Apr 19 2012

Powershell: Enable ActiveSync for users member of an AD group

We will describe in this post how to enable mobile access to your mail system for only some employees. Only users who belong to the LDAP389-ACTIVESYNC group will be able to use the ActiveSync protocol and set up their mailbox on their smartphone. This authorization will be managed by a PowerShell script launched by a scheduled task.

The LDAP389-ACTIVESYNC group has two members: one group containing the users located in Paris, the second containing the users located in London. The members of each group (PAR-ALLOWACTIVESYNC and LON-ALLOWACTIVESYNC) are managed by the respective local IT team:

In order to retrieve the users allowed to use the ActiveSync protocol, we recursively get the members of the LDAP389-ACTIVESYNC group (so that members of the nested Paris and London groups are included):

$groupDN = "CN=LDAP389-ACTIVESYNC,OU=Groups,OU=HQ,DC=ldap389,DC=local"
$members = Get-ADGroupMember -Identity $groupDN -Recursive | Get-ADUser -Properties mail

We will also retrieve the mailboxes which are allowed to use the ActiveSync protocol:

$allcas = Get-Mailbox -ResultSize:unlimited | Get-CASMailbox
$users = $allcas | Where-Object {$_.ActiveSyncEnabled -eq $true}

Firstly, the script browses the mailbox accounts that are currently allowed to use the ActiveSync protocol ($users); if one of these accounts is not a member of the LDAP389-ACTIVESYNC group, ActiveSync is disabled for it with the Set-CASMailbox cmdlet (ActiveSyncEnabled parameter).

Secondly, the script browses the members of the LDAP389-ACTIVESYNC group ($members); if ActiveSync is disabled for one of these accounts, the script enables it, again with the Set-CASMailbox cmdlet.
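The two passes described above, combined into one reconciliation loop, as an added example that is not the downloadable script from this post. It assumes the AD module is installed, that the Exchange connection URI is a placeholder to replace, and that the AD mail attribute matches the mailbox's PrimarySmtpAddress (the join key used here); a -WhatIf switch lets you preview changes, which is why the RBAC role below keeps the whatif parameter.

```powershell
# Added example (not the post's script). Reconciles ActiveSync state with group membership.
# Assumptions: ActiveDirectory module available; $ExchangeUri is a placeholder to replace.
param(
    [string]$GroupDN = "CN=LDAP389-ACTIVESYNC,OU=Groups,OU=HQ,DC=ldap389,DC=local",
    [string]$ExchangeUri = "http://EXCHANGE-SERVER-PLACEHOLDER/PowerShell/",
    [switch]$WhatIf
)

Import-Module ActiveDirectory

# Remote Exchange shell: only the cmdlets granted to the service account by RBAC get imported.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri -Authentication Kerberos
Import-PSSession $session -DisableNameChecking | Out-Null

try {
    # Allowed set: every user reachable through nested groups, keyed by lower-cased mail address.
    $allowed = @{}
    Get-ADGroupMember -Identity $GroupDN -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties mail |
        Where-Object { $_.mail } |
        ForEach-Object { $allowed[$_.mail.ToLower()] = $_.SamAccountName }

    # Fail safe: an empty result (typo in the DN, AD unreachable) must not disable every mailbox.
    if ($allowed.Count -eq 0) { throw "No mail-enabled members found in $GroupDN; aborting." }

    # Current state from Exchange; PrimarySmtpAddress is matched against the AD mail attribute.
    $cas = Get-Mailbox -ResultSize Unlimited | Get-CASMailbox

    foreach ($m in $cas) {
        $addr = $m.PrimarySmtpAddress.ToString().ToLower()
        $shouldBeEnabled = $allowed.ContainsKey($addr)

        if ($m.ActiveSyncEnabled -and -not $shouldBeEnabled) {
            # First pass: enabled today but not (or no longer) in the group -> revoke.
            Write-Output "DISABLE $addr"
            Set-CASMailbox -Identity $m.Identity -ActiveSyncEnabled $false -WhatIf:$WhatIf
        }
        elseif (-not $m.ActiveSyncEnabled -and $shouldBeEnabled) {
            # Second pass: in the group but currently disabled -> grant.
            Write-Output "ENABLE  $addr"
            Set-CASMailbox -Identity $m.Identity -ActiveSyncEnabled $true -WhatIf:$WhatIf
        }
    }
}
finally {
    Remove-PSSession $session
}
```

Run it once with -WhatIf from the service account to confirm that only the expected DISABLE/ENABLE lines appear before scheduling it.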

To download the full script, just click on the link below:

Now we need to set up the scheduled task, which will run with a service account; this user should have the following rights:

  • Read access to the Active Directory objects.
  • Local administrator of the machine the task is running on.
  • The Exchange rights granted by a custom RBAC role, so that the task gets only the permissions it needs.

In order to create the “Disable ActiveSync” role, we create a new management role using the default “Mail Recipients” role as a parent.

New-ManagementRole -Parent "Mail Recipients" -Name "Disable ActiveSync"

The script uses only the three following cmdlets: Get-Mailbox, Get-CASMailbox, Set-CASMailbox. So we will remove all the cmdlets from the role except those three:

Get-ManagementRoleEntry "Disable ActiveSync\*" | Where { (($_.Name -ne "Get-Mailbox") -and ($_.Name -ne "Set-CASMailbox") -and ($_.Name -ne "Get-CASMailbox")) } | Remove-ManagementRoleEntry

We will also restrict the Set-CASMailbox entry of the “Disable ActiveSync” role to the parameters used by our script, removing every other allowed parameter:

Set-ManagementRoleEntry "Disable ActiveSync\Set-CASMailbox" -Parameters Identity,ActiveSyncEnabled,whatif,confirm

Finally we create the role group (an AD security group) called “EnableMobileAccess” and assign the “Disable ActiveSync” role to it.

New-RoleGroup -Name EnableMobileAccess
New-ManagementRoleAssignment -Name ManageMobileAccess -Role "Disable ActiveSync" -SecurityGroup EnableMobileAccess

Just add the service account to the newly created group and set up your Exchange scheduled task with this account. The connection to the Exchange remote shell is already included in the script. The scheduled task will run with a service account that has just the necessary rights, no more.


4 Comments

  • By Engin, April 28, 2012 @ 10:13 pm

    Great article. thanks for posting.

  • By ldap389, April 29, 2012 @ 10:46 am

    Hi Engin, I am glad you found this post interesting.

  • By Tom, September 11, 2012 @ 1:41 pm

    Hi, great article, thanks. I’m a newbie in Exchange PowerShell and want to implement your script. I downloaded it in TXT format. What should I do next? Should I change it to another format?
    Thanks.

  • By ldap389, September 11, 2012 @ 10:33 pm

    Yes, rename the file to the PS1 format. Set the right PowerShell execution policy on your workstation/server.
    Install the AD cmdlets; follow this tutorial, which explains how to install them on a Windows 7 computer or Windows 2008 R2 server.
    Change the default values as explained in the comments of the script, and there you go.

    Regards
