Server-Wide and Per-User Segmentation


Introduction


When accessing your mailbox, homed on a Microsoft Exchange 2007 Mailbox server, using Outlook Web Access 2007, you have a myriad of options to customize the functionalities of your mailbox. For one you can change the theme, or you can use Outlook Web Access to change your password, set your Out-of-Office, or change the pin code required to access your mailbox using the Unified Messaging server role. As an administrator you have the ability to configure segmentation, which will allow you to enable and disable certain features both server-wide as for one or more users. Client Access segmentation can be configured server-wide using the Exchange Management Console or using the Exchange Management Shell, and for specific mailboxes only by using the Exchange Management Shell cmdlet Set-CASMailbox. In this article I would like to introduce you to both forms of segmentation and what you should keep in mind when using them.


Server-Wide Segmentation: OWA


After installing the Client Access server role in your Exchange organization, you can use the Exchange Management Console to configure server-wide segmentation. To do so, you need to open the Exchange Management Console, go to Server configuration, Client Access server role, right-click OWA and go to the property page called segmentation, where you are able to enable/disable the following features server-wide, as can be seen in Figure 1:




  • Exchange ActiveSync Integration


  • All Address Lists


  • Calendar


  • Contacts


  • Journal


  • Junk E-Mail Filtering


  • Reminders and Notifications


  • Notes


  • Premium Client


  • Search Folders


  • E-mail Signature


  • Spelling Checker


  • Tasks


  • Theme Selection


  • Unified Messaging Integration


  • Change Password


  • Rules


  • Public Folders


  • S/MIME


  • Recover Deleted Items


Figure 1: Server Side Segmentation


Server-Wide Segmentation: IMAP4


Ever since SP1, you can configure next to Connection Settings, also Retrieval Settings in reference to the IMAP4 protocol using the Exchange Management Console, Server Configuration, Client Access, POP3 and IMAP4, and select the properties for IMAP4 as can be seen in Figure 2.



Figure 2: IMAP4 Retrieval Settings


Server-Wide Segmentation: POP3


As with IMAP4, ever since SP1, you can configure next to Connection Settings, also Retrieval Settings in reference to the POP3 protocol using the Exchange Management Console, Server Configuration, Client Access, POP3 and IMAP4, and select the properties for POP3 as can be seen in Figure 3.



Figure 3: POP3 Retrieval Settings


Per-User Segmentation = Set-CASMailbox


By using the Exchange Management Shell cmdlet Set-CASMailbox, you are able to enable and disable more than just Outlook Web Access related features for one or more mailboxes.


Set-CASMailbox allows you to change attributes for any of the following client access protocols offered by Exchange to clients to gain access to their mailboxes:




  • Microsoft Exchange ActiveSync (EAS)


  • Microsoft Office Outlook Web Access (OWA)


  • Post Office Protocol version 3 (POP3)


  • Internet Message Access Protocol  version 4rev1 (IMAP4)


  • Messaging Application Programming Interface (MAPI)

It is possible to disable a Client Access protocol for a mailbox-enabled user by using the Exchange Management Console,  Recipient Configuration, Mailbox, selecting the properties of the mailbox of choice, and move to the property page entitled Mailbox Features, as can be seen in Figure 4.



Figure 4: Mailbox Features


However, by using the Exchange Management Shell cmdlet you’re able to enable/disable more granularly a set of features as listed in Table 1.



















EAS




  • ActiveSyncAllowedDeviceIDs


  • ActiveSyncMailboxPolicy


  • ActiveSyncDebugLogging


  • ActiveSyncEnabled


  • HasActiveSyncDevicePartnership

OWA




  • OWAActiveSyncIntegratonEnabled


  • OWAAllAddressListsEnabled


  • OWACalendarEnabled


  • OWAChangePasswordEnabled


  • OWAContactsEnabled


  • OWAEnabled


  • OWAJournalEnabled


  • OWAJunkEmailEnabled


  • OWANotesEnabled


  • OWAPremiumClientEnabled


  • OWAPublicFoldersEnabled


  • OWARecoverDeletedItemsEnabled


  • OWARemindersAndNotificationsEnabled


  • OWARulesEnabled


  • OWASMimeEnabled


  • OWASearchFoldersEnabled


  • OWASignaturesEnabled


  • OWASpellCheckerEnabled


  • OWATasksEnabled


  • OWAThemeSelectionEnabled


  • OWAUMIntegrationEnabled


  • OWAUNCAccessOnPrivateComputersEnabled


  • OWAUNCAccessOnPublicComputersEnabled


  • OWAWSSAccessOnPrivateComputersEnabled


  • OWAWSSAccessOnPublicComputersEnabled

IMAP




  • ImapEnabled


  • ImapMessagesRetrievalMimeFormat


  • ImapUseProtocolDefaults

POP




  • PopEnabled


  • PopMessagesRetrievalMimeFormat


  • PopUseProtocolDefaults

MAPI




  • MAPIBlockOutlookNonCachedMode


  • MAPIBlockOutlookRpcHttp


  • MAPIBlockOutlookVersions


  • MAPIEnabled

Table 1: Set-CASMailbox Features


If you would like to prevent mailbox-enabled users from connecting to your Exchange environment without having their Microsoft Office Outlook configured to use Cached Mode, you can run the following single Exchange Management Shell line:


Get-CASMailbox | Set-CASMailbox -MAPIBlockOutlookNonCachedMode:$True


Figure 4 and 5 show you the lines to run, when you just want users that have a particular custom attribute set to the value of “HQ” not to be able to start Microsoft Office Outlook unless it’s configured in Cached Mode.



Figure 5: Get-Mailbox



Figure 6: Set-CASMailbox -MAPIBlockOutlookNonCachedMode:$True


Set-CASMailbox and its Funny Behavior


Imagine you would like to disable the ability for someone to change their password using OWA. You would run the following Exchange Mangement Shell line:


Get-CASMailbox <identity mailbox> | Set-CASMailbox -OWAChangePasswordEnabled:$False


After running the given line, it becomes clear that disabling that one OWA feature, also disabled all the other OWA features at the same time, as can be seen in Pictures 6 and 7.



Figure 7: Get-CASMailbox



Figure 8: Set-CASMailbox -OWAChangePasswordEnabled:$False


If you were to run the same cmdlet to enable on OWA feature, the other ones would be disabled as well. There are several ways to fix this, one way would be to change the value of the attribute msExchMailboxFolderSet, or create an Exchange Management Shell script to change the required settings.


Method 1. msExchMailboxFolderSet


To easiest way to enable all the OWA features again for your user(s) would be to use AdsiEdit. When you check the properties of the mailbox using AdsiEdit, you can see that by running the cmdlet specified above, Exchange has changed the value of the attribute msExchMailboxFolderSet. By default this value is not set for a user, when all features are disabled, the value gets the value of 0, as can be seen in Figure 8.



Figure 9: msExchMailboxFolderSet


By clearing the value of this attribute to <not set>, as shown in Figure 10,  all OWA features will be set to enabled again.



Figure 10: Clearing the value of msExchMailboxFolderSet


In order to disable one OWA feature, you need to create a test user, and set the attribute msExchMailboxFolderSet to 2147483647 using AdsiEdit, as can be seen in Figure 11 (or PowerShell, or AdModify), since this will enable all features for that mailbox-enabled user as can be seen in Figure 12.



Figure 11: msExchMailboxFolderSet



Figure 12: Set-CASMailbox


Then you can use the shell to disable the wanted feature(s), check the value again, as can be seen in Figures 13 and 14, and hand it to any user of choice.



Figure 13: Set-CASMailbox -OWARecoverDeletedItemsEnabled:$False



Figure 14: msExchMailboxFolderSet


Method 2. Exchange Management Shell


The following script, shown in Figure 15, will prompt you for the name of the mailbox-enabled user for which you want to enable all OWA features, except the ability to change the password.



Figure 15: DisableChangePasswordOWA.ps1


When launching the script, you will need to enter the name of the user, and then the changes will be done, as can be seen in Figure 16, and 17.



Figure 16: DisableChangePasswordOWA.ps1



Figure 17: Set-CASMailbox


Summary


In this article I have shown you how Client Access segmentation can be configured server-wide using the Exchange Management Console, and for specific mailboxes alone by using the Exchange Management Shell cmdlet Set-CASMailbox,  and what you should keep in mind when using the cmdlet Set-CASMailbox.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top