Sedgwick_County
asked on
Exchange 2010 ActiveSync & IIS
We are setting up Exchange 2010 but want to limit down the users who can sync with ActiveSync with just an AD group. I have seen other solutions by using a PowerShell script but I would like to limit it down through IIS.
I have tried to set permissions on the security tab on the Microsoft-Server-ActiveSync site directory as read only and removed the authenticated users. We then tested and the user could get through without being in the group. So I changed the authentication from basic authentication to windows authentication and it fails for everyone.
Any help would be greatly appreciated! Thanks!
ASKER
Could you give some different examples how to fix it a different way? The issue is that Exchange puts users in ActiveSync enabled so we want that turned off. So any help with a script would be greatly appreciated if that is the proper way to do it.
Hi There,
If you want to disable ActiveSync by default you can do this by using a scripting agent.
To do this:
Save the following as ScriptingAgentConfig.xml in %ExchangeInstall%\V14\Bin\CmdletExtensionAgents
<?xml version="1.0" encoding="utf-8" ?>
<Configuration version="1.0">
  <Feature Name="MailboxProvisioning" Cmdlets="enable-mailbox">
    <ApiCall Name="OnComplete">
      # Runs after Enable-Mailbox completes; turn ActiveSync off for the new mailbox.
      if($succeeded) {
        $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Identity"]).distinguishedName
        Set-CASMailbox $user -ActiveSyncEnabled $false
      }
    </ApiCall>
  </Feature>
  <Feature Name="MailboxProvisioning" Cmdlets="new-mailbox">
    <ApiCall Name="OnComplete">
      # Runs after New-Mailbox completes; the user is looked up by the Name parameter.
      if($succeeded) {
        $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Name"]).distinguishedName
        Set-CASMailbox $user -ActiveSyncEnabled $false
      }
    </ApiCall>
  </Feature>
</Configuration>
Run Enable-CmdletExtensionAgent "Scripting Agent" in the Exchange Management Shell
Then by default, as soon as a user is created it will be disabled for ActiveSync. To stop this default behaviour just run Disable-CmdletExtensionAgent "Scripting Agent"
ASKER
I will probably use a combo of both with the scripts above and the ScriptingAgentConfig. But when I try to do the Scripting Agent this is the error I receive:
Provisioning layer initialization failed: Scripting Agent initialization failed: Invalid configuration file C:\Program Files\Microsoft\Exchange Server\v14\Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml: cannot find node xml.
I opened Notepad and copied the script to it. Then saved it exactly as you said and placed it in the location on the Exchange Server.
OH! Sorry Sedgwick....
I forgot to mention you need to copy that file to EVERY exchange server in the organization....
Hi Sedgwick...
Did you use the ScriptingAgentConfig by the way?
PowerShell is the correct way to do this.
You do not have to do this based on a group with users in it. You can do it based on OU or a CSV or Text file with Names in it. There are several ways to accomplish this but I would not recommend doing this via IIS.
ps. if you want help with a script let me know.
Will.
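The group-based restriction discussed in this thread can be enforced by reconciling each mailbox's ActiveSyncEnabled setting against membership of one AD group. The script below is an added example, not code from any poster in the thread; the group name `ActiveSync-Allowed` is a placeholder, and it assumes the ActiveDirectory module is available in the Exchange Management Shell session.

```powershell
# Added example: reconcile ActiveSyncEnabled with membership of one AD group.
# Run in the Exchange Management Shell. Written to stay PowerShell 2.0 compatible.
$GroupName = 'ActiveSync-Allowed'   # hypothetical group name, replace with your own
$Apply     = $false                 # $false = report only, $true = change mailboxes

Import-Module ActiveDirectory       # assumption: the AD module (RSAT) is installed

# Collect the DNs of all user members, including members of nested groups.
# Hashtable keys are case-insensitive, which suits DN comparison.
$allowed = @{}
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $allowed[$_.distinguishedName] = $true }

# Refuse to continue on an empty group: applying it would disable everyone.
if ($allowed.Count -eq 0) {
    throw "Group '$GroupName' has no user members; nothing changed."
}

# Touch only mailboxes whose current setting differs from group membership.
$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $wanted = $allowed.ContainsKey($_.DistinguishedName)
    if ($_.ActiveSyncEnabled -ne $wanted) {
        if ($Apply) {
            Set-CASMailbox -Identity $_.DistinguishedName -ActiveSyncEnabled $wanted
        }
        New-Object PSObject -Property @{
            Mailbox = $_.Name
            Was     = $_.ActiveSyncEnabled
            Target  = $wanted
            Applied = $Apply
        }
    }
}

$report | Sort-Object Mailbox | Format-Table Mailbox, Was, Target, Applied -AutoSize
```

With the Scripting Agent enabled, new mailboxes start with ActiveSync disabled, and a scheduled run of this script with `$Apply = $true` turns it on only for users who have been added to the group.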