any kind of scripts (although every day I am seeing more and more of a need to learn).

We are a single domain environment, running Active Directory.

I would really appreciate help with this, as well as maybe pointing me to where the newbiest of newbies can go to get his feet wet in the world of scripting.

Thx...Eric
ericmaloneAsked:

Netman66Commented:
OWA requires web access - correct?

Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA.  Add the users to that group as you see fit.  All others should get denied.

The only other way to disable this is to remove the HTTP Protocol in Exchange System Manager from the list of protocols in use.

Hope this helps.
0
XylianCommented:
0
ericmaloneAuthor Commented:
Netman66,

Great idea and I ran with it, but it also poses problems.  I'm not sure exactly what you meant by:

"Change the permissions on the IIS Server to allow a Security Group the access necessary for OWA"

since there is no place in IIS MMC to assign directory permissions to a security group. But it did give me the idea to set up 2 security groups ("OWA Denied" and "OWA Allowed") on the "EXCHWEB" folder on the Exchange server (\Exchsrvr\exchweb). However, when I tried to log in as a user in the "OWA Denied" group, portions of the OWA interface were still accessible.

This leads me to believe that some of the files used for the OWA interface exist in directories other than "EXCHWEB".

Ideally, I would rather just have the denied user not be allowed any access to OWA.  There are plenty of users who I want to be able to utilize OWA, so removing or disabling the HTTP Protocol is not an option.

Again, I am looking for a way to change the "Enable For Mailbox" property under "Exchange Advanced tab" >> "Protocol Settings" >> "HTTP" on ALL user profiles.  Then I could go in and selectively turn the setting back on for authorized users.

Hopefully this clarifies what I need.  Maybe your idea will work if you know where in IIS security groups can be applied.

Otherwise, does anyone have any other ideas? I am upping the points to 500.

Eric
0

Netman66Commented:
Ok...I've got an idea.


Using the same Security Groups as I mentioned before try this:

On the server, open the default Domain Security Policy.
Expand Security Settings > Local Policies > User Rights Assignment
On the right pane under Deny log on Locally - enable the policy and add the Security Group you do not want OWA to work for.

Advise the outcome.

0
ericmaloneAuthor Commented:
I tried this and the denied user(s) does have full access to OWA.  

But this seems to make sense to me in that users are not normally allowed the right to logon to a domain controller anyway.

The search goes on.....
0
Netman66Commented:
Ok, what's happening is that OWA is using the IUSER_WAM account to log in anonymously to the web site before prompting for user credentials.

You'll need to work with the site permissions on the Virtual Directory for OWA.  This will allow you the ability to allow or deny access to the site itself.

There are a few articles on this in TechNet.

I will try to give you more detailed directions later this weekend when I can look at my server and determine where you should focus your effort.


This is possible.
0
marc_nivensCommented:
You can use admodify to disable this in bulk at the user level.  This way you still have the option of enabling it on select users.  The tool can be found here:  

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify
0
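
The default-deny bulk change discussed above, worked through in PowerShell as an added example (not part of the original thread, and not ADModify's code). It assumes the per-mailbox HTTP switch lives in the multi-valued AD attribute `protocolSettings` as a `§`-delimited string whose second field is 1 (enabled) or 0 (disabled); the function names, sample users and allow-list are hypothetical.

```powershell
# Added example. Assumption: Exchange 2000/2003 keeps per-mailbox protocol
# switches in the AD attribute protocolSettings, one '§'-delimited string per
# protocol; the field after the name is 1 (enabled) or 0 (disabled), and a
# mailbox with no HTTP entry falls back to the default (enabled).
$Sep = [char]0x00A7   # section sign used as the field delimiter

function Test-OwaEnabled {
    param([string[]]$ProtocolSettings)
    $http = @($ProtocolSettings | Where-Object { $_ -like "HTTP$Sep*" })
    if ($http.Count -eq 0) { return $true }          # no entry: default applies
    return ($http[0].Split($Sep)[1] -ne '0')
}

function Get-OwaDisabledSettings {
    param([string[]]$ProtocolSettings)
    # Leave POP3/IMAP4 entries untouched; replace or add only the HTTP entry.
    $others = @($ProtocolSettings | Where-Object { $_ -and $_ -notlike "HTTP$Sep*" })
    $others + ("HTTP${Sep}0${Sep}1" + ("$Sep" * 6))
}

function Get-OwaLockdownPlan {
    param([object[]]$Users, [string[]]$AllowList)
    foreach ($u in $Users) {
        if ($AllowList -contains $u.SamAccountName) { continue }      # explicitly allowed
        if (-not (Test-OwaEnabled $u.protocolSettings)) { continue }  # already off
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            NewSettings    = @(Get-OwaDisabledSettings $u.protocolSettings)
        }
    }
}

# Constructed sample users standing in for mailbox-enabled accounts read from AD.
$on   = "HTTP${Sep}1${Sep}1" + ("$Sep" * 6)
$off  = "HTTP${Sep}0${Sep}1" + ("$Sep" * 6)
$pop3 = "POP3${Sep}1${Sep}1${Sep}4${Sep}ISO-8859-1${Sep}0${Sep}1${Sep}0${Sep}0"
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; protocolSettings = @() }            # default
    [pscustomobject]@{ SamAccountName = 'bob';   protocolSettings = @($pop3, $on) }  # keeps POP3
    [pscustomobject]@{ SamAccountName = 'carol'; protocolSettings = @($on) }         # allow-listed
    [pscustomobject]@{ SamAccountName = 'dave';  protocolSettings = @($off) }        # already off
)

# Only alice and bob appear in the plan; carol stays enabled, dave needs no change.
Get-OwaLockdownPlan -Users $users -AllowList 'carol' | Format-List
```

The plan is computed without touching the directory, so it can be reviewed before each `NewSettings` array is written back to the matching user's `protocolSettings` attribute.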

ericmaloneAuthor Commented:
Thanks marc, the ADModify was just what I needed.

Netman, I learned a lot starting with your suggestions.  thanks!


Eric
0
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.