Posted by: Andy Grogan | July 29, 2007

Disabling IMAP for New Users, but maintaining the existing IMAP settings…

A little while ago I saw a post in the MSExchange Forums which was basically asking whether it was possible to disable IMAP for new users when they are created in Active Directory, but in the case of the Executives, leave the IMAP settings intact (due to the fact that one of them had purchased an iPhone – yuck!)

I liked the look of this post and wanted to answer, but when I thought about it, it became apparent that this is quite hard to do. Even though I had the basic idea that it could perhaps be accomplished by some form of script, there were some finer details to work out: how the script should run, and how we could take into account existing IMAP settings.

During my research I came across the following script on Glen's Exchange Dev Blog, which explains how you can enable and disable POP3 and IMAP on a per-user basis. This was great, as with some adaptation it could be used to disable IMAP globally in AD (thanks Glen – as always you have what we need); now all I needed was a method to exclude people from the disable process.

In the end I decided to have a Sub in the script that would open a text file, exclude.txt, which contains a list of distinguishedNames that we wish to read back into the Sub and re-enable the IMAP settings for.

Now that the script had been logically thought out, this is what I came up with in terms of the code:

' Disable IMAP4 for every user account in the domain, then re-enable it for the
' distinguishedNames listed in exclude.txt (one per line).
Option Explicit
Dim objRootDSE, strADsPath, objDomain, objCommand, objConn, objRecordSet

Const ADS_PROPERTY_UPDATE = 2   ' PutEx control code: replace the attribute's values

Set objRootDSE = GetObject("LDAP://rootDSE")
strADsPath = "LDAP://" & objRootDSE.Get("defaultNamingContext")

Set objDomain = GetObject(strADsPath)

' Paged LDAP query for all user accounts in the domain. objectCategory = 'person'
' keeps computer accounts (which also carry objectClass = user) out of the result.
Set objCommand = CreateObject("ADODB.Command")
Set objConn = CreateObject("ADODB.Connection")
objConn.Open "Provider=ADsDSOObject;"
Set objCommand.ActiveConnection = objConn
objCommand.CommandText = "SELECT distinguishedName,samAccountName FROM '" & strADsPath & "' WHERE objectCategory = 'person' AND objectClass = 'user'"
objCommand.Properties("searchscope") = 2
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute

' Pass 1: disable IMAP4 on every user returned by the query.
While Not objRecordSet.EOF
  ChangeVal objRecordSet.Fields("distinguishedName").Value
  objRecordSet.MoveNext
Wend

' Pass 2: re-enable IMAP4 for the excluded accounts. An excluded account is
' disabled in pass 1 and re-enabled here on every run, so exclude.txt must be
' complete before the script is scheduled.
FindExcluded

Sub ChangeVal(strDN)
  Dim qstring, objUser
  qstring = "LDAP://" & strDN
  Set objUser = GetObject(qstring)
  ' The second § field of the IMAP4 entry is the enabled flag: 0 = disabled
  objUser.PutEx ADS_PROPERTY_UPDATE, "protocolSettings", Array("IMAP4§0§1§4§ISO-8859-1§0§1§0§0")
  objUser.SetInfo
  Set objUser = Nothing
End Sub

Sub FindExcluded
  Dim objFSO, objFile, strLine, qstring, objUser
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFSO.OpenTextFile("exclude.txt", 1)   ' 1 = ForReading

  Do Until objFile.AtEndOfStream
    strLine = Trim(objFile.ReadLine)
    If Len(strLine) > 0 Then                  ' skip blank lines in exclude.txt
      qstring = "LDAP://" & strLine           ' Thanks Glen
      Set objUser = GetObject(qstring)
      ' Enabled flag = 1 re-enables IMAP4 for this account
      objUser.PutEx ADS_PROPERTY_UPDATE, "protocolSettings", Array("IMAP4§1§1§4§ISO-8859-1§0§1§0§0")
      objUser.SetInfo
      Set objUser = Nothing
    End If
  Loop
  objFile.Close

  Set objFSO = Nothing
  Set objFile = Nothing
End Sub


You can download a copy of this code from Here

You will notice that the code above references a text file called exclude.txt. This file should contain the distinguishedNames that you wish to exclude from the process of disabling IMAP, one per line – for example:

 

CN=Andy,CN=Users,DC=ldn,DC=com
CN=Maria,CN=Users,DC=ldn,DC=com

 

What I suggest for people wishing to implement this is to put this script on either a Domain Controller or an Exchange server, and then schedule it as a recurring task using the "Scheduled Tasks" wizard (you can configure a batch file to run every 10 minutes or so which runs the script).
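As an added example (not the post's script, and not something that talks to AD), here is a Python model of the same decision logic: it parses the exclude.txt format above and works out, per user, whether the protocolSettings attribute actually needs rewriting, so excluded accounts are not flipped off and back on during every scheduled run. It assumes protocolSettings is multi-valued (POP3/HTTP entries sit beside the IMAP4 one) and that the second § field of the IMAP4 entry is the enabled flag, as the two values in the VBScript suggest; the sample users and POP3 entries are constructed.

```python
# Added example (not the post's script): models the IMAP decision logic offline.
# Assumptions: protocolSettings is multi-valued (POP3/HTTP entries sit beside the
# IMAP4 one) and the second '§' field of the IMAP4 entry is the enabled flag,
# 1 = enabled / 0 = disabled, as the two values in the VBScript suggest.
IMAP_DISABLED = "IMAP4§0§1§4§ISO-8859-1§0§1§0§0"
IMAP_ENABLED = "IMAP4§1§1§4§ISO-8859-1§0§1§0§0"


def read_exclusions(text):
    """Parse exclude.txt: one distinguishedName per line, blank lines ignored,
    DNs normalised to lower case so comparisons are case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_imap_entry(value):
    return value.upper().startswith("IMAP4§")


def plan_imap_changes(users, excluded):
    """users: dict dn -> current protocolSettings values on that object.
    Returns dict dn -> new value list, only for objects that need a write."""
    changes = {}
    for dn, settings in users.items():
        want_enabled = dn.lower() in excluded
        imap = [s for s in settings if is_imap_entry(s)]
        # Already in the desired state: no write, so an excluded user is never
        # flipped off and back on during a scheduled run.
        if imap and imap[0].split("§")[1] == ("1" if want_enabled else "0"):
            continue
        others = [s for s in settings if not is_imap_entry(s)]  # keep POP3/HTTP
        changes[dn] = others + [IMAP_ENABLED if want_enabled else IMAP_DISABLED]
    return changes


# Constructed sample data standing in for the AD query and exclude.txt.
SAMPLE_USERS = {
    "CN=Andy,CN=Users,DC=ldn,DC=com": [IMAP_ENABLED, "POP3§1§1§4§ISO-8859-1§0§1§0§0"],
    "CN=Maria,CN=Users,DC=ldn,DC=com": [IMAP_DISABLED],
    "CN=NewHire,CN=Users,DC=ldn,DC=com": [],
    "CN=Bob,CN=Users,DC=ldn,DC=com": [IMAP_ENABLED, "POP3§0§1§4§ISO-8859-1§0§1§0§0"],
}
SAMPLE_EXCLUDE_TXT = "CN=Andy,CN=Users,DC=ldn,DC=com\n\ncn=maria,cn=users,dc=ldn,dc=com\n"

if __name__ == "__main__":
    plan = plan_imap_changes(SAMPLE_USERS, read_exclusions(SAMPLE_EXCLUDE_TXT))
    for dn, values in plan.items():
        print(dn, "->", values)
```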

 


Responses

  1. Great code, but now you can do it in PowerShell with 4 lines (even less if you wanted). This code doesn't use a text file, it uses an AD group to determine if the users should have IMAP enabled. The same can be done with a few tweaks for POP and ActiveSync. I had a little more code on lines 3 + 4 to create a log file. Email me and let me know if you want that too. You can set this as a scheduled task. It works great!

    $AD = (get-group 'NameofGroup').members | select ObjectGuid | ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} | select Name, SamAccountName
    $EX = Get-CASMailbox -resultsize unlimited | where {$_.IMAPEnabled} | select Name, SamAccountName
    $EX | ForEach-Object {if (!($AD -contains $_.SamAccountName)) {Set-CASMailbox -identity $_.SamAccountName -ImapEnabled $false}}
    $AD | ForEach-Object {if (!($EX -contains $_.SamAccountName)) {Set-CASMailbox -identity $_.SamAccountName -ImapEnabled $true}}

  2. Oops... the above script disables everyone and then enables only the ones that are needed. This updated script only disables the enabled users that should not have it, and then enables the disabled users that should.

    $AD = (get-group 'NameofGroup').members | select ObjectGuid | ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} | select Name, SamAccountName
    $EX = Get-CASMailbox -resultsize unlimited | where {$_.PopEnabled} | select Name, SamAccountName
    $EX | ForEach-Object {if (($AD | ForEach-Object {$_.SamAccountName}) -notcontains $_.SamAccountName) {Set-CASMailbox -identity $_.SamAccountName -PopEnabled $false}}
    $AD | ForEach-Object {if (($EX | ForEach-Object {$_.SamAccountName}) -notcontains $_.SamAccountName) {Set-CASMailbox -identity $_.SamAccountName -PopEnabled $true}}

  3. Great script Jake! One note: I had to change "SamAccountName" to "DistinguishedName" because some of my user objects had really long names. The script works great though.

