LDAP query for Active Sync users
Is there a way to create an LDAP query that returns all ActiveSync users in Exchange 2007? I know that I can use PowerShell, but in my web project that will be a problem for various reasons.
January 11th, 2010 6:05pm

Of course you can... just look for the appropriate attribute that is set when a user has AS enabled... you can compare a user with AS enabled and one with AS disabled in ADSI Edit to find the attribute. Hope this helps.

Capecol
MCSA - MCTS Exchange Server 2007 - 2010
January 11th, 2010 7:02pm

I don't think LDAP will give you the information you really want. There are six ActiveSync related attributes:

msExchMobileAllowedDeviceIDs
msExchMobileBlockedDeviceIDs
msExchMobileDebugLogging
msExchMobileMailboxFlags
msExchMobileMailboxPolicyLink
msExchMobileSettings

msExchMobileMailboxFlags will be 0 if the user has ActiveSync disabled and 1 if it is enabled. However, this doesn't mean they are using ActiveSync - it only means that it is set as enabled on their account. msExchMobileMailboxPolicyLink is somewhat more useful, as its value is the DN of the ActiveSync policy applied to their account, if any.

Since you are doing a web project and don't want to worry about PowerShell voodoo, I would recommend you use Exchange Web Services to get the information you are after.
January 11th, 2010 7:24pm

Hi again. I only need to know who has ActiveSync enabled, not who uses it. I tried querying for msExchMobileMailboxFlags=1 but it doesn't return all users with ActiveSync... Sure, I could use Exchange Web Services, but I'd much rather use an LDAP query if possible.
January 14th, 2010 11:31am

I did some more digging on this (a lot more, actually) and discovered the following:

The ActiveSyncEnabled property correlates to a bit flag stored in the MobileFeaturesEnabled attribute, which is the msExchOmaAdminWirelessEnable attribute in LDAP. It's the third least significant bit of the property. If the property is null, ActiveSyncEnabled is true.

So, to determine via LDAP if ActiveSync is enabled for a user, query the msExchOmaAdminWirelessEnable attribute. If it is null, ActiveSync is enabled. If it is not null, compute (msExchOmaAdminWirelessEnable & 4L) != 0. If this is true, ActiveSync is enabled. Otherwise ActiveSync is disabled.

I'm pretty sure this is correct; it matches the results in my environment.
January 16th, 2010 1:30am

On Fri, 15-Jan-10 22:30:48 GMT, Neil Frick wrote:

> So, to determine via LDAP if ActiveSync is enabled for a user, query the msExchOmaAdminWirelessEnable attribute. If it is null, ActiveSync is enabled. If it is not null, compute (msExchOmaAdminWirelessEnable & 4L) != 0. If this is true, ActiveSync is enabled. Otherwise ActiveSync is disabled.

You can do a bit-wise LDAP query using this syntax:

(msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4)

The two interesting OIDs for this are:

1.2.840.113556.1.4.803 = bit-wise AND
1.2.840.113556.1.4.804 = bit-wise OR

http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx

---
Rich Matheisen
MCSE+I, Exchange MVP
January 16th, 2010 6:29am

> If it is not null, compute (msExchOmaAdminWirelessEnable & 4L) != 0.

Thanks for all your help! Not sure what you mean by "(msExchOmaAdminWirelessEnable & 4L) != 0". What is 4L?
January 18th, 2010 11:08am

> You can do a bit-wise LDAP query using this syntax:
> (msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4)

Could you be a little more specific? Is "(msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4)" the only query I need to do?
January 18th, 2010 11:10am

On Mon, 18-Jan-10 08:10:36 GMT, Pezmannen wrote:

> Could you be a little more specific? Is "(msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4)" the only query I need to do?

It is if you don't want any other criteria.

---
Rich Matheisen
MCSE+I, Exchange MVP
January 18th, 2010 4:30pm

> Not sure what you mean by "(msExchOmaAdminWirelessEnable & 4L) != 0". What is 4L?

Hi, Rich's suggestion is the way to go. I forgot there are OIDs for bitwise operators in LDAP. Good stuff!
January 19th, 2010 3:59am

> It is if you don't want any other criteria.

Sorry for being a bit slow here :) It would be nice to understand what I'm doing, though. Why does (msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4) return all ActiveSync accounts? What does "4" mean?
January 19th, 2010 11:45am

On Mon, 18-Jan-10 08:10:36 GMT, Pezmannen wrote:

> Sorry for being a bit slow here :) It would be nice to understand what I'm doing, though. Why does (msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4) return all ActiveSync accounts? What does "4" mean?

The 4 represents the bit in the msExchOmaAdminWirelessEnable attribute that indicates whether ActiveSync is disabled. So, for a person who has this disabled, the field in binary will look something like ...000100. 100 in binary is 4. If the person has ActiveSync enabled, this bit will be zero (or the entire attribute will not be populated), and the field will look something like ...000000. The LDAP syntax that Rich gave just checks whether the bit that represents ActiveSync status is set or not set.
January 19th, 2010 6:51pm

On Tue, 19-Jan-10 08:45:44 GMT, Pezmannen wrote:

> Why does (msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4) return all ActiveSync accounts? What does "4" mean?

Sorry for not checking if the suggested LDAP query was correct (it's not). The method of doing bit-wise operations was correct, though.

If you want to find all the AD objects that are ALLOWED to use ActiveSync the query should be something like this:

(&(objectClass=User)(objectCategory=Person)(mailNickname=*)(!cn=SystemMailbox{*)(|(!msExchOmaAdminWirelessEnable=*)(&(msExchOmaAdminWirelessEnable=*)(!msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4))))

The query says:

1. What you're looking for are mailboxes belonging to people
2. You don't want the "SystemMailbox{*" mailboxes
3. If the msExchOmaAdminWirelessEnable attribute is NOT present then all the wireless features are enabled -- you want this object
4. If the msExchOmaAdminWirelessEnable attribute is present AND bit 3 (counting from the right and starting from 1) is NOT a 1 -- you want this object

The msExchOmaAdminWirelessEnable property breaks down this way:

0 = All Enabled
1 = Up-to-date Notifications not allowed
2 = OMA not allowed
4 = User Initiated Synchronization (ActiveSync) not allowed
5 = User Initiated Synchronization & Up-to-date Notifications not allowed

If a bit is "1" the feature is DISabled, so you have to check for a zero instead of a 1.

---
Rich Matheisen
MCSE+I, Exchange MVP
January 20th, 2010 6:40am
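Rich's corrected filter and the two matching-rule OIDs he gives above are easy to get backwards (the first query in this thread did exactly that), so here is an added example of my own, not code from anyone in this thread. It emulates the 1.2.840.113556.1.4.803 (AND) and 1.2.840.113556.1.4.804 (OR) matching rules in Python, applies the corrected "absent means enabled, bit 4 set means disabled" logic to a few constructed sample entries, shows which of them the first, inverted query would have returned, and builds the filter string both in full and in the form for an ADUC custom search. The sample users, the helper function names and the RFC 4515 `(!(...))` spelling of the NOT clauses are my assumptions, not something from the posts; a real web app would hand the filter string to its LDAP client instead of calling these predicates.

```python
"""Added example (not from the thread): emulate Active Directory's bitwise
matching rules offline, decode msExchOmaAdminWirelessEnable the way Rich
Matheisen's corrected post describes, and build the filter string.
Assumptions, mine rather than the posters': the sample entries below are
constructed dicts standing in for AD search results."""

# Matching-rule OIDs quoted in the thread.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Bits of msExchOmaAdminWirelessEnable from Rich's breakdown. A SET bit means
# the feature is DISABLED; an absent attribute means everything is allowed.
FEATURE_BITS = {
    1: "Up-to-date Notifications",
    2: "OMA",
    4: "User Initiated Synchronization (ActiveSync)",
}
ACTIVESYNC_DISABLED = 4


def bitwise_match(value, rule_oid, mask):
    """Emulate the extensible filter (attr:<rule_oid>:=mask) on one integer.
    803 (AND) is true only if every bit of mask is set in value;
    804 (OR) is true if any bit of mask is set in value."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (value & mask) == mask
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return (value & mask) != 0
    raise ValueError(f"unsupported matching rule {rule_oid}")


def disabled_features(value):
    """Names of the features a stored value turns off (empty for 0)."""
    return [name for bit, name in FEATURE_BITS.items()
            if bitwise_match(value, LDAP_MATCHING_RULE_BIT_AND, bit)]


def activesync_enabled(entry):
    """Corrected test from the thread: attribute absent means enabled;
    present means enabled only when the 4 bit is clear."""
    value = entry.get("msExchOmaAdminWirelessEnable")
    if value is None:
        return True
    return not bitwise_match(value, LDAP_MATCHING_RULE_BIT_AND, ACTIVESYNC_DISABLED)


def is_user_mailbox(entry):
    """Scoping clauses of Rich's filter: a mail-enabled user object that is
    not one of the SystemMailbox{...} objects."""
    return ("user" in {c.lower() for c in entry.get("objectClass", ())}
            and entry.get("objectCategory") == "Person"
            and bool(entry.get("mailNickname"))
            and not entry.get("cn", "").startswith("SystemMailbox{"))


def activesync_users(entries):
    """cn of every entry the corrected filter would return."""
    return [e["cn"] for e in entries if is_user_mailbox(e) and activesync_enabled(e)]


def first_attempt_matches(entries):
    """cn of every entry matched by the thread's first query
    (msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4): exactly the
    users with ActiveSync DISABLED, which is why that query looked wrong."""
    return [e["cn"] for e in entries
            if e.get("msExchOmaAdminWirelessEnable") is not None
            and bitwise_match(e["msExchOmaAdminWirelessEnable"],
                              LDAP_MATCHING_RULE_BIT_AND, ACTIVESYNC_DISABLED)]


def activesync_enabled_filter(outer_and=True):
    """Build the corrected filter. RFC 4515 requires NOT to wrap a filter, so
    this writes (!(cn=...)) instead of the (!cn=...) shorthand AD also accepts.
    outer_and=False returns the form for an ADUC custom search, which adds
    the (& ... ) wrapper itself, as the thread found."""
    terms = (
        "(objectClass=User)"
        "(objectCategory=Person)"
        "(mailNickname=*)"
        "(!(cn=SystemMailbox{*))"
        "(|(!(msExchOmaAdminWirelessEnable=*))"
        "(&(msExchOmaAdminWirelessEnable=*)"
        f"(!(msExchOmaAdminWirelessEnable:{LDAP_MATCHING_RULE_BIT_AND}:=4))))"
    )
    return f"(&{terms})" if outer_and else terms


def _mailbox(cn, **attrs):
    """Constructed sample entry shaped like an AD user search result."""
    return {"cn": cn, "objectClass": ["top", "person", "organizationalPerson", "user"],
            "objectCategory": "Person", "mailNickname": cn.lower(), **attrs}


# Constructed sample directory, not real data.
SAMPLE_ENTRIES = [
    _mailbox("Alice"),                                   # attribute absent: all allowed
    _mailbox("Bob", msExchOmaAdminWirelessEnable=4),     # ActiveSync blocked
    _mailbox("Carol", msExchOmaAdminWirelessEnable=3),   # OMA + UTD blocked, ActiveSync allowed
    _mailbox("Dave", msExchOmaAdminWirelessEnable=5),    # ActiveSync + UTD blocked
    _mailbox("Erin", msExchOmaAdminWirelessEnable=0),    # explicitly all allowed
    _mailbox("SystemMailbox{constructed-guid}"),         # excluded by the cn clause
]

if __name__ == "__main__":
    print("corrected filter:", activesync_enabled_filter())
    print("ActiveSync allowed:", activesync_users(SAMPLE_ENTRIES))
    print("first attempt returned:", first_attempt_matches(SAMPLE_ENTRIES))
```

Running it lists Alice, Carol and Erin as allowed (Carol has OMA and notifications turned off but the 4 bit clear) and shows that the first query would have returned Bob and Dave, the two users with ActiveSync disabled. Note that the attribute value 7 means all three features are blocked, so a value like 5 or 6 still needs the bitwise test rather than an equality test against 4.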

> If you want to find all the AD objects that are ALLOWED to use ActiveSync the query should be something like this:
> (&(objectClass=User)(objectCategory=Person)(mailNickname=*)(!cn=SystemMailbox{*)(|(!msExchOmaAdminWirelessEnable=*)(&(msExchOmaAdminWirelessEnable=*)(!msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4))))

Hi again. It still doesn't work, but I think we are getting close :) It returns at least one user that has Exchange ActiveSync set to disabled.
January 21st, 2010 10:57am

Sorry, it seems to work just fine! The problem was that when I pasted the query into the Active Directory Users and Computers tool it added (&( by itself. So, when creating a custom search, paste this...

(objectClass=User)(objectCategory=Person)(mailNickname=*)(!cn=SystemMailbox{*)(|(!msExchOmaAdminWirelessEnable=*)(&(msExchOmaAdminWirelessEnable=*)(!msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4)))

...and it will display the correct users.
January 21st, 2010 11:59am

My experience has been that it is not only significant to look at disabled and enabled ActiveSync users, as there are varying states of "Enabled" within the msExchOmaAdminWirelessEnable attribute. The msExchOmaAdminWirelessEnable values are as follows (x = feature allowed):

Value   OMA   User Initiated Synchronization   Up-to-date notification
0       x     x                                x
1       x     x
2             x                                x
3             x
4       x                                      x
5       x
6                                              x
7

References:
http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1179958,00.html
http://technet.microsoft.com/en-us/library/cc182235.aspx

I am having trouble verifying this works for Exchange 2007, however. It works for prior versions.
February 4th, 2011 4:46pm

