Disable Mailbox Features Except for Select Groups and OUs

Hello, I am weak in PowerShell and I am cleaning up a messy Exchange 2010 environment. Management wants OWA, IMAP, POP3, and ActiveSync disabled for all users in the domain. However, they want one security group of VIPs and another OU with many subfolders to have OWA and ActiveSync enabled. What I have so far would disable the features for all, then turn on the features for the select group and OUs. Is there a way to exclude the "ON" users from being disabled in the first place? Thank you.

Disables Features for all mailboxes.
Get-mailbox -OrganizationalUnit "DC=MyCompany,DC=com" | Set-CasMailbox -OWAEnabled $False
Get-mailbox -OrganizationalUnit "DC=MyCompany,DC=com" | Set-CasMailbox -ActiveSyncEnabled $False
Get-mailbox -OrganizationalUnit "DC=MyCompany,DC=com" | Set-CasMailbox -ImapEnabled $False
Get-mailbox -OrganizationalUnit "DC=MyCompany,DC=com" | Set-CasMailbox -PopEnabled $False

Enabled for users in the VipUsers users group.
Get-ADGroup -filter {name -like 'VipUsers'} | Get-ADGroupMember -Recursive | Get-ADUser -Properties MailNickName | select -ExpandProperty MailNickName | Set-CasMailbox -OWAEnabled $true
Get-ADGroup -filter {name -like 'VipUsers'} | Get-ADGroupMember -Recursive | Get-ADUser -Properties MailNickName | select -ExpandProperty MailNickName | Set-CasMailbox -ActiveSyncEnabled $true

Enabled for users in the TravelingUsers OU.
Get-mailbox -OrganizationalUnit "OU=TravelingUsers,OU=Users,DC=MyCompany,DC=com" | Set-CasMailbox -OWAEnabled $True
Get-mailbox -OrganizationalUnit "OU=TravelingUsers,OU=Users,DC=MyCompany,DC=com" | Set-CasMailbox -ActiveSyncEnabled $True

Jason Crawford (Transport Ninja) commented:
There are several ways to do this. Here's one:

Import-Module ActiveDirectory

# Collect the accounts that should keep OWA and ActiveSync
$vips = Get-ADGroup -Filter {name -like 'VIPUsers'} | Get-ADGroupMember -Recursive
$travelers = Get-Mailbox -OrganizationalUnit 'OU=TravelingUsers,OU=Users,DC=MyCompany,DC=com'

# Disable all four client access features on every mailbox
Get-Mailbox -ResultSize Unlimited | Set-CasMailbox -OWAEnabled $false -ActiveSyncEnabled $false -ImapEnabled $false -PopEnabled $false

# Re-enable OWA and ActiveSync for the VIP group members
foreach ($vip in $vips) {
    Set-CASMailbox $vip.samaccountname -OWAEnabled $true -ActiveSyncEnabled $true -WhatIf
}

# Re-enable OWA and ActiveSync for mailboxes in the TravelingUsers OU
foreach ($traveler in $travelers) {
    Set-CASMailbox $traveler.samaccountname -OWAEnabled $true -ActiveSyncEnabled $true -WhatIf
}


Note I added two -WhatIf properties in the foreach loops.  Remove them if you want to actually write the new values.

matt160 (Author) commented:
Thank you, it is much cleaner than what I had.
Jason Crawford (Transport Ninja) commented:
My pleasure.  Have a good one :)
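
An added example, not part of the original thread: one way to do what the question asks, building the exception set first so that exempt mailboxes are never disabled, then auditing the result. It reuses the thread's placeholder names (VipUsers, the TravelingUsers OU) and assumes the Exchange 2010 Management Shell with the ActiveDirectory module available; `$keep`, `$all` and `$drift` are names introduced here.

```powershell
Import-Module ActiveDirectory

# Exception set keyed by distinguished name (hashtable keys are case-insensitive).
$keep = @{}

# Members of the VIP group, nested groups expanded, user objects only.
Get-ADGroup -Filter {Name -eq 'VipUsers'} |
    Get-ADGroupMember -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $keep[$_.distinguishedName] = $true }

# Mailboxes in the TravelingUsers OU and every OU beneath it.
Get-Mailbox -OrganizationalUnit 'OU=TravelingUsers,OU=Users,DC=MyCompany,DC=com' -ResultSize Unlimited |
    ForEach-Object { $keep[$_.DistinguishedName] = $true }

# Collect all mailboxes first; calling Set-CASMailbox inside a live
# Get-Mailbox pipeline can fail in a remote Exchange 2010 session.
$all = @(Get-Mailbox -ResultSize Unlimited)

foreach ($mbx in $all) {
    # $true only for mailboxes in the exception set
    $allow = $keep.ContainsKey($mbx.DistinguishedName)

    # POP3 and IMAP4 go off for everyone; OWA and ActiveSync stay on
    # only for the exception set. Remove -WhatIf to write the values.
    Set-CASMailbox -Identity $mbx.DistinguishedName `
        -OWAEnabled $allow -ActiveSyncEnabled $allow `
        -ImapEnabled $false -PopEnabled $false -WhatIf
}

# Audit: list every mailbox whose settings differ from the policy.
# While -WhatIf is still in place, this is the list of mailboxes
# the loop above would change.
$drift = Get-CASMailbox -ResultSize Unlimited | Where-Object {
    $allow = $keep.ContainsKey($_.DistinguishedName)
    $_.PopEnabled -or $_.ImapEnabled -or
        ($_.OWAEnabled -ne $allow) -or ($_.ActiveSyncEnabled -ne $allow)
}
$drift | Select-Object Name, OWAEnabled, ActiveSyncEnabled, PopEnabled, ImapEnabled
```

Re-running the audit block on a schedule catches new mailboxes, which are created with these features enabled by default, and accounts that have since left the VIP group or the OU.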