Hello, Please could someone help me. We would like to disable ActiveSync on all mailboxes except for users which are members of a security group "ActiveSync Allowed". I have had some success by scheduling powershell script to run on a daily basis to disable activesync for any users which may have been added/enabled during the previous day. I have managed to get this working by scheduleding the following:Get-User -ResultSize Unlimited | Where {($_.WhenCreated -gt (get-date).adddays(-1))} | Set-CASMailbox –ActiveSyncEnabled $falseHowever I would like this to exclude a number of users. These users are a member of a security group "ActiveSync Allowed" Is it possible to somehow get all users in the Exchange 2007 environment but exclude members of this group from the above powershell? Alternativley any other methods would be welcome.Many ThanksMark

On Tue, 19-Jan-10 22:40:22 GMT, dmxop11 wrote:>Hello, Please could someone help me. We would like to disable ActiveSync on all mailboxes except for users which are members of a security group "ActiveSync Allowed". I have had some success by scheduling powershell script to run on a daily basis to disable activesync for any users which may have been added/enabled during the previous day. I have managed to get this working by scheduleding the following:Get-User -ResultSize Unlimited | Where {($_.WhenCreated -gt (get-date).adddays(-1))} | Set-CASMailbox ?ActiveSyncEnabled $falseHowever I would like this to exclude a number of users. These users are a member of a security group "ActiveSync Allowed" Is it possible to somehow get all users in the Exchange 2007 environment but exclude members of this group from the above powershell? Alternativley any other methods would be welcome.Many ThanksMark Try this:$m = Get-DistributionGroupMember "Group-Name";get-mailbox -resultsizeunlimited | where {$m -notcontains $_.name} | set-casmailbox etc.What this WON'T do is to enable ActiveSync for the members of thegroup.---Rich MatheisenMCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

On Tue, 19-Jan-10 22:40:22 GMT, dmxop11 wrote:>Hello, Please could someone help me. We would like to disable ActiveSync on all mailboxes except for users which are members of a security group "ActiveSync Allowed". I have had some success by scheduling powershell script to run on a daily basis to disable activesync for any users which may have been added/enabled during the previous day. I have managed to get this working by scheduleding the following:Get-User -ResultSize Unlimited | Where {($_.WhenCreated -gt (get-date).adddays(-1))} | Set-CASMailbox ?ActiveSyncEnabled $falseHowever I would like this to exclude a number of users. These users are a member of a security group "ActiveSync Allowed" Is it possible to somehow get all users in the Exchange 2007 environment but exclude members of this group from the above powershell? Alternativley any other methods would be welcome.Many ThanksMark Try this:$m = Get-DistributionGroupMember "Group-Name";get-mailbox -resultsizeunlimited | where {$m -notcontains $_.name} | set-casmailbox etc.What this WON'T do is to enable ActiveSync for the members of thegroup.---Rich MatheisenMCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

This should work for enabling your group of allowed ActiveSync users. Save the commands in a text file with the extension .PS1 and run the script from a PowerShell command line, such as: [PS] C:\Scripts>.\allow-activesync.ps1 --------------- SCRIPT ------------- # Clear screen (used for testing purposes) Clear-Host # Assign all members of the DG to the dynamic array $allMembers = Get-DistributionGroupMember -Identity ' ActiveSync Allowed' # Loop through the array foreach ($member in $allMembers) { # Set ActiveSync for each member of the array $member | Set-CASMailbox –ActiveSyncEnabled $true # Remove the # sign in front of the Get-CASMailbox statement for status information # Get-CASMailbox $member.Name | Select-Object Name, ActiveSyncEnabled } MCTS: Messaging | MCSE: S+M | Small Business Specialist

Question: Would these need to be 2 separate scripts? Or is it possible to disable activesync global and only need to run the script to enable AS based on group membership? Thanks, Matt

Question: Would these need to be 2 separate scripts? Or is it possible to disable activesync global and only need to run the script to enable AS based on group membership? Thanks, Matt

I'm also looking for the same sort of script. Sort of an If part of the "ActiveSync Allowed" group, then enable activesync Else Disable ActiveSync Thanks, Ryan

I'm also looking for the same sort of script. Sort of an If part of the "ActiveSync Allowed" group, then enable activesync Else Disable ActiveSync Thanks, Ryan

Has anyone run this script? How has it worked for you? I'm curious if this script has to be run after a new account is created? I'd like to find a way that new accounts are by default set to activesync disabled and only someone manually allowing activesync, either by group membership or manually enabling AS, have AS capabilities. Does this script need to be run after a new account is created or does it change the default status of activesync to disabled for all new accounts created? Thanks, Mike

Has anyone run this script? How has it worked for you? I'm curious if this script has to be run after a new account is created? I'd like to find a way that new accounts are by default set to activesync disabled and only someone manually allowing activesync, either by group membership or manually enabling AS, have AS capabilities. Does this script need to be run after a new account is created or does it change the default status of activesync to disabled for all new accounts created? Thanks, Mike

We're also trying to take the approach of having a group of folks who are allowed to use ActiveSync with Exchange 2010, and scripting the synchronization of the ActiveSyncEnabled mailbox setting. Here's what works for me: $mailboxes = Get-CASMailbox -resultSize unlimited $asusers = Get-DistributionGroupMember -Identity 'ActiveSync Allowed' $asguids = @() foreach ($user in $asusers) { $asguids += $user.GUID } foreach ($mailbox in $mailboxes) { if ($asguids -contains $mailbox.GUID ) { if ($mailbox.ActiveSyncEnabled -ne $true) { $mailbox | Set-CASMailbox -ActiveSyncEnabled $true echo "$mailbox is enabled" } } else { if ($mailbox.ActiveSyncEnabled -ne $false) { $mailbox | Set-CASMailbox -ActiveSyncEnabled $false echo "$mailbox is disabled" } } }

That's an excellent script, Rob Bray. I made some modifications to it to make it much faster in a very large environment as it only gets mailboxes that have ActiveSyncEnabled. It'll also supports nested groups in your ActiveSync Allowed group. It is a little less universal though and requires that you import the Active Directory add on to use the Get-ADUser commandlet. $mailboxes = Get-CASMailbox -Filter {ActiveSyncEnabled -eq $true} -ResultSize Unlimited $asusers = Get-ADUser -ResultSetSize 2147483647 -Filter {(enabled -eq $true) -and (msExchMailboxGUID -like "*") -and (memberOf -RecursiveMatch "Distinguished Name of group")} -Properties mailNickname # Find mailboxes that have ActiveSync enabled but aren't a member of the group $asguids = @() foreach ($user in $asusers) { $asguids += $user.ObjectGUID } foreach ($mailbox in $mailboxes) { if ($asguids -notcontains $mailbox.GUID ) { $mailbox | Set-CASMailbox -ActiveSyncEnabled $false Write-Host "$mailbox is disabled" } } # Find mailboxes that have ActiveSync disabled, but are a member of the group. $mailguids = @() foreach ($mailbox in $mailboxes) { $mailguids += $mailbox.GUID } foreach ($user in $asusers) { if ($mailguids -notcontains $user.ObjectGUID ) { Set-CASMailbox -Identity $user.mailNickname -ActiveSyncEnabled $true Write-Host "$($user.Name) is enabled" } }

Hi All, Thanks for the info, i'm also just needed this script. I also have neen asked to get report for All enabaled AS users thats not member of "A" Group. Tried this from the script above: $mailboxes = Get-CASMailbox -Filter {ActiveSyncEnabled -eq $true} -ResultSize Unlimited $asusers = Get-ADUser -ResultSetSize 2147483647 -Filter {(enabled -eq $true) -and (msExchMailboxGUID -like "*") -and (memberOf -RecursiveMatch "xxx")} -Properties mailNickname $asguids = @() foreach ($user in $asusers) { $asguids += $user.name -- i get lines with names and not order rows -- how can i get it to SCV file?

Hello Rob - Just wanted to say Thank you for the above script. It worked out perfectly for me. -Craig