Exchange 2010 ActiveSync & IIS

We are setting up Exchange 2010 but want to limit down the users who can sync with ActiveSync with just an AD group. I have seen other solutions by using a PowerShell script but I would like to limit it down through IIS.

I have tried to set permissions on the security tab on the Microsoft-Server-ActiveSync site directory as read only and removed the authenticated users.  We then tested and the user could get through without being in the group.  So I changed the authentication from basic authentication to windows authentication and it fails for everyone.

Any help would be greatly appreciated!  Thanks!
Sedgwick_County Asked:

Will Szymkowski, Senior Solution Architect, Commented:
"but I would like to limit it down through IIS"
Making changes through IIS is not the recommended approach. If you are messing with IIS you can completely mess up Exchange or your virtual directories.

PowerShell is the correct way to do this.

You do not have to do this based on a group with users in it. You can do it based on OU or a CSV or Text file with Names in it. There are several ways to accomplish this but I would not recommend doing this via IIS.

ps. if you want help with a script let me know.

Will.
0
Sedgwick_County (Author) Commented:
Could you give some different examples how to fix it a different way?   The issue is that Exchange puts users in ActiveSync enabled so we want that turned off.  So any help with a script would be greatly appreciated if that is the proper way to do it.
0
Will Szymkowski, Senior Solution Architect, Commented:
The default mailbox settings are built into Exchange and from the EMC when you create a new user it is enabled by default and you cannot change this.

If you want to disable this when creating new accounts you have to pipe the Set-Mailbox cmdlet to the end of the New-Mailbox command.

Now for Disabling ActiveSync for a single user
Set-CASMailbox -Identity <alias> -ActiveSyncEnabled $false

For multiple Users from a text file
# filename.txt holds one mailbox identity (alias or address) per line
$ASEnabled = Get-Content "c:\filename.txt"
ForEach ($user in $ASEnabled) {
    Set-CASMailbox -Identity $user -ActiveSyncEnabled $false
}

For Multiple Users from a CSV (construct csv like below...)
Email
johndoe@domain.com
mikesmith@domain.com
etc....

# The CSV needs a header row named Email, as shown above
$ASEnabled = Import-Csv "c:\filename.csv"
ForEach ($user in $ASEnabled) {
    # Echo the address being processed
    $user.Email
    Set-CASMailbox -Identity $user.Email -ActiveSyncEnabled $False
}

And if you want to do this from a Security Group follow the link below which will provide this in more detail.

https://vnetwise.wordpress.com/2013/03/14/howto-exchange-2010-activesync-group-enable-and-disable-powershell-scripting/

Will.
0
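
The group-based approach discussed in this thread, as an added example that is not code from any of the posters or from the linked article: it reconciles ActiveSyncEnabled on every mailbox with membership of one AD security group. It assumes the Exchange Management Shell with the ActiveDirectory module available; the group name ActiveSync-Allowed and the -Apply switch are hypothetical names chosen for illustration.

```powershell
# Added example: enable ActiveSync only for members of an AD security group.
# Assumptions: run from the Exchange Management Shell on a host that also has
# the ActiveDirectory module; 'ActiveSync-Allowed' is a hypothetical group name.
param(
    [string]$GroupName = 'ActiveSync-Allowed',
    [switch]$Apply   # without -Apply the script only reports what it would change
)

Import-Module ActiveDirectory

# Resolve membership recursively so users in nested groups are included.
# PowerShell hashtable keys are case-insensitive, which suits DN comparison.
$allowed = @{}
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $allowed[$_.distinguishedName] = $true }

# Guard: an empty result (typo in the name, emptied group) would otherwise
# switch ActiveSync off for the whole organization.
if ($allowed.Count -eq 0) {
    throw "Group '$GroupName' returned no users; nothing changed."
}

# Compare every mailbox against the group and fix only the ones that differ.
foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
    $shouldBeEnabled = $allowed.ContainsKey($mbx.DistinguishedName)

    if ($mbx.ActiveSyncEnabled -ne $shouldBeEnabled) {
        # Emit one line per change so the run can be logged and reviewed.
        '{0}: ActiveSyncEnabled {1} -> {2}' -f $mbx.Name, $mbx.ActiveSyncEnabled, $shouldBeEnabled

        if ($Apply) {
            Set-CASMailbox -Identity $mbx.DistinguishedName -ActiveSyncEnabled $shouldBeEnabled
        }
    }
}
```

Run it once without -Apply to review the list of changes, then schedule it with -Apply so that mailboxes created later (which Exchange enables for ActiveSync by default) are brought back in line with the group.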

Guy Lidbetter Commented:
Hi There,

If you want to disable activesync by default you can do this by using a scripting agent.

To do this:


Save the following as ScriptingAgentConfig.xml in %ExchangeInstall%\V14\Bin\CmdletExtensionAgents

<?xml version="1.0" encoding="utf-8" ?>
<Configuration version="1.0">
  <Feature Name="MailboxProvisioning" Cmdlets="enable-mailbox">
    <ApiCall Name="OnComplete">
      if($succeeded) {
        # Look up the mailbox just enabled and switch ActiveSync off
        $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Identity"]).distinguishedName
        Set-CASMailbox $user -ActiveSyncEnabled $false
      }
    </ApiCall>
  </Feature>
  <Feature Name="MailboxProvisioning" Cmdlets="new-mailbox">
    <ApiCall Name="OnComplete">
      if($succeeded) {
        # Look up the mailbox just created and switch ActiveSync off
        $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Name"]).distinguishedName
        Set-CASMailbox $user -ActiveSyncEnabled $false
      }
    </ApiCall>
  </Feature>
</Configuration>


Run Enable-CmdletExtensionAgent "Scripting Agent" in the Exchange Management Shell

Then by default, as soon as a user is created it will be disabled for ActiveSync. To stop this default behaviour just run Disable-CmdletExtensionAgent "Scripting Agent"
0
Sedgwick_County (Author) Commented:
I will probably use a combo of both with the scripts above and the ScriptingAgentConfig.  But when I try to do the Scripting Agent this is the error I receive:

Provisioning layer initialization failed: Scripting Agent initialization failed: Invalid configuration file C:\Program Files\Microsoft\Exchange Server\v14\Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml:  cannot find node xml.

I opened Notepad and copied the script to it.  Then saved it exactly as you said and placed it in the location on the Exchange Server.
0
Guy Lidbetter Commented:
OH! Sorry Sedgwick....

I forgot to mention you need to copy that file to EVERY Exchange server in the organization....
0
Guy Lidbetter Commented:
Hi Sedgwick...

Did you use the ScriptingAgentConfig by the way?
0