Powershell/EMS script to disable Active Sync on unauthorized users
I've got a problem, the company I work for has tens of thousands of user mailboxes, and hires up to several hundred people every day. I need to find all users who do *not* have a specific Custom Attribute set to PDA-EAS but do have ActiveSyncEnabled set to $true, and then set ActiveSyncEnabled to $false on those users. In Exchange 2003/Windows 2003 this was easy with a custom LDAP query in the ADUC: (&(objectClass=user)(msExchHomeServerName=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!extensionAttribute15=PDA-EAS)(|(!msExchOmaAdminWirelessEnable=*)(msExchOmaAdminWirelessEnable=0)(msExchOmaAdminWirelessEnable=3)(msExchOmaAdminWirelessEnable=5))) This saved query will find all enabled user objects with mailboxes that don't have CA15 set to PDA-EAS but do have ActiveSync enabled. then you just select all and run the Exchange Tasks wizard. Well, you can't do this anymore since the ADUC no longer has an ability to modify Exchange attributes in Exchange 2007. I've been playing around with get-mailbox and get-CASmailbox and found that you can use get-mailbox to find all mailbox users who don't have CA15 set to PDA-EAS, but you can't use it to find out if ActiveSyncEnabled is set to $true. On the other hand, you can use get-CASmailbox to find all users who have ActiveSyncEnabled set to $true, but you can't see any Custom Attributes with that command. To make matters even worse, contrary to the design philosophy of Powershell, you *cannot* pipe the results of one of these commands into the other one, i.e. you can't do this: get-mailbox -filter {CustomAttribute15 -ne 'PDA-EAS'} | get-CASmailbox -filter {ActiveSyncEnabled -eq $true} So now I'm stuck trying to find a way to turn off ActiveSync for new hires that shouldn't have it turned on, without having to resort running a set-CASmailbox -ActiveSyncEnabled $false on tens of thousands of mailboxes every day that don't need it, just to catch the few hundred who do have it turned on that shouldn't. Anyone got any ideas on how to easily do this?
August 4th, 2009 1:30am

Would you like trying this cmdlet?... :) Get-Mailbox -ResultSize Unlimited | Where{$_.CustomAttribute15 -ne "PDA-EAS"} | Get-CasMailbox -ResultSize Unlimited | Where{$_.ActiveSyncEnabled -eq $true} | Set-CasMailbox -ActiveSyncEnabled $False First where clause filters the mailboxes which are not having customattribute15 "PDA-EAS", second where clause filters the result of get-mailbox cmdlet with ActiveSync enabled mailboxes and set-casmailbox cmdlet disable the active sync for the filtered AS enabled users with CA15 not having PDA-EAS value... Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
Free Windows Admin Tool Kit Click here and download it now
August 4th, 2009 6:20am

Would you like trying this cmdlet?... :) Get-Mailbox -ResultSize Unlimited | Where{$_.CustomAttribute15 -ne "PDA-EAS"} | Get-CasMailbox -ResultSize Unlimited | Where{$_.ActiveSyncEnabled -eq $true} | Set-CasMailbox -ActiveSyncEnabled $False First where clause filters the mailboxes which are not having customattribute15 "PDA-EAS", second where clause filters the result of get-mailbox cmdlet with ActiveSync enabled mailboxes and set-casmailbox cmdlet disable the active sync for the filtered AS enabled users with CA15 not having PDA-EAS value... Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com That worked! Why did that work but get-mailbox -filter {CustomAttribute15 -ne 'PDA-EAS'} | get-CASmailbox -filter {ActiveSyncEnabled -eq $true} not work? When I run that one I get the following error on each object it finds:Get-CASMailbox : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
August 4th, 2009 6:36pm

AFAIK pipeline input doesn't work with server side filtering (-Filter parameter) cmdlet and need to go for client side filtering (with Where clause)...Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
Free Windows Admin Tool Kit Click here and download it now
August 4th, 2009 6:57pm

Hello all, that works great for exch2010 users, but what about when you're in mixed mode. The script wont work for exch 2003 users ... Any idea of what ps script we courld use for exch 2003 users. Thanks
September 2nd, 2011 11:33am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics