• RSS
  • Twitter
  • FaceBook

Exchange Server Forums

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Powershell/EMS script to disable Active Sync on unauthorized users

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Microsoft Exchange 2007] >> Management >> Powershell/EMS script to disable Active Sync on unauthorized users Page: [1]
Login
Message << Older Topic   Newer Topic >>
Powershell/EMS script to disable Active Sync on unautho... - 3.Aug.2009 6:31:29 PM   
sbq

 

Posts: 21
Joined: 16.Jun.2008
Status: offline
I've got a problem, the company I work for has tens of thousands of user mailboxes, and hires up to several hundred people every day.  I need to find all users who do *not* have a specific Custom Attribute set to PDA-EAS but do have ActiveSyncEnabled set to $true, and then set ActiveSyncEnabled to $false on those users.  In Exchange 2003/Windows 2003 this was easy with a custom LDAP query in the ADUC:

(&(objectClass=user)(msExchHomeServerName=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!extensionAttribute15=PDA-EAS)(|(!msExchOmaAdminWirelessEnable=*)(msExchOmaAdminWirelessEnable=0)(msExchOmaAdminWirelessEnable=3)(msExchOmaAdminWirelessEnable=5)))

This saved query will find all enabled user objects with mailboxes that don't have CA15 set to PDA-EAS but do have ActiveSync enabled.  then you just select all and run the Exchange Tasks wizard.  Well, you can't do this anymore since the ADUC no longer has an ability to modify Exchange attributes in Exchange 2007.  I've been playing around with get-mailbox and get-CASmailbox and found that you can use get-mailbox to find all mailbox users who don't have CA15 set to PDA-EAS, but you can't use it to find out if ActiveSyncEnabled is set to $true.  On the other hand, you can use get-CASmailbox to find all users who have ActiveSyncEnabled set to $true, but you can't see any Custom Attributes with that command.  To make matters even worse, contrary to the design philosophy of Powershell, you *cannot* pipe the results of one of these commands into the other one, i.e. you can't do this:

get-mailbox -filter {CustomAttribute15 -ne 'PDA-EAS'} | get-CASmailbox -filter {ActiveSyncEnabled -eq $true}

So now I'm stuck trying to find a way to turn off ActiveSync for new hires that shouldn't have it turned on, without having to resort running a set-CASmailbox -ActiveSyncEnabled $false on tens of thousands of mailboxes every day that don't need it, just to catch the few hundred who do have it turned on that shouldn't.  Anyone got any ideas on how to easily do this?
Post #: 1
RE: Powershell/EMS script to disable Active Sync on una... - 4.Aug.2009 2:59:54 AM   
loreggiap

 

Posts: 19
Joined: 10.Mar.2009
Status: offline
Hi sbq

You could try this:
get-mailbox | where { $_.CustomAttribute15 -ne 'PDA-EAS'} | foreach { get-CASmailbox -id $_  | where { $_.ActiveSyncEnabled -eq $true } }
and to disable ActiveSync:
get-mailbox | where { $_.CustomAttribute15 -ne 'PDA-EAS'} | foreach { get-CASmailbox -id $_  | where { $_.ActiveSyncEnabled -eq $true }
| set-CASmailbox -ActiveSyncEnabled $false -whatif }
and if you execute it without -whatif, it would actually set it.

Ciao ... Pierangelo "Gigi" Loreggia

(in reply to sbq)
Post #: 2
RE: Powershell/EMS script to disable Active Sync on una... - 4.Aug.2009 11:45:58 AM   
sbq

 

Posts: 21
Joined: 16.Jun.2008
Status: offline
Ok, someone on the Microsoft Exchange 2007 newsgroups answered, and amazingly it's just a variation on what I had been trying:

Get-Mailbox -ResultSize Unlimited | Where{$_.CustomAttribute15 -ne "PDA-EAS"} | Get-CasMailbox -ResultSize Unlimited | Where{$_.ActiveSyncEnabled -eq $true} | Set-CasMailbox -ActiveSyncEnabled $False

This works, even though get-mailbox -filter {CustomAttribute15 -ne 'PDA-EAS'} | get-CASmailbox -filter {ActiveSyncEnabled -eq $true} doesn't.

EDIT: found out why that one doesn't work, if you use server side filtering (the -filter) then pipelining doesn't work.

< Message edited by sbq -- 4.Aug.2009 12:17:33 PM >

(in reply to sbq)
Post #: 3

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Microsoft Exchange 2007] >> Management >> Powershell/EMS script to disable Active Sync on unauthorized users Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts


Follow TechGenix on Twitter