Administering Microsoft Exchange Client Access Attributes with PowerShell

Often an IDM solution's connector does not have the ability to fully meet a client's disablement requirements when it comes to Microsoft Exchange. An example is the education industry, where the requirement calls for the Active Directory account to be moved into a holding organizational unit yet left enabled, to accommodate the annual influx of rehires, i.e. returning school staff. In cases such as this, the client requires that the AD account be moved to the disabled OU and that client access to the user's mailbox be restricted: ActiveSync for mobile synchronization, Outlook Web Access, and the POP, IMAP and MAPI protocols all need to be disabled. These attributes are often not open for change via the IDM solution connector, so an enabled account with a fully reachable mailbox is left behind.

Enter Microsoft PowerShell. PowerShell scripts can be leveraged to change the Exchange account attributes and close the security loopholes created during the de-provisioning process.

In this example, we will utilize a PowerShell script (placed on the on-premises Exchange server) to search for Exchange accounts whose Active Directory account is in a specific organizational unit in the domain, loop through each mailbox found in the OU, and set the OWAEnabled, POPEnabled, IMAPEnabled, MAPIEnabled and ActiveSyncEnabled attributes to false. We will also write verbose messages to a log file to capture the actions of the PowerShell script.

Note: The script must be executed by an account with the proper rights to make changes to Exchange accounts or the cmdlets will fail.

The first step in the script is to load the Exchange snap-in that provides the cmdlets used to modify the Exchange account attributes. The snap-in name below is the Exchange 2007 one; later versions ship the same cmdlets under a differently named snap-in (Microsoft.Exchange.Management.PowerShell.E2010 for Exchange 2010, Microsoft.Exchange.Management.PowerShell.SnapIn for Exchange 2013 and later), so check the output of Get-PSSnapin -Registered on your server and use the matching name.

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

The second step is to create a variable holding the path of the accompanying log file. The directory must already exist; Add-Content creates the file but not its parent folder.

$Logfile = "C:\scripts\MailFeatures.log"

This step creates a function for writing strings to the log file and writes the first datetime-stamped entry, a start marker. The format string uses HH so the hour is recorded on a 24-hour clock; with hh, 1 a.m. and 1 p.m. would both be logged as 01.

Function LogWrite
{
    Param ([string]$logstring)
    Add-Content -Path $Logfile -Value $logstring
}

LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Script started."

The next step creates a variable called "mailboxes" to hold all mailboxes whose Active Directory account is in the DisabledAccounts organizational unit of the foo.com domain, using the Get-Mailbox cmdlet. -ResultSize Unlimited lifts the cmdlet's default cap of 1000 results so a large OU is not silently truncated.

$mailboxes = Get-Mailbox -OrganizationalUnit "ou=DisabledAccounts,dc=foo,dc=com" -ResultSize Unlimited

The final step loops through the "mailboxes" variable and uses the Set-CASMailbox cmdlet. Each cmdlet call passes the Exchange attribute being modified; in this case the calls set OWAEnabled, ActiveSyncEnabled, POPEnabled, IMAPEnabled and MAPIEnabled to false in order to disable client access to the user's Exchange account. Each call is preceded by an entry in the log file created above. The mailbox object returned by Get-Mailbox is piped straight into Set-CASMailbox, so there is no need to look the mailbox up a second time by alias. Note that only the protocols named here are disabled; newer Exchange versions expose further switches on Set-CASMailbox (for example EwsEnabled), and the output of Get-CASMailbox shows which ones your version has.

foreach ($mailbox in $mailboxes)
{
    $user = $mailbox.Alias

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable OWA for user $user."
    $mailbox | Set-CASMailbox -OWAEnabled $false

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable ActiveSync for user $user."
    $mailbox | Set-CASMailbox -ActiveSyncEnabled $false

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable POP for user $user."
    $mailbox | Set-CASMailbox -POPEnabled $false

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable IMAP for user $user."
    $mailbox | Set-CASMailbox -IMAPEnabled $false

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable MAPI for user $user."
    $mailbox | Set-CASMailbox -MAPIEnabled $false
}

Below is the script in its entirety:

# Load the Exchange management snap-in (Exchange 2007 name; adjust for your version).
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

# Log file path; the C:\scripts directory must already exist.
$Logfile = "C:\scripts\MailFeatures.log"

# Append one line to the log file.
Function LogWrite
{
    Param ([string]$logstring)
    Add-Content -Path $Logfile -Value $logstring
}

LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Script started."

# All mailboxes whose AD account sits in the DisabledAccounts OU.
$mailboxes = Get-Mailbox -OrganizationalUnit "ou=DisabledAccounts,dc=foo,dc=com" -ResultSize Unlimited

# Disable each client access protocol, logging before every change.
foreach ($mailbox in $mailboxes)
{
    $user = $mailbox.Alias

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable OWA for user $user."
    $mailbox | Set-CASMailbox -OWAEnabled $false

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable ActiveSync for user $user."
    $mailbox | Set-CASMailbox -ActiveSyncEnabled $false

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable POP for user $user."
    $mailbox | Set-CASMailbox -POPEnabled $false

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable IMAP for user $user."
    $mailbox | Set-CASMailbox -IMAPEnabled $false

    LogWrite "$(Get-Date -f 'MM-dd-yyyy HH:mm:ss'): Attempting to disable MAPI for user $user."
    $mailbox | Set-CASMailbox -MAPIEnabled $false
}
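As an added example (this is not code from the original page), here is a hardened variant of the same de-provisioning script. It makes the five Set-CASMailbox changes in a single call so a mailbox is never left half-disabled, treats cmdlet errors as exceptions so they reach the log instead of scrolling past on the console, supports -WhatIf for a dry run, and re-reads each mailbox with Get-CASMailbox afterwards to verify that every protocol is actually off. The OU, log path and snap-in name are carried over from the article's example and are assumptions; the parameter names and the verification logic are mine. It needs PowerShell 2.0 or later (for splatting) and must run under an account with rights to modify mailboxes.

```powershell
# Added example, not the original page's script. Assumptions: the OU, log
# path and snap-in name below are illustrative and should be replaced with
# your own; the account running the script can modify Exchange mailboxes.
param(
    [string]$OrganizationalUnit = "ou=DisabledAccounts,dc=foo,dc=com",
    [string]$Logfile = "C:\scripts\MailFeatures.log",
    [switch]$WhatIf
)

# Load the Exchange management snap-in once (Exchange 2007 name; adjust for your version).
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
}

# Timestamp every log line in one place instead of at each call site.
Function LogWrite {
    Param ([string]$logstring)
    Add-Content -Path $Logfile -Value "$(Get-Date -Format 'MM-dd-yyyy HH:mm:ss'): $logstring"
}

# The client access protocols this script turns off. Newer Exchange versions
# expose more switches (e.g. EwsEnabled); add them here if your version has them.
$protocols = @{
    OWAEnabled        = $false
    ActiveSyncEnabled = $false
    POPEnabled        = $false
    ImapEnabled       = $false
    MAPIEnabled       = $false
}

LogWrite "Script started against OU '$OrganizationalUnit' (WhatIf=$WhatIf)."

$failures  = @()
$mailboxes = @(Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited)

foreach ($mailbox in $mailboxes) {
    $id = $mailbox.Identity
    try {
        LogWrite "Disabling client access for $($mailbox.Alias) ($id)."

        # One call with the whole parameter set splatted in: either all five
        # protocols change or an exception is raised and logged below.
        Set-CASMailbox -Identity $id @protocols -WhatIf:$WhatIf -ErrorAction Stop

        if (-not $WhatIf) {
            # Verify by re-reading the CAS settings rather than trusting the
            # cmdlet's silence; any protocol still enabled is a failure.
            $cas     = Get-CASMailbox -Identity $id -ErrorAction Stop
            $stillOn = $protocols.Keys | Where-Object { $cas.$_ -ne $false }
            if ($stillOn) {
                throw "Protocols still enabled after change: $($stillOn -join ', ')"
            }
        }
        LogWrite "OK: $($mailbox.Alias)"
    }
    catch {
        $failures += $mailbox.Alias
        LogWrite "ERROR: $($mailbox.Alias): $($_.Exception.Message)"
    }
}

LogWrite "Script finished. $($mailboxes.Count) mailbox(es) processed, $($failures.Count) failure(s)."
if ($failures) { LogWrite "Failed: $($failures -join ', ')" }
```

Run it first as `.\Disable-MailFeatures.ps1 -WhatIf` (a hypothetical file name) to see in the log which mailboxes would be touched, then without the switch. The verification pass is what turns the log from a list of attempts into evidence: a mailbox reported as OK has been read back with every protocol off, and anything that is not is listed by alias at the end so it can be fixed by hand or fed back to the IDM solution.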