Explaining the new MAPI Access feature included in Exchange Server 2003 Service Pack 2
Before Exchange 2003 SP2, the only way to disable MAPI access was the rather cumbersome method described in Microsoft KB article 288894, "How to disable MAPI client access to an Exchange Server 2003 computer or to an Exchange 2000 Server computer". Exchange 2003 SP2 introduces a new method that lets you enable or disable MAPI (Outlook) access on a per-user basis. This is a welcome addition, especially for Exchange hosting providers, who often offer different subscription packages, such as one allowing OWA access and another allowing both OWA and Outlook MAPI access.
With Exchange 2003 Service Pack 2, MAPI access can be controlled via a new ProtocolSettings attribute, which is set on a mailbox-enabled AD user object, for example by using ADSIEdit (yes, that's right: this is one more Exchange 2003 SP2 feature that cannot be manipulated via the Active Directory Users and Computers or the Exchange System Manager snap-in).
Configuring the ProtocolSettings attribute
As mentioned above, you need to use ADSIEdit to manipulate the ProtocolSettings attribute, so make sure the Windows 2003 Server Support Tools (found in the Support folder on a Windows 2003 Server CD) are installed on the machine before you read any further.
Now that you're ready, let's take a closer look at the new ProtocolSettings attribute. Open ADSI Edit, expand Domain [servername.domain.com], then expand the container holding the user objects for which you wish to allow or deny MAPI access. Right-click a user and select Properties on the context menu that appears (see Figure 1).
Figure 1: ADSI Edit
In the property window of the respective user find and double-click on the ProtocolSettings attribute, as shown in Figure 2 below.
Figure 2: ProtocolSettings attribute
By default the multi-valued string is blank, which means no value is defined and MAPI access is therefore allowed. Adding the string MAPI§0§0§§§§§§, as I did in Figure 3 below, will disable MAPI access for the respective user.
Figure 3: Value string used to disable MAPI access
Adding the string MAPI§1§0§§§§§§, as shown in Figure 4 below, will enable MAPI access for the user.
Figure 4: Value string used to enable MAPI access
Finally, adding the string MAPI§1§1§§§§§§, as shown in Figure 5, will enable MAPI access only for Outlook clients running in cached mode.
Figure 5: Value string used to enable MAPI access for Cached Mode clients only
Bear in mind that the ProtocolSettings attribute is cached in the MBICache (the MBICache TTL is set to 2 hours by default) as well as in DSAccess (the DSAccess TTL is set to 15 minutes by default), which means a delay can occur before a change becomes effective.
The MAPI access ProtocolSettings attribute string doesn’t apply to mailboxes when accessed via delegation.
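To check in bulk which of the three states above each account is in, the attribute values can be parsed from a directory export. The following is an added example, not code from the original article or from Microsoft: it assumes an LDIF export of the user objects in which the non-ASCII § values are written base64-encoded (`protocolSettings::`), and the state labels, function names, users and domain are hypothetical.

```python
import base64
SEP = "\u00a7"  # section sign, the field separator in ProtocolSettings values
# Flag meanings read off the three strings shown in the article.
STATES = {("0", "0"): "disabled", ("1", "0"): "enabled",
          ("1", "1"): "cached-mode-only"}

def classify(values):
    """MAPI state implied by one user's ProtocolSettings values."""
    for value in values:
        fields = value.split(SEP)
        if fields[0].upper() != "MAPI":
            continue  # entry belongs to another protocol
        if len(fields) < 3:
            return "unrecognized"
        return STATES.get((fields[1], fields[2]), "unrecognized")
    return "default-allowed"  # no MAPI entry: access is allowed by default

def parse_ldif(text):
    """Map each dn in an LDIF export to its protocolSettings values."""
    users, dn = {}, None
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold long lines
    for line in text.split("\n"):
        if not line.strip():
            dn = None  # a blank line ends the record
            continue
        name, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")  # "attr:: ..." marks a base64 value
        data = rest[1:].strip() if is_b64 else rest.strip()
        if is_b64:
            data = base64.b64decode(data).decode("utf-8")
        if name.lower() == "dn":
            dn = data
            users[dn] = []
        elif name.lower() == "protocolsettings" and dn is not None:
            users[dn].append(data)
    return users

def audit(text):
    return {dn: classify(v) for dn, v in parse_ldif(text).items()}

# Constructed sample export; the HTTP entry stands in for any non-MAPI value.
_b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
SAMPLE_LDIF = "\n".join([
    "dn: CN=Alice,OU=Hosted,DC=example,DC=com",
    "protocolSettings:: " + _b64("MAPI§0§0§§§§§§"), "",
    "dn: CN=Bob,OU=Hosted,DC=example,DC=com",
    "protocolSettings:: " + _b64("HTTP§1§1§§§§§§"),
    "protocolSettings:: " + _b64("MAPI§1§1§§§§§§"), "",
    "dn: CN=Carol,OU=Hosted,DC=example,DC=com", "objectClass: user"])
```

`audit(SAMPLE_LDIF)` returns one state per distinguished name. The result reflects what is stored in the directory, so a recently changed value may not be enforced yet because of the MBICache and DSAccess TTLs noted above.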
Using ADModify to Disable MAPI Access
As shown above, there's no UI to manipulate the ProtocolSettings attribute, which means you need to use a tool such as ADSI Edit. Luckily, the latest version of ADModify.NET, which is version 2.1 (can be downloaded here), supports the new Exchange 2003 SP2 MAPI access feature.
In a nutshell, ADModify is a neat but powerful little tool with which you can (among other things) modify Exchange attributes on Active Directory (AD) users in bulk. If you have never used ADModify.NET, I suggest you read a previous article of mine that covers ADModify in detail (can be found here).
As can be seen in Figure 6 below, you can change MAPI access for users in bulk by clicking the Exchange Features tab, where you have the following options: Enable MAPI, Disable MAPI or Enable Cached Mode MAPI Clients Only. Selecting one of them and clicking Go! immediately inserts the respective string in the ProtocolSettings attribute value field for the selected users. That's pretty neat, eh?
Figure 6: Enable or Disable MAPI Access via ADModify.NET
Until now, Exchange shared hosting providers in particular have lacked a way to block MAPI (Outlook) access on a per-user basis. Prior to Exchange 2003 SP2 they needed to block MAPI access by blocking specific Outlook versions, but with the new ProtocolSettings attribute it's now possible to block MAPI access on a per-user basis. Since there's no UI for this new feature, it can quickly become cumbersome for Exchange hosting providers' admins to manipulate this setting. Luckily, the latest version of ADModify.NET supports the new ProtocolSettings feature, so this tool can be used to enable or disable MAPI access for users in bulk.
Enabling and disabling MAPI and/or non-Cached access per user in Exchange 2003 SP2:
Microsoft Exchange Server 2003 Service Pack 2 Release Notes:
How to disable MAPI client access to an Exchange Server 2003 computer or to an Exchange 2000 Server computer: