Automatically disable ActiveSync for new mailboxes in Exchange 2010

One of the new features in Exchange 2010 is the use of cmdlet extension agents, as described in this post. Using the Scripting Agent you can have Exchange ActiveSync disabled whenever a mailbox is created for a new or existing user. This removes the need to do it directly against Active Directory through some workflow mechanism or scheduling a task to run that does it with the Set-CASMailbox cmdlet.

There is almost no documentation on the use of the provisioning handler for Exchange 2010, leaving me to do a lot of trial and error to get it working for new mailboxes for both new and existing users. It doesn’t look like the provisioning handler has access to any of the information returned by the success of the New-Mailbox and Enable-Mailbox cmdlets. This means it only has access to the information submitted by the user in a cmdlet. Because you supply different information when creating a mailbox for a new user compared to an existing one, the code has to be different for each.

Copy the code below into the ScriptingAgentConfig.xml file and, as Pat Richard’s post details, put it in the CmdletExtensionAgents directory and enable the Scripting Agent.

<?xml version="1.0" encoding="utf-8" ?>
<Configuration version="1.0">
	<Feature Name="MailboxProvisioning" Cmdlets="enable-mailbox">
		<ApiCall Name="OnComplete">
			if($succeeded)
				{
				$user = (Get-User $provisioningHandler.UserSpecifiedParameters["Identity"]).distinguishedName
				Set-CASMailbox $user -ActiveSyncEnabled $false
				}
		</ApiCall>
	</Feature>
	<Feature Name="MailboxProvisioning" Cmdlets="new-mailbox">
		<ApiCall Name="OnComplete">
			if($succeeded)
				{
				$user = (Get-User $provisioningHandler.UserSpecifiedParameters["Name"]).distinguishedName
				Set-CASMailbox $user -ActiveSyncEnabled $false
				}
		</ApiCall>
	</Feature>
</Configuration>

9 thoughts on “Automatically disable ActiveSync for new mailboxes in Exchange 2010

  1. One small issue – this works perfectly well for enabling a pre-existing user on AD, but doesn’t seem to work for new users in AD (raises a huge error related to Identity not being valid).

    Is there a reason both are different?

  2. “It” isn’t running enable-mailbox. The two sections dictate what the agent should do if you run enable-mailbox or new-mailbox. My guess is either DC replication latency is resulting in a user not found or that the user-specified parameter of Name isn’t valid. The parameter needs to be one that is named in the cmdlet. Name is a required parameter and that is why it is safe to rely on that value when used with new-mailbox. If it is because of DC latency, I have yet to figure out how to know which DC was used for the first cmdlet so that it can be specified to use in the second cmdlet (without hardcoding one in the first cmdlet). To know if it is because of that, you can try specifying the DC to use with new-mailbox and then doing the same with the cmdlet the agent runs.

  3. My company has significant lag, so we adapted with a loop that tries to nonchalantly handle the missing object. The code would be something similar to this:

    <?xml version="1.0" encoding="utf-8" ?>
    <Configuration version="1.0">
    <Feature Name="MailboxProvisioning" Cmdlets="enable-mailbox">
    <ApiCall Name="OnComplete">
    if($succeeded)
    {
    $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Identity"]).distinguishedName
    Set-CASMailbox $user -ActiveSyncEnabled $false
    }
    </ApiCall>
    </Feature>
    <Feature Name="MailboxProvisioning" Cmdlets="new-mailbox">
    <ApiCall Name="OnComplete">
    if($succeeded) {
    $ErrorActionPreference = "SilentlyContinue"
    $SecondsYouAreWillingToWait = 55 #I chose a for loop so it would give up after a while, set your tolerance here
    Remove-variable user #a token precaution, a safeguard
    for ($LoopVar = 0;$LoopVar -lt $SecondsYouAreWillingToWait;$LoopVar++) {
    start-sleep –s 1
    $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Name"]).distinguishedName
    If (-not($user)) {#I prefer to test for null versus existence, personal preference
    continue
    } else {
    Set-CASMailbox $user -ActiveSyncEnabled $false
    break
    }
    }
    $ErrorActionPreference = "Continue"
    If ($LoopVariable –ge $SecondsYouAreWillingToWait) { #it never happened
    #write-warning “Mailbox object never found in AD” #not useful to output, maybe eventvwr would be better
    }
    }
    </ApiCall>
    </Feature>
    </Configuration>

  4. You can use a start-sleep cmdlet in the script for new-mailbox to put a delay, so the if block would look like:

    if($succeeded)
    {
    start-sleep -s 60
    $user = (Get-User $provisioningHandler.UserSpecifiedParameters["Name"]).distinguishedName
    Set-CASMailbox $user -ActiveSyncEnabled $false
    }

    The only caveat is that your wizard will pause for the 60s.

    My current problem is getting the enable-mailbox block to trigger when I create a mailbox for an existing user through the EMC. Just won’t trigger.

  5. Pingback: 2K3R2 - Exchange 2010 OWA deaktivieren .. - MCSEboard.de MCSE Forum

  6. Pingback: Exchange 2010 Scripting Agent – flaphead.com

  7. Thanks for this suggestion and script, this is great. I have 3 CAS servers and 3 mailbox servers in a DAG. We are in the process of moving people over from Exchange 2007 to Exchange 2010. With this XML file in the correct location on all 3 CAS servers and all 3 Mailbox servers, and the scripting function has been enabled, its not working.

    I have tested it by migrating test accounts from 2007 to 2010 as well as creating new users on all 3 mailbox databases/servers in 2010 and it doesn’t work either.

    We only allow executive users to have active sync capibility, so I want to make sure its off by default and then i can turn it on manually for our iphone users.

    If you have any ideas or suggestions, please help. We are on track to migrate 220+ users over the next few weeks.

  8. Pingback: Best practices around Mobile Devices and Exchange 2010 | 503 5.0.0 polite people say HELO

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>