If you want to disable access to ActiveSync – Direct Push – Oma, you can change the property
msExchOmaAdminWirelessEnable for the user account.
 
Here is the tab in AD exchange extensions where you would manually do it:
 
 
Note that by default this attribute is empty and all new users have access to these features.
 
In order to disable all allowed features, you need to set the attribute to 7
If you want to set specific options, you can make the changes manually and verify the setting via Adsiedit.msc
 
Here is a Powershell script that will disable the Mobile services for all users except a list of users found in mylist.txt
(based on samaccountname)

  

$cred = Get-Credential domainuser
$myexcludelist = gc c:mylist.txt
$myexcludelist
Foreach ($user in Get-QADUser -SizeLimit 5000 -SearchRoot ‘dc=domain,dc=com’ -Email *)
{
$user.SamAccountName
If ($myexcludelist -contains $user.SamAccountName)
{
Write-Host $user.SamAccountName + “exists”
}
else
{
set-QADUser -Identity $user -ObjectAttributes @{msExchOmaAdminWirelessEnable=’7′} -credential $cred
}
}
 
If you need to reset the attribute to the default value, just insert an empty value ”
Here is a little script to check your changes on a specific user:
 

$user

=Get-QADUser-samaccountname testaccount-SearchRoot‘dc=domain,dc=com’IncludedProperties(‘msExchOmaAdminWirelessEnable’)$user

.(‘msExchOmaAdminWirelessEnable’)Disable all

set-QADUser

-Identity$user-ObjectAttributes @{msExchOmaAdminWirelessEnable=‘7’}

Reset to default set-QADUser-Identity$user-ObjectAttributes @{msExchOmaAdminWirelessEnable=}

 Update

Following a comment by Joe here below, here is the way to disable the features to users from a text file.

 

Get-Content e:\users.txt | %{set-QADUser-Identity$_-ObjectAttributes @{msExchOmaAdminWirelessEnable=’7′}}

[The users.txt would contain samaccountnames] 

Advertisements

Powershell

February 9, 2009

3 Comments