20 November 2012

Enabling and disabling Outlook Anywhere Per User

RPC/HTTPS was the original name for Outlook Anywhere when it was introduced with Exchange Server 2003. Exchange 2003 did not provide very granular control over it, though. Along with the increase in productivity, it brought a concern: a user's mailbox could be configured on any Outlook client, even where the user was not supposed to do so.
As a result, people could make unauthorized copies of their mailboxes on their home PCs and laptops.
Exchange 2007 SP1 and later can disable Outlook Anywhere access on a per-user basis.

It is a simple process: the administrator runs a few commands in PowerShell and the configuration is done. Let's take a look:

To enable Outlook Anywhere for a single user:
Get-Mailbox -Identity "username" | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$False

To disable Outlook Anywhere for a single user:
Get-Mailbox -Identity "username" | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True

To enable it for all users:
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$False

To disable it for all users:
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True

To enable it for multiple users only:
  • Identify the users who need Outlook Anywhere access enabled.
  • Make a list of those users' accounts.
  • Put it in a simple text file, one account per line, as below:
User1
User2
User3
  • Now save this text file to any location you want with the name Mailboxes.txt. For example, D:\Mailboxes.txt
  • Simply run the script below.
# Read one mailbox identity per line and allow Outlook Anywhere for each
$Mailboxes = Get-Content D:\Mailboxes.txt
foreach ($Mailbox in $Mailboxes)
{
    Set-CASMailbox -Identity $Mailbox -MAPIBlockOutlookRpcHttp:$false -Verbose
}


To disable it for multiple users only:
  • Identify the users who need to be blocked from Outlook Anywhere access.
  • Make a list of those users' accounts.
  • Put it in a simple text file, one account per line, as below:
User1
User2
User3
  • Now save this text file to any location you want with the name Mailboxes.txt. In my case it is D:\Mailboxes.txt
  • Simply run the script below.
# Read one mailbox identity per line and block Outlook Anywhere for each
$Mailboxes = Get-Content D:\Mailboxes.txt
foreach ($Mailbox in $Mailboxes)
{
    Set-CASMailbox -Identity $Mailbox -MAPIBlockOutlookRpcHttp:$true -Verbose
}
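
As an added example (not part of the original post), the bulk-disable loop above can be extended to skip blank lines, report identities that fail, and read the setting back with Get-CASMailbox. It assumes the Exchange Management Shell with PowerShell 2.0 or later and the D:\Mailboxes.txt list described above; the variable names are illustrative.

```powershell
# Added example: apply the block list, then verify that the setting took effect.
# Assumptions: Exchange Management Shell, PowerShell 2.0+, list file at D:\Mailboxes.txt.
$ListPath = 'D:\Mailboxes.txt'

# Drop blank lines and stray whitespace so Set-CASMailbox never gets an empty identity.
$Mailboxes = @(Get-Content $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })

$Failed = @()
foreach ($Mailbox in $Mailboxes) {
    try {
        Set-CASMailbox -Identity $Mailbox -MAPIBlockOutlookRpcHttp:$true -ErrorAction Stop
    }
    catch {
        # A typo in the list or a removed account lands here instead of scrolling past unnoticed.
        $Failed += $Mailbox
        Write-Warning "Could not update '$Mailbox': $($_.Exception.Message)"
    }
}

# Read the value back for every listed mailbox that was updated.
$NotBlocked = @()
foreach ($Mailbox in $Mailboxes) {
    if ($Failed -contains $Mailbox) { continue }
    $Cas = Get-CASMailbox -Identity $Mailbox
    if (-not $Cas.MAPIBlockOutlookRpcHttp) { $NotBlocked += $Mailbox }
}

# Organisation-wide view: mailboxes where Outlook Anywhere is still allowed.
# Compare this against the list to spot accounts that were never included.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { -not $_.MAPIBlockOutlookRpcHttp } |
    Select-Object Name, MAPIBlockOutlookRpcHttp |
    Sort-Object Name |
    Out-Host

Write-Host ("Requested: {0}  Failed: {1}  Still not blocked: {2}" -f `
    $Mailboxes.Count, $Failed.Count, $NotBlocked.Count)
```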



1 comment:

  1. I know this is an old post, but there are still a lot of Exchange 2007 servers out there in service and even new Exchange 2007 servers being brought into service. I did a migration for a client from 2003 to 2007 just this weekend. So as a note of caution in regards to the security of email with this command. If you have Outlook Anywhere enabled, once a user connects and downloads their mail with Cached Exchange Mode enabled, running Get-Mailbox -Identity "username" | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True will not block them from access to the Outlook cached email and in fact will continue to connect them to the mail server for new mail. The command will only stop them from connecting to the directory. That said, if you set up a new user, then run Get-Mailbox -Identity "username" | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True they will not be able to connect to the directory and so will not be able to access their mail for the initial download of cache. I tested these commands 6 ways from Sunday and that is the hole I found. Outlook and Exchange are a flaky couple.
