jdholston
asked on
Exchange 2010 activesync questions
We have one ActiveSync mailbox policy which is, of course, the default and by default, it is enabled. Can I change the default policy so that new mailboxes that we create will have ActiveSync disabled? If so, what impact will it have on mailboxes that are using the default policy and are already enabled for ActiveSync? If I create a new policy, how do I make sure that mailboxes assigned to that policy are not enabled for ActiveSync?
Thanks,
Johnny
If you want to disable ActiveSync for new mailboxes without disabling it on the mailboxes that already use it, you can use the cmdlet extension agent:
http://social.technet.microsoft.com/Forums/exchange/en-US/729bfaf1-76ac-44e7-9b03-8730e7ff54a7/disable-owa-activesync-as-default-for-new-users?forum=exchange2010
There is a really very handy feature in Exchange 2010 that Microsoft have barely documented and therefore goes, for the most part, unused and forgotten; it is called the cmdlet extension agent.
You can look at the very sparse bit of Microsoft help in the form of the following file C:\Program Files\Microsoft\Exchange Server\V14\Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml.SAMPLE, which gives you basic instructions to use as a base, all of which will confirm the instructions I give below.
To just disable Active-Sync, follow these 2 very simple steps, it should be very easy to modify this to include OWA by simply adding -owaenabled $false but I have not personally tested that so I won't add it to the code I post here, which I HAVE tested and verified myself.
1 : Copy and paste the code below into notepad, save the file as ScriptingAgentConfig.xml into the directory mentioned above
2 : Run the following Exchange shell command: Enable-CmdletExtensionAgent "Scripting Agent"
That's it. Hope this helps.
<?xml version="1.0" encoding="utf-8" ?>
<Configuration version="1.0">
  <Feature Name="MailboxProvisioning" Cmdlets="enable-mailbox">
    <ApiCall Name="OnComplete">
      # Runs after Enable-Mailbox completes; act only if the cmdlet succeeded
      if($succeeded)
      {
        # Resolve the mailbox from the Identity passed to Enable-Mailbox
        $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Identity"]).distinguishedName
        Set-CASMailbox $user -ActiveSyncEnabled $false
      }
    </ApiCall>
  </Feature>
  <Feature Name="MailboxProvisioning" Cmdlets="new-mailbox">
    <ApiCall Name="OnComplete">
      # Runs after New-Mailbox completes; act only if the cmdlet succeeded
      if($succeeded)
      {
        # Resolve the new mailbox from the Name passed to New-Mailbox
        $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Name"]).distinguishedName
        Set-CASMailbox $user -ActiveSyncEnabled $false
      }
    </ApiCall>
  </Feature>
</Configuration>
ASKER
Thanks, liorkr. I will try the script, but will have to wait until after hours, just in case we run into any issues. I was wondering which server(s) this needs to be installed on. I assume on my 2 mailbox servers, but does it also need to be on my CAS/HT servers?
Thanks,
Johnny
To be honest, I only used it on servers with all roles installed on one server, but I think that using it on the mailbox server should be enough. As for problems, I used it many times without any problem; hope that will be the case for you also.
good luck.
ASKER
liorkr:
I copied, pasted the script above and saved it as the .xml file as suggested and saved it in the location you listed. I ran the Enable-CmdletExtensionAgent "Scripting Agent" and got no errors. When I created a new user, I received the below warning message. The account was created but ActiveSync was enabled. Not sure if I missed something. Hopefully it is just a minor thing on my part... Any help is greatly appreciated...
Thanks,
Johnny
Summary: 1 item(s). 1 succeeded, 0 failed.
Elapsed time: 00:00:01
Public, John Q.
Completed
Warning:
The cmdlet extension agent with the index 5 has thrown an exception in OnComplete(). The exception is: Microsoft.Exchange.Provisioning.ProvisioningException: ScriptingAgent: Exception thrown while invoking scriptlet for OnComplete API: Cannot bind argument to parameter 'Identity' because it is null.. ---> System.Management.Automation.ParameterBindingValidationException: Cannot bind argument to parameter 'Identity' because it is null.
at System.Management.Automation.ParameterBinderBase.ValidateNullOrEmptyArgument(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, Type argumentType, Object parameterValue, Boolean recurseIntoCollections)
at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, ParameterBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindParameter(CommandParameterInternal argument, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindParameter(UInt32 parameterSets, CommandParameterInternal argument, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
at System.Management.Automation.ParameterBinderController.BindPositionalParametersInSet(UInt32 validParameterSets, Dictionary`2 nextPositionalParameters, CommandParameterInternal argument, ParameterBindingFlags flags, ParameterBindingException& bindingException)
at System.Management.Automation.ParameterBinderController.BindPositionalParameters(Collection`1 unboundArguments, UInt32 validParameterSets, UInt32 defaultParameterSet, Boolean ignoreArgumentsThatLookLikeParameters, ParameterBindingException& outgoingBindingException)
at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParametersNoValidation(Collection`1 arguments)
at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParameters(Collection`1 arguments)
at System.Management.Automation.CommandProcessor.BindCommandLineParameters(CommandParameterInternal[] parameters)
at System.Management.Automation.CommandProcessor.Prepare(CommandParameterInternal[] parameters)
at System.Management.Automation.CommandProcessorBase.DoPrepare(CommandParameterInternal[] parameters)
at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream)
at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input, Hashtable errorResults, Boolean enumerate)
--- End of inner exception stack trace ---
at Microsoft.Exchange.ProvisioningAgent.ScriptingAgentHandler.OnComplete(Boolean succeeded, Exception e)
at Microsoft.Exchange.Provisioning.ProvisioningLayer.OnComplete(Task task, Boolean succeeded, Exception exception)
Exchange Management Shell command completed:
New-Mailbox -Name 'Public, John Q.' -Alias 'JQPublic' -OrganizationalUnit 'kennedy-center.org/Users' -UserPrincipalName 'JQPublic@kennedy-center.org' -SamAccountName 'JQPublic' -FirstName 'John' -Initials 'Q' -LastName 'Public' -Password 'System.Security.SecureString' -ResetPasswordOnNextLogon $false -Database 'DB09'
Elapsed Time: 00:00:01
ASKER
liorkr,
I finally got it working. Had to edit the AgentConfig.xml.sample file and then copied it to the mailbox servers. I still got the warning message. I then copied the file to the CAS/HT servers and still got the errors. Lastly, and I don't know why this made it work, I copied the file to my UM servers and then ran the Enable-CmdletExtensionAgent "Scripting Agent" and created a new user and there were no warnings and the user had ActiveSync disabled.
Whew!!! Thanks for your assist on this...
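A check for the situation described above, where the agent only behaved once the file was present on every server role (added example, not part of the thread). It assumes the default V14 install path on drive C:, reachable C$ admin shares, and an Exchange Management Shell session; Get-Sha256Hex is a hypothetical helper name.

```powershell
# Added example: run from the Exchange Management Shell (Exchange 2010).
# Assumption: Exchange is installed under the default path on drive C: of each server.
$relPath = 'Program Files\Microsoft\Exchange Server\V14\Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml'

# Hypothetical helper: SHA-256 of a file as hex, without relying on Get-FileHash
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '')
    } finally {
        $sha.Clear()
    }
}

# 1. Is the Scripting Agent enabled at all?
$agent = Get-CmdletExtensionAgent -Identity 'Scripting Agent'
Write-Host "Scripting Agent enabled: $($agent.Enabled)"

# 2. Does every Exchange server hold the same ScriptingAgentConfig.xml?
$report = foreach ($server in Get-ExchangeServer) {
    $unc = "\\$($server.Name)\C`$\$relPath"
    if (Test-Path -LiteralPath $unc) { $hash = Get-Sha256Hex $unc } else { $hash = 'MISSING' }
    New-Object PSObject -Property @{
        Server     = $server.Name
        Roles      = $server.ServerRole
        ConfigHash = $hash
    }
}
$report | Sort-Object Server | Format-Table Server, Roles, ConfigHash -AutoSize

$distinct = @($report | Select-Object -ExpandProperty ConfigHash | Sort-Object -Unique)
if ($distinct.Count -gt 1 -or $distinct -contains 'MISSING') {
    Write-Warning 'ScriptingAgentConfig.xml is missing or differs between servers.'
}

# 3. Which mailboxes still have ActiveSync enabled? New mailboxes should not
#    show up here once the agent is working.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncEnabled
```

Running step 3 before and after creating a test mailbox shows whether the OnComplete handler actually fired for it.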
There's no way to disable ActiveSync by using the ActiveSync policies (Though you could seriously hinder ActiveSync this way.)
What you want to do is leave the policy as is, then disable ActiveSync on a user-by-user basis. Here's the PowerShell line we use when we create users -
set-qaduser [USERID] -ObjectAttributes @{ msExchOmaAdminWirelessEnab
You would need to have the Quest PowerShell tools for this one.