Is there any way to have new users created with the Exchange features (other than MAPI and OWA) disabled by default so that we can enable them only on accounts where they are needed. I realize that be default these are all enabled. I also realize I can have a powershell script go through and disable all but the accounts we want to be enabled, but I was hoping there was a way that we could make this the default setting for all newly created users. Otherwise we need to keep a living script that gets modified every time weadd a new user in which case we could just as well go in and manually disable these featuers in EMC. Any ideas or thoughts are appreciated. Thanks!

No way to set this globally as a default to disabled.

Hello, Yes agree with John, there isnt any way to make those disable by default for new users and you need to stick with the powershell script schedule. You may refer below thread for scheduling a script to disable those everynight for new users. http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3811652&SiteID=17

Thanks for the info. In this case can the powershell script compare or use a group in AD rather than an OU for determining who should have the feature enabled? Then I could just have our helpdesk put people in a group called POP Enabled or Outlook Anywhere Enabled?

Yes exactly, you can filter your query with -Filter parameter and with MemberOfGroup filter (you need to give DN of group to get it filtered). Filterable Properties for the -Filter Parameter in Exchange 2007 SP1 http://technet.microsoft.com/en-us/library/bb738155(EXCHG.80).aspx Then let helpdesk people add/remove users from the DL based on the requirement of any feature and inform that it will be affected at the time when you havescheduled the script.

So I think I figured it out with your help.. Please let me know if the following makes sense... What I will do is begin by creating a group for POP3 USERS. I will add all users that I want to allow to use POP3 to this group. Then once I have the group populated, intially I will disable everyone for POP3 by running this code: Add-PSSnapin Microsoft.Exchange.Management.PowerShell.AdminGet-Mailbox -Server "ServerName" | Set-CASMailbox -POPEnabled $false Then I will enable individuals for POP3 based on group membership to the POP3 USERS group by running this code: Add-PSSnapin Microsoft.Exchange.Management.PowerShell.AdminGet-User -Filter {MemberOfGroup -eq "cn=POP3 USERS,ou=xxx,ou=xxx,,dc=domain,dc=local"} | Set-CASMailbox -POPEnabled $True Then after that, each night I will run the script that disables POP3 for all users added within the last day and follow that up with the script that enables users for POP3 based on whether or not they are in the group POP3 USERS. This way I do not remove access from new users thatmay need to have POP3 enabled. Add-PSSnapin Microsoft.Exchange.Management.PowerShell.AdminGet-User -ResultSize Unlimited | Where {($_.WhenCreated -gt (get-date).adddays(-1))} | Set-CASMailbox -POPEnabled $false Get-User -Filter {MemberOfGroup -eq "cn=POP3 USERS,ou=xxx,ou=xxx,,dc=domain,dc=local"} | Set-CASMailbox -POPEnabled $True I think this will work. I have two questions. One, do Ineed to use single or double quotes around the CN for the group? Two, I noticed in the other examples you specified the version of Outlook in your filter. Was there a reason for that? Thanks and hope this helps others out there (if it is right).

Hello, I just tested and both (single& double quote) worked for me so it doesn't matter. I added exchange version in my example because it separate Exchange 2007 user mailboxes in coexistence mode and doesnt touch Exchange 2003 mailboxes. Please use Get-Mailbox instead of Get-User so it will not touch all other non-mailbox users. I used it in the command to find the users which are created in last one day because WhenCreate property is only available with get-user. While filtering with memberofgroup property you can use Get-Mailbox. So your final script would be like this Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin Get-User -ResultSize Unlimited | Where {($_.WhenCreated -gt (get-date).adddays(-1))} | Set-CASMailbox -POPEnabled $false Get-Mailbox -Filter {MemberOfGroup -eq "cn=POP3 USERS,ou=xxx,ou=xxx,,dc=domain,dc=local"} | Set-CASMailbox -POPEnabled $True Supplement: Q: What happen if you want to disable pop feature in future by just removing the person from the PopEnabled group. A: Add this line in the script. This will search the mailboxes which is not member of PopEnabled group but still POP feature is enabled and disable this feature. Get-Mailbox -Filter {MemberOfGroup -ne "cn=POP3 USERS,ou=xxx,ou=xxx,,dc=domain,dc=local"} | Get-CASMailbox | Where{$_.POPEnabled eq $true } | Set-CASMailbox -POPEnabled $false Hope this helps ...

This looks like exactly what I want to do. Too bad there isn't just a way to have these features disabled by default, but since they aren't this is a good way to do it. Thanks much for your help!

After working with this a bit I tried to add back in the part that selects on the version of Exchange mailbox of -like '0.1*' and even though I have many mailboxes on Exchange 2007 they don't list out. Even if I run Get-Mailbox -WhereObject {($_.ExchangeVersion -like '0.1*')} I get no results. I was going to add it into all three of the entries above so I'm not affecting our Exchange 2003 clients in any way. Sorry for the follow-up question. The rest works great. Thanks

Ok, let me just create a syntax for you. Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin Get-User -ResultSize Unlimited | Where {($_.WhenCreated -gt (get-date).adddays(-1))} | Set-CASMailbox -POPEnabled $false Get-Mailbox -ResultSize Unlimited -Filter {MemberOfGroup -eq "cn=POP3 USERS,ou=xxx,ou=xxx,,dc=domain,dc=local"} | Where {$_.ExchangeVersion like 0.1*} | Set-CASMailbox -POPEnabled $True Get-Mailbox -ResultSize Unlimited -Filter {MemberOfGroup -ne "cn=POP3 USERS,ou=xxx,ou=xxx,,dc=domain,dc=local"} | Where {$_.ExchangeVersion like 0.1*} | Get-CASMailbox | Where{$_.POPEnabled eq $true } | Set-CASMailbox -POPEnabled $false Try these...