Disabling Exchange 2010 ActiveSync, OWA, POP, IMAP or MAPI access for mailboxes with PowerShell

I’ve recently been asked by an administrator at a school to suggest the best way of preventing students from setting up an Outlook profile for their mailboxes.  The first thought that I had was that we could simply disable MAPI access via the Mailbox Features tab in the Exchange Management Console

image

Enable or Disable MAPI for a User Mailbox
http://technet.microsoft.com/en-us/library/bb124497(v=exchg.141).aspx

The challenge was that there are thousands of students in the school and manually clicking in the GUI to disable the MAPI feature wasn’t the best choice so we turned to PowerShell.

The 2 cmdlets we’ll be using to turn off MAPI access are the following:

Get-Mailbox
http://technet.microsoft.com/en-us/library/bb123685(v=exchg.141).aspx

Set-CASMailbox
http://technet.microsoft.com/en-us/library/bb125264(v=exchg.150).aspx

The first Get-Mailbox is to retrieve the mailboxes which will then be piped into the Set-CASMailbox cmdlet.

The following is an example of retrieving all of the mailboxes from a mailbox database then piping it into the set cmdlet to disable MAPI:

Get-Mailbox -Database “Students Database” | Set-CASMailbox -MAPIEnabled $false

image

Note that if you have more than 1000 objects returned from the Get-Mailbox cmdlet then you will receiving the warning:

WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of items returned. To return all items, specify “-ResultSize Unlimited”. Be aware that, depending on the actual number of items, returning all items can take a long time and consume a large amount of memory. Also, we don’t recommend storing the results in a variable. Instead, pipe the results to another task or script to perform batch changes.

I’ve ran this cmdlet in a few environments and noticed that it applies the changes to more than 1000 objects but just to be the safe, I usually run it with the additional -ResultSize unlimited switch:

Get-Mailbox -Database “Students Database” -ResultSize unlimited | Set-CASMailbox -MAPIEnabled $false

image

From here, you can randomly select users to ensure the MAPI feature is turned off

image

Note the warning message:

There are more results available than are currently displayed. To view them, increase the value for the ResultSize parameter.

You can change this limit of 1000 objects returned setting as shown in the following article:

http://technet.microsoft.com/en-us/library/ee332311.aspx

Click on the Recipient Configuration node on the left Modify the Maximum Number of Recipients link on the right:

image

Then change the vaue for Maximum recipients to display:

image

The GUI may not be the most optimal way of reviewing the configuration change so going back to PowerShell, you can use the following cmdlet to list all of the recipient objects in a store with their mailbox feature settings:

Get-Mailbox -Database “Students Database” -ResultSize unlimited | Get-CASMailbox

image

If the list is too long, you can either use the | more command at the end as such:

Get-Mailbox -Database “Students Database” -ResultSize unlimited | Get-CASMailbox | more

… or simply pipe the output to a text file:

Get-Mailbox -Database “Students Database” -ResultSize unlimited | Get-CASMailbox > C:mailboxfeatures.txt

——————————————————————————————————————————————————————–

Note that to disable or enable the other features, simply replace -MAPIEnabled with any of the following:

  • ActiveSyncEnabled
  • OWAEnabled
  • PopEnabled
  • ImapEnabled

2 Responses

  1. Very informative post. I sometimes do presentations on SharePoint and was wondering if I could use your Print List example in my presentations and refer my audience to your website for further info.