Powershell to disable ActiveSync by default and enable based on group

    Question

  • Hello,

    Please could someone help me. We would like to disable ActiveSync on all mailboxes except for users which are members of a security group "ActiveSync Allowed".

    I have had some success by scheduling a powershell script to run on a daily basis to disable ActiveSync for any users which may have been added/enabled during the previous day.  I have managed to get this working by scheduling the following:

    Get-User -ResultSize Unlimited | Where {($_.WhenCreated -gt (get-date).adddays(-1))} | Set-CASMailbox -ActiveSyncEnabled $false

    However I would like this to exclude a number of users.  These users are members of a security group "ActiveSync Allowed".  Is it possible to somehow get all users in the Exchange 2007 environment but exclude members of this group from the above powershell?  Alternatively any other methods would be welcome.

    Many Thanks
    Mark
    • Edited by ams11 Tuesday, January 19, 2010 10:47 PM
    Tuesday, January 19, 2010 10:40 PM

Answers

  • This should work for enabling your group of allowed ActiveSync users. Save the commands in a text file with the extension .PS1 and run the script from a PowerShell command line, such as:

    [PS] C:\Scripts>.\allow-activesync.ps1

    --------------- SCRIPT -------------

    # Clear screen (used for testing purposes)
    Clear-Host

    # Assign all members of the DG to the dynamic array
    $allMembers = Get-DistributionGroupMember -Identity 'ActiveSync Allowed'

    # Loop through the array
    foreach ($member in $allMembers) {

        # Set ActiveSync for each member of the array
        $member | Set-CASMailbox -ActiveSyncEnabled $true

        # Remove the # sign in front of the Get-CASMailbox statement for status information
        # Get-CASMailbox $member.Name | Select-Object Name, ActiveSyncEnabled
    }

    MCTS: Messaging | MCSE: S+M | Small Business Specialist
    • Proposed as answer by Frank.Wang Monday, January 25, 2010 2:05 AM
    • Marked as answer by Frank.Wang Tuesday, January 26, 2010 1:35 AM
    Wednesday, January 20, 2010 7:32 AM

All replies

  • On Tue, 19-Jan-10 22:40:22 GMT, dmxop11 wrote:

    >Hello, Please could someone help me. We would like to disable ActiveSync on all
    >mailboxes except for users which are members of a security group "ActiveSync
    >Allowed". I have had some success by scheduling a powershell script to run on a
    >daily basis to disable ActiveSync for any users which may have been
    >added/enabled during the previous day. I have managed to get this working by
    >scheduling the following:
    >
    >Get-User -ResultSize Unlimited | Where {($_.WhenCreated -gt (get-date).adddays(-1))} | Set-CASMailbox -ActiveSyncEnabled $false
    >
    >However I would like this to exclude a number of users. These users are
    >members of a security group "ActiveSync Allowed". Is it possible to somehow
    >get all users in the Exchange 2007 environment but exclude members of this
    >group from the above powershell? Alternatively any other methods would be
    >welcome.
    >
    >Many Thanks
    >Mark

    Try this:

    $m = Get-DistributionGroupMember "Group-Name"; get-mailbox -resultsize unlimited | where {$m -notcontains $_.name} | set-casmailbox etc.

    What this WON'T do is to enable ActiveSync for the members of the
    group.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
    Wednesday, January 20, 2010 4:13 AM
  • Question:

    Would these need to be 2 separate scripts?

    Or is it possible to disable ActiveSync globally and only need to run the script to enable AS based on group membership?

    Thanks,

    Matt

    Tuesday, April 20, 2010 3:27 PM
  • I'm also looking for the same sort of script.

    Sort of an

    If part of the "ActiveSync Allowed" group, then enable activesync

    Else Disable ActiveSync

    Thanks,

    Ryan

    Wednesday, January 26, 2011 11:10 PM
  • Has anyone run this script?  How has it worked for you?

    I'm curious if this script has to be run after a new account is created?  I'd like to find a way that new accounts are by default set to ActiveSync disabled, and only users that someone has explicitly allowed, either by group membership or by manually enabling AS, have AS capabilities.  Does this script need to be run after a new account is created, or does it change the default status of ActiveSync to disabled for all new accounts created?

    Thanks,

    Mike

    Friday, September 30, 2011 2:43 PM
  • We're also trying to take the approach of having a group of folks who are allowed to use ActiveSync with Exchange 2010, and scripting the synchronization of the ActiveSyncEnabled mailbox setting. Here's what works for me:

    $mailboxes = Get-CASMailbox -resultSize unlimited
    $asusers = Get-DistributionGroupMember -Identity 'ActiveSync Allowed'

    $asguids = @()
    foreach ($user in $asusers) {
        $asguids += $user.GUID
    }

    foreach ($mailbox in $mailboxes) {
        if ($asguids -contains $mailbox.GUID ) {
            if ($mailbox.ActiveSyncEnabled -ne $true) {
                $mailbox | Set-CASMailbox -ActiveSyncEnabled $true
                echo "$mailbox is enabled"
            }
        }
        else {
            if ($mailbox.ActiveSyncEnabled -ne $false) {
                $mailbox | Set-CASMailbox -ActiveSyncEnabled $false
                echo "$mailbox is disabled"
            }
        }
    }


    • Proposed as answer by Rob Bray Friday, March 16, 2012 5:53 PM
    • Edited by Rob Bray Friday, March 16, 2012 6:58 PM
    • Unproposed as answer by Rob Bray Friday, March 16, 2012 7:06 PM
    • Proposed as answer by Atamidos Wednesday, June 06, 2012 1:03 AM
    Friday, March 16, 2012 5:49 PM
  • That's an excellent script, Rob Bray. I made some modifications to it to make it much faster in a very large environment, as it only gets mailboxes that have ActiveSyncEnabled.  It also supports nested groups in your ActiveSync Allowed group.  It is a little less universal though and requires that you import the Active Directory add-on to use the Get-ADUser cmdlet.

    $mailboxes = Get-CASMailbox -Filter {ActiveSyncEnabled -eq $true} -ResultSize Unlimited
    $asusers = Get-ADUser -ResultSetSize 2147483647 -Filter {(enabled -eq $true) -and (msExchMailboxGUID -like "*") -and (memberOf -RecursiveMatch "Distinguished Name of group")} -Properties mailNickname

    # Find mailboxes that have ActiveSync enabled but aren't a member of the group
    $asguids = @()
    foreach ($user in $asusers) {
        $asguids += $user.ObjectGUID
    }
    foreach ($mailbox in $mailboxes) {
        if ($asguids -notcontains $mailbox.GUID) {
            $mailbox | Set-CASMailbox -ActiveSyncEnabled $false
            Write-Host "$mailbox is disabled"
        }
    }

    # Find mailboxes that have ActiveSync disabled, but are a member of the group.
    $mailguids = @()
    foreach ($mailbox in $mailboxes) {
        $mailguids += $mailbox.GUID
    }
    foreach ($user in $asusers) {
        if ($mailguids -notcontains $user.ObjectGUID) {
            Set-CASMailbox -Identity $user.mailNickname -ActiveSyncEnabled $true
            Write-Host "$($user.Name) is enabled"
        }
    }

    • Edited by Atamidos Tuesday, May 22, 2012 9:18 PM
    • Proposed as answer by Justin Grathwohl Tuesday, June 18, 2013 1:48 AM
    Tuesday, May 22, 2012 9:17 PM
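An added example, not code from any post in this thread: the reconciliation that Rob Bray and Atamidos split into two passes, done as a single default-deny pass (which is also the one-script answer to Matt's question above). It assumes the Exchange Management Shell with the ActiveDirectory module available, uses Get-ADGroupMember -Recursive for nested groups, supports -WhatIf for a dry run, writes a CSV change log, and goes beyond the scripts above in refusing to run when the group resolves to nobody, since with an allow-list an empty lookup would otherwise disable ActiveSync for every mailbox. The function name, the LogDir parameter and the group name are placeholders.

```powershell
# Added example (not from any post in this thread). One default-deny pass: each
# mailbox ends with ActiveSyncEnabled equal to its nested membership of the
# allow-list group. Assumes the Exchange Management Shell plus the
# ActiveDirectory module; group name and log directory are placeholders.
function Sync-ActiveSyncAllowList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupIdentity,  # name, SAM name or DN of the group
        [string]$LogDir = $env:TEMP                             # where the CSV change log goes
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Allowed user objectGUIDs; -Recursive expands nested groups. Caveat: Get-ADGroupMember
    # fails on groups over 5000 members unless MaxGroupOrMemberEntries is raised on the AD web service.
    $allowed = @{}
    Get-ADGroupMember -Identity $GroupIdentity -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $allowed[[string]$_.ObjectGUID] = $true }

    # Safety check: a misresolved or empty group must not silently disable every mailbox.
    if ($allowed.Count -eq 0) {
        throw "Group '$GroupIdentity' resolved to zero user members; refusing to continue."
    }

    $changes = @()
    foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
        $shouldBeEnabled = $allowed.ContainsKey([string]$cas.Guid)
        if ($cas.ActiveSyncEnabled -eq $shouldBeEnabled) { continue }  # already in desired state
        $action = if ($shouldBeEnabled) { 'Enable' } else { 'Disable' }
        # With -WhatIf, ShouldProcess prints the intended change and returns $false.
        $applied = $PSCmdlet.ShouldProcess([string]$cas.Identity, "$action ActiveSync")
        if ($applied) {
            $cas | Set-CASMailbox -ActiveSyncEnabled $shouldBeEnabled
        }
        $changes += New-Object PSObject -Property @{
            Timestamp = (Get-Date).ToString('s')
            Mailbox   = [string]$cas.Identity
            Action    = $action
            Applied   = $applied
        }
    }
    if ($changes.Count -gt 0) {
        $log = Join-Path $LogDir ("activesync-changes-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
        $changes | Select-Object Timestamp, Mailbox, Action, Applied | Export-Csv -Path $log -NoTypeInformation
    }
    return $changes
}
```

Run `Sync-ActiveSyncAllowList -GroupIdentity 'ActiveSync Allowed' -WhatIf` first to review the intended changes (the log then records Applied = False), and drop -WhatIf to apply them.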
  • Hello Rob -

    Just wanted to say Thank you for the above script.  It worked out perfectly for me.

    -Craig

    Tuesday, July 03, 2012 12:40 PM
  • Hi

    Does this work OK?

    My problem is that it does not find and list users in the group.

    I even ran only the line

    Get-ADUser -ResultSetSize 2147483647 -Filter {(enabled -eq $true) -and (msExchMailboxGUID -like "*") -and (memberOf -RecursiveMatch "Distinguished Name of group")} -Properties mailNickname

    but it cannot find users in my group and returns null (nothing).



    • Edited by MohammadG Tuesday, November 13, 2012 4:25 PM
    Tuesday, November 13, 2012 4:23 PM
  • Hi Guys

    Is there a version of this script that will work for Exchange Online too? It doesn't work in that environment as it is.

    Many thanks

    Brian

    Monday, January 14, 2013 11:56 AM
  • Hi Rob, Thank you very much for the above script.  It worked out perfectly for me.

    Tuesday, September 17, 2013 4:11 PM
  • Hi Rob, 

    Thank you very much for the above script.  It worked out perfectly for me.

    Regards,

    Sridhar.K

    Tuesday, September 17, 2013 4:13 PM
  • You need to replace "Distinguished Name of group" with the DN of the group you are searching, i.e. "CN=My Security Group,OU=Groups,DC=contoso,DC=local".
    Monday, September 23, 2013 8:09 PM