
Exchange 2010 ActiveSync & IIS

Sedgwick_County asked
We are setting up Exchange 2010 but want to limit down the users who can sync with ActiveSync with just an AD group. I have seen other solutions by using a PowerShell script but I would like to limit it down through IIS.

I have tried to set permissions on the security tab on the Microsoft-Server-ActiveSync site directory as read only and removed the authenticated users.  We then tested and the user could get through without being in the group.  So I changed the authentication from basic authentication to windows authentication and it fails for everyone.

Any help would be greatly appreciated!  Thanks!

Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
"but I would like to limit it down through IIS"
Making changes through IIS is not the recommended approach. If you are messing with IIS you can completely mess up Exchange or your virtual directories.

PowerShell is the correct way to do this.

You do not have to do this based on a group with users in it. You can do it based on OU or a CSV or Text file with Names in it. There are several ways to accomplish this but I would not recommend doing this via IIS.

P.S. If you want help with a script, let me know.

Will.

Author

Commented:
Could you give some different examples of how to fix it a different way? The issue is that Exchange puts users in ActiveSync enabled so we want that turned off. So any help with a script would be greatly appreciated if that is the proper way to do it.
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
Commented:
The default mailbox settings are built into Exchange and from the EMC when you create a new user it is enabled by default and you cannot change this.

If you want to disable this when creating new accounts you have to pipe the Set-Mailbox cmdlet to the end of the New-Mailbox command.

Now for Disabling ActiveSync for a single user
Set-CASMailbox -Identity <alias> -ActiveSyncEnabled $false



For multiple Users from a text file
# Each line of the text file is one mailbox identity (for example an alias)
$ASEnabled = Get-Content "c:\filename.txt"
ForEach ($user in $ASEnabled) {
    Set-CASMailbox -Identity $user -ActiveSyncEnabled $false
}


For Multiple Users from a CSV (construct csv like below...)
Email
johndoe@domain.com
mikesmith@domain.com
etc....

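# The CSV needs a header row named Email, as in the sample above
$ASEnabled = Import-Csv "c:\filename.csv"
ForEach ($user in $ASEnabled) {
    # Echo the address being processed
    $user.Email
    Set-CASMailbox -Identity $user.Email -ActiveSyncEnabled $False
}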



And if you want to do this from a Security Group follow the link below which will provide this in more detail.

https://vnetwise.wordpress.com/2013/03/14/howto-exchange-2010-activesync-group-enable-and-disable-powershell-scripting/

Will.
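
One way to do the security-group variant mentioned above, as an added example that is not part of the original answer or of the linked post: it reads the members of a single AD group and sets ActiveSyncEnabled on every mailbox to match. The group name ActiveSync-Allowed, the -Apply switch and the availability of the ActiveDirectory module in the Exchange Management Shell session are assumptions.

```powershell
# Added example: reconcile ActiveSync access against one AD security group.
# Assumptions (not from the thread): the group name is hypothetical and the
# ActiveDirectory module (RSAT) is installed where the Exchange Management
# Shell runs.
param(
    [string]$AllowedGroup = 'ActiveSync-Allowed',   # hypothetical group name
    [switch]$Apply                                  # without -Apply, report only
)

Import-Module ActiveDirectory

# Resolve nested membership to user DNs; the hashtable gives fast,
# case-insensitive lookups.
$allowed = @{}
Get-ADGroupMember -Identity $AllowedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $allowed[$_.distinguishedName] = $true }

# Guard against an empty or mistyped group silently disabling everyone.
if ($allowed.Count -eq 0) {
    throw "Group '$AllowedGroup' has no user members; refusing to continue."
}

foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
    $dn = [string]$mbx.DistinguishedName
    $shouldBeEnabled = $allowed.ContainsKey($dn)

    # Skip mailboxes whose setting already matches group membership.
    if ($mbx.ActiveSyncEnabled -eq $shouldBeEnabled) { continue }

    # Report every change that is (or would be) made.
    "{0}: ActiveSyncEnabled {1} -> {2}" -f $mbx.Name, $mbx.ActiveSyncEnabled, $shouldBeEnabled

    if ($Apply) {
        Set-CASMailbox -Identity $dn -ActiveSyncEnabled $shouldBeEnabled
    }
}
```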
Top Expert 2015

Commented:
Hi There,

If you want to disable ActiveSync by default you can do this by using a scripting agent.

To do this:


Save the following as ScriptingAgentConfig.xml in %ExchangeInstall%\V14\Bin\CmdletExtensionAgents

<?xml version="1.0" encoding="utf-8" ?>
<Configuration version="1.0">
  <!-- Runs after Enable-Mailbox completes -->
  <Feature Name="MailboxProvisioning" Cmdlets="enable-mailbox">
    <ApiCall Name="OnComplete">
      if($succeeded) {
        $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Identity"]).distinguishedName
        Set-CASMailbox $user -ActiveSyncEnabled $false
      }
    </ApiCall>
  </Feature>
  <!-- Runs after New-Mailbox completes -->
  <Feature Name="MailboxProvisioning" Cmdlets="new-mailbox">
    <ApiCall Name="OnComplete">
      if($succeeded) {
        $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Name"]).distinguishedName
        Set-CASMailbox $user -ActiveSyncEnabled $false
      }
    </ApiCall>
  </Feature>
</Configuration>



Run Enable-CmdletExtensionAgent "Scripting Agent" in the Exchange Management Shell

Then by default, as soon as a user is created it will be disabled for ActiveSync. To stop this default behaviour just run Disable-CmdletExtensionAgent "Scripting Agent"

Author

Commented:
I will probably use a combo of both with the scripts above and the ScriptingAgentConfig.  But when I try to do the Scripting Agent this is the error I receive:

Provisioning layer initialization failed: Scripting Agent initialization failed: Invalid configuration file C:\Program Files\Microsoft\Exchange Server\v14\Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml:  cannot find node xml.

I opened Notepad and copied the script to it.  Then saved it exactly as you said and placed it in the location on the Exchange Server.
Top Expert 2015

Commented:
OH! Sorry Sedgwick....

I forgot to mention you need to copy that file to EVERY Exchange server in the organization....
Top Expert 2015

Commented:
Hi Sedgwick...

Did you use the ScriptingAgentConfig by the way?