
HOWTO: Exchange 2010 ActiveSync Group enable and disable PowerShell scripting

Within Exchange 2010, various ActiveSync rules exist for device partnerships with users.  One of the management requests is often to be able to ensure that users in a particular group are allowed to use ActiveSync.  At the company I work for, this group is “ActiveSyncAllowed”.  One request I had recently was to build a report of users who are:

· In “ActiveSyncAllowed” but DO NOT HAVE ActiveSync enabled.

· In “ActiveSyncAllowed” but DO HAVE ActiveSync enabled.

· Not in “ActiveSyncAllowed” but DO HAVE ActiveSync enabled.

I was not able to find a good way to *report* on this, as the reporting needs to track exceptions and error levels to ensure that it worked, didn’t work, etc.  I was, however, able to find a process that, instead of reporting on this, simply *does* the work, and ensures that “Users in ActiveSyncAllowed” have “ActiveSync=Enabled”, and if they’re not in the group, ActiveSync will be disabled.  Very quick and dirty.

I found this detail via a blog post at LDAP389, an Active Directory blog – http://www.ldap389.info/en/2012/04/19/powershell-enable-disable-activesync-ad-group-rbac-exchange-scheduled-task/

Specifically, the script can be found at: http://www.ldap389.info/wp-content/uploads/2012/04/ManageActivesyncusers.txt

And the script itself, in case the link breaks:

===== CheckActiveSyncGroup.ps1 =====

# With this remote session you do not need the Exchange Management Shell on the machine
# running the script; change <CASSERVER>.<ADDOMAINNAME> to the FQDN of a Client Access server.
# Inside the domain the HTTP session is Kerberos-authenticated and the payload is encrypted.
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<CASSERVER>.<ADDOMAINNAME>/PowerShell/
Import-PSSession $s -AllowClobber

# Import the AD module installed on the server
Import-Module ActiveDirectory

# Change the DN of the AD group that grants ActiveSync access
$groupDN = "CN=ActiveSyncAllowed,CN=Users,DC=<DOMAIN>,DC=<DOMAIN_SUFFIX>"

# -Recursive expands nested groups; keep only user objects so Get-ADUser is not fed computer accounts
$members = Get-ADGroupMember -Identity $groupDN -Recursive |
           Where-Object { $_.objectClass -eq 'user' } |
           Get-ADUser -Properties mail

# Fail closed: an empty member list (wrong DN, module not loaded, lookup error) would
# otherwise make the first loop disable ActiveSync for every mailbox in the organization
if (-not $members) { throw "No members resolved for $groupDN; aborting." }

$allcas = Get-Mailbox -ResultSize Unlimited | Get-CASMailbox
$users  = $allcas | Where-Object { $_.ActiveSyncEnabled -eq $true }

# Log files are created in folder C:\BIN, change if necessary. Each run writes a bare
# timestamp to both logs so a run with nothing to do is still visible (see the output below)
(Get-Date).ToString() | Out-File C:\BIN\disable.txt -Append
(Get-Date).ToString() | Out-File C:\BIN\enable.txt -Append

# Pass 1: any mailbox with ActiveSync enabled whose user is not in the group gets it disabled
foreach ($user in $users) {
    $is = $members | Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }
    if (-not $is) {
        Set-CASMailbox -Identity $user.DistinguishedName -ActiveSyncEnabled $false -Confirm:$false
        (Get-Date).ToString() + ' ' + [string]$user.PrimarySmtpAddress | Out-File C:\BIN\disable.txt -Append
    }
}

# Pass 2: every group member that has a mailbox gets ActiveSync enabled if it is not already
foreach ($member in $members) {
    $is2 = $allcas | Where-Object { $_.DistinguishedName -eq $member.DistinguishedName }
    # Members without a mailbox are skipped; Set-CASMailbox would only error on them
    if ($is2 -and -not $is2.ActiveSyncEnabled) {
        Set-CASMailbox -Identity $member.DistinguishedName -ActiveSyncEnabled $true -Confirm:$false
        (Get-Date).ToString() + ' ' + [string]$member.mail | Out-File C:\BIN\enable.txt -Append
    }
}

Remove-PSSession $s

===== CheckActiveSyncGroup.ps1 =====

The output you get from this is in two files:

C:\BIN\ENABLE.TXT

3/14/2013 3:40:25 PM
3/14/2013 3:44:03 PM avram@netwise.ca
3/14/2013 3:44:04 PM robin@netwise.ca
3/14/2013 3:44:04 PM
3/14/2013 3:48:20 PM

C:\BIN\DISABLE.TXT

3/14/2013 3:40:25 PM
3/14/2013 3:44:03 PM
3/14/2013 3:48:20 PM testuser@netwise.ca

As you can see, every run adds a line: if there is nothing to do it is just a date/timestamp, and if an account was enabled or disabled the line carries the time/date and the e-mail address of that account.

Due to the PS modules in use, this is a little counterintuitive.  I ran this ON a DC and NOT on an Exchange server or a system with the Exchange Management Shell enabled.  There’s probably another half-dozen ways to skin this cat, but this one works very well.

This script could be put in place to run every hour, or nightly, and there is no reason the ENABLE/DISABLE files could not be overwritten on each run and e-mailed as attachments after the task completes.  Lots of options.  Whatever account runs the scheduled task needs an Exchange RBAC role that includes Set-CASMailbox, and it should be the only account that can write to C:\BIN, since those logs are your audit trail of who lost or gained access.

Also, it is worth noting that this generally shows how to ensure that members of GroupA, and no one else, have RightA.  A similar script could be written for OWA or IMAP or POP3 access for Exchange, or to set rights on folders, etc.
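Two things the post leaves open are the *report* it asked for at the top (the three buckets: in the group but disabled, in the group and enabled, not in the group but enabled) and the generalization to OWA, IMAP and POP3 just mentioned. The following is an added example, not code from the original post or from the LDAP389 script, that covers both. `Get-CasFeatureReport` is pure classification over plain objects, so it runs with the constructed sample data at the bottom and needs no Exchange or AD connection; `Sync-CasFeatureToGroup` assumes the same remote Exchange session and ActiveDirectory module as the script above, a group DN you supply, and a log path of C:\BIN\cas-changes.txt (an assumption, change as needed). It supports `-WhatIf` and refuses to run when the group resolves to nothing, so a bad DN cannot become "disable everyone".

```powershell
# Added example (not from the original post or the LDAP389 script). Assumptions:
# Exchange cmdlets imported via Import-PSSession, ActiveDirectory module loaded,
# and a C:\BIN\cas-changes.txt log path. The sample data at the end is constructed.

# Classify mailboxes against the group. Works on plain objects so it can be run offline.
function Get-CasFeatureReport {
    param(
        [Parameter(Mandatory)] [object[]]$GroupMembers,  # need .DistinguishedName and .mail
        [Parameter(Mandatory)] [object[]]$CasMailboxes,  # need .DistinguishedName, .PrimarySmtpAddress, <Feature>Enabled
        [ValidateSet('ActiveSync', 'OWA', 'Imap', 'Pop')] [string]$Feature = 'ActiveSync'
    )
    # Get-/Set-CASMailbox property names: ActiveSyncEnabled, OWAEnabled, ImapEnabled, PopEnabled
    $flag = "${Feature}Enabled"

    # Index both sides by DN: one hashtable lookup per object instead of rescanning an array per user
    $memberByDn  = @{}; foreach ($m in $GroupMembers) { $memberByDn[$m.DistinguishedName] = $m }
    $mailboxByDn = @{}; foreach ($c in $CasMailboxes) { $mailboxByDn[$c.DistinguishedName] = $c }

    $report = @{
        InGroupEnabled    = New-Object System.Collections.ArrayList  # compliant
        InGroupDisabled   = New-Object System.Collections.ArrayList  # to be enabled
        NotInGroupEnabled = New-Object System.Collections.ArrayList  # to be disabled
        InGroupNoMailbox  = New-Object System.Collections.ArrayList  # report only; nothing to set
    }
    foreach ($c in $CasMailboxes) {
        $inGroup = $memberByDn.ContainsKey($c.DistinguishedName)
        $enabled = [bool]$c.$flag
        if     ($inGroup -and $enabled) { [void]$report.InGroupEnabled.Add($c) }
        elseif ($inGroup)               { [void]$report.InGroupDisabled.Add($c) }
        elseif ($enabled)               { [void]$report.NotInGroupEnabled.Add($c) }
    }
    foreach ($m in $GroupMembers) {
        if (-not $mailboxByDn.ContainsKey($m.DistinguishedName)) { [void]$report.InGroupNoMailbox.Add($m) }
    }
    return $report
}

# Enforce the report for any of the four CAS features. Honours -WhatIf and fails closed.
function Sync-CasFeatureToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$GroupDN,
        [ValidateSet('ActiveSync', 'OWA', 'Imap', 'Pop')] [string]$Feature = 'ActiveSync',
        [string]$LogFile = 'C:\BIN\cas-changes.txt'   # assumed location
    )
    $members = Get-ADGroupMember -Identity $GroupDN -Recursive |
               Where-Object { $_.objectClass -eq 'user' } |
               Get-ADUser -Properties mail
    # An empty member list (wrong DN, module missing) must not turn into "disable everyone"
    if (-not $members) { throw "No members resolved for $GroupDN; refusing to continue." }

    $allcas = Get-Mailbox -ResultSize Unlimited | Get-CASMailbox
    $r = Get-CasFeatureReport -GroupMembers $members -CasMailboxes $allcas -Feature $Feature
    $flag = "${Feature}Enabled"

    foreach ($c in $r.NotInGroupEnabled) {
        if ($PSCmdlet.ShouldProcess($c.PrimarySmtpAddress, "disable $Feature")) {
            $p = @{ $flag = $false }                       # splat the feature switch by name
            Set-CASMailbox -Identity $c.DistinguishedName @p -Confirm:$false
            ('{0} disable {1} {2}' -f (Get-Date).ToString('s'), $Feature, $c.PrimarySmtpAddress) | Out-File $LogFile -Append
        }
    }
    foreach ($c in $r.InGroupDisabled) {
        if ($PSCmdlet.ShouldProcess($c.PrimarySmtpAddress, "enable $Feature")) {
            $p = @{ $flag = $true }
            Set-CASMailbox -Identity $c.DistinguishedName @p -Confirm:$false
            ('{0} enable {1} {2}' -f (Get-Date).ToString('s'), $Feature, $c.PrimarySmtpAddress) | Out-File $LogFile -Append
        }
    }
    foreach ($m in $r.InGroupNoMailbox) { Write-Warning "$($m.DistinguishedName) is in the group but has no mailbox" }
    return $r
}

# Constructed sample data (not real accounts) covering the three cases from the post plus a
# member with no mailbox; this part runs anywhere and needs no Exchange or AD connection.
$demoMembers = @(
    [pscustomobject]@{ DistinguishedName = 'CN=avram,CN=Users,DC=example,DC=local';  mail = 'avram@example.local' }
    [pscustomobject]@{ DistinguishedName = 'CN=robin,CN=Users,DC=example,DC=local';  mail = 'robin@example.local' }
    [pscustomobject]@{ DistinguishedName = 'CN=nomail,CN=Users,DC=example,DC=local'; mail = $null }
)
$demoCas = @(
    [pscustomobject]@{ DistinguishedName = 'CN=avram,CN=Users,DC=example,DC=local';    PrimarySmtpAddress = 'avram@example.local';    ActiveSyncEnabled = $true }
    [pscustomobject]@{ DistinguishedName = 'CN=robin,CN=Users,DC=example,DC=local';    PrimarySmtpAddress = 'robin@example.local';    ActiveSyncEnabled = $false }
    [pscustomobject]@{ DistinguishedName = 'CN=testuser,CN=Users,DC=example,DC=local'; PrimarySmtpAddress = 'testuser@example.local'; ActiveSyncEnabled = $true }
)
$demo = Get-CasFeatureReport -GroupMembers $demoMembers -CasMailboxes $demoCas -Feature ActiveSync
foreach ($k in 'InGroupEnabled', 'InGroupDisabled', 'NotInGroupEnabled', 'InGroupNoMailbox') {
    $names = $demo[$k] | ForEach-Object { if ($_.PrimarySmtpAddress) { $_.PrimarySmtpAddress } else { $_.DistinguishedName } }
    '{0,-18} {1}' -f $k, ($names -join ', ')
}
```

Run the live version first as `Sync-CasFeatureToGroup -GroupDN 'CN=ActiveSyncAllowed,CN=Users,DC=<DOMAIN>,DC=<DOMAIN_SUFFIX>' -Feature OWA -WhatIf` to see exactly which mailboxes would change, then drop `-WhatIf` to apply; the returned hashtable is the report the post was after and can be dumped with `Export-Csv` for the e-mail attachment idea above. Swapping `-Feature` is the only change needed for IMAP or POP3 because the splatted hashtable builds the `-ImapEnabled` / `-PopEnabled` parameter name at run time.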

Hopefully this helps someone later with some powershell options.

Categories: ActiveSync, AD, Exchange, PowerShell