Tuesday, February 16, 2010

Exchange 2007/2010 - Enable and Disable IMAP and POP with PowerShell

By default, POP and IMAP are enabled for users when they are mailbox-enabled in Exchange 2007. That is fine if you have a blanket restriction on POP and IMAP and can simply shut down the services on the Client Access Server. It is not so great if you need POP/IMAP for specific purposes such as monitoring or an application drop-box but, because of security concerns, want to restrict POP/IMAP for the general population.

Fortunately, Exchange 2007/2010 allows you to enable or disable most supported protocols on a per-user basis. This, combined with PowerShell's use of the native .NET libraries for managing Exchange, gives you great flexibility and ease when faced with configuring protocols on a per-user basis.

To start, create an Active Directory Group.  Add members to this group that are exceptions and will remain POP and IMAP enabled.  The code will parse the membership of this group and then execute some specific PowerShell cmdlets that will enact the appropriate setting.

First, we make an ADSI call to get the Exception Group. We also store the group's members in a variable.

$gmbr = [ADSI]"LDAP://cn=PopEnabled,OU=groups,DC=c8nl,DC=com" #Edit the Group Name Only
$mbr = $gmbr.member

Next, get each CAS Mailbox. Essentially, the Get-CASMailbox cmdlet will get all Exchange mailboxes and allow us to enumerate the CAS settings specific to Exchange mailboxes, i.e., protocols, OWA settings, etc. We'll loop through each returned object using ForEach-Object and compare its distinguished name against the DNs returned from the group membership call above. If there is a match, we call Set-CASMailbox with -PopEnabled and -ImapEnabled set to $true; otherwise, we set them to $false.

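# Walk every mailbox and set POP/IMAP according to exception-group membership
Get-CASMailbox -ResultSize unlimited | ForEach-Object {
    if ($mbr -contains $_.DistinguishedName) {
        # Member of the exception group: keep POP and IMAP enabled
        $_ | Set-CASMailbox -PopEnabled $true -ImapEnabled $true
    }
    else {
        # Everyone else: disable POP and IMAP
        $_ | Set-CASMailbox -PopEnabled $false -ImapEnabled $false
    }
}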
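Before or after applying the change, it helps to see which mailboxes do not match the exception group. The following report-only function is an added example, not code from the original post; the function names `Get-PopImapDrift` and `New-SampleMailbox`, and the sample DNs under `DC=example,DC=com`, are constructed for illustration.

```powershell
# Added example (not from the original post). Report-only: it changes nothing.
function Get-PopImapDrift {
    param(
        [object[]] $Mailbox,         # objects shaped like Get-CASMailbox output
        [string[]] $AllowedDN = @()  # DNs of the exception group's members
    )
    # Hashtable keys are case-insensitive, matching the post's -contains test.
    $allowed = @{}
    foreach ($dn in $AllowedDN) { $allowed[$dn] = $true }

    foreach ($m in $Mailbox) {
        # Exception-group members should have both protocols on, everyone else off.
        $expected = $allowed.ContainsKey([string]$m.DistinguishedName)
        if (($m.PopEnabled -ne $expected) -or ($m.ImapEnabled -ne $expected)) {
            New-Object PSObject -Property @{
                DistinguishedName = [string]$m.DistinguishedName
                PopEnabled        = $m.PopEnabled
                ImapEnabled       = $m.ImapEnabled
                Expected          = $expected
            }
        }
    }
}

# Constructed sample data so the function can be tried outside Exchange.
function New-SampleMailbox($dn, $pop, $imap) {
    New-Object PSObject -Property @{ DistinguishedName = $dn; PopEnabled = $pop; ImapEnabled = $imap }
}
$sample = @(
    (New-SampleMailbox 'CN=monitor,OU=svc,DC=example,DC=com' $true  $true),
    (New-SampleMailbox 'CN=alice,OU=staff,DC=example,DC=com' $true  $false),
    (New-SampleMailbox 'CN=bob,OU=staff,DC=example,DC=com'   $false $false),
    (New-SampleMailbox 'CN=dropbox,OU=svc,DC=example,DC=com' $false $true)
)
$allowedSample = @('cn=monitor,ou=svc,dc=example,dc=com',
                   'CN=dropbox,OU=svc,DC=example,DC=com')

Get-PopImapDrift -Mailbox $sample -AllowedDN $allowedSample |
    Select-Object DistinguishedName, PopEnabled, ImapEnabled, Expected

# In the Exchange Management Shell, with $mbr populated as shown earlier:
# Get-PopImapDrift -Mailbox (Get-CASMailbox -ResultSize unlimited) -AllowedDN $mbr
```

The group's member attribute lists direct members only, so users who belong to the exception group through a nested group are reported (and, by the loop above, treated) as non-exceptions.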

So that is a quick and handy way to use Active Directory groups to modify Exchange settings. There are several options for running this code. It can be done manually, as needed, or it can be scheduled using a cron job. Or if you really want to get fancy, you could run this as a Windows Service. A future blog will focus on that method. Until then.

D.
