Server-Wide and Per-User Segmentation
When you access a mailbox homed on a Microsoft Exchange 2007 Mailbox server using Outlook Web Access 2007, you have a myriad of options to customize its functionality. For one, you can change the theme, or you can use Outlook Web Access to change your password, set your Out-of-Office message, or change the PIN code required to access your mailbox through the Unified Messaging server role. As an administrator you can configure segmentation, which lets you enable and disable certain features either server-wide or for one or more users. Client Access segmentation can be configured server-wide using the Exchange Management Console or the Exchange Management Shell, and for specific mailboxes only by using the Exchange Management Shell cmdlet Set-CASMailbox. In this article I would like to introduce you to both forms of segmentation and what you should keep in mind when using them.
Server-Wide Segmentation: OWA
After installing the Client Access server role in your Exchange organization, you can use the Exchange Management Console to configure server-wide segmentation. To do so, open the Exchange Management Console, go to Server Configuration, Client Access server role, right-click OWA and open the property page called Segmentation, where you can enable or disable the following features server-wide, as can be seen in Figure 1:
Exchange ActiveSync Integration
All Address Lists
Junk E-Mail Filtering
Reminders and Notifications
Unified Messaging Integration
Recover Deleted Items
Figure 1: Server Side Segmentation
Server-Wide Segmentation: IMAP4
Since SP1, you can configure Retrieval Settings for the IMAP4 protocol in addition to Connection Settings. In the Exchange Management Console, go to Server Configuration, Client Access, POP3 and IMAP4, and open the properties for IMAP4, as can be seen in Figure 2.
Figure 2: IMAP4 Retrieval Settings
Server-Wide Segmentation: POP3
As with IMAP4, since SP1 you can configure Retrieval Settings for the POP3 protocol in addition to Connection Settings. In the Exchange Management Console, go to Server Configuration, Client Access, POP3 and IMAP4, and open the properties for POP3, as can be seen in Figure 3.
Figure 3: POP3 Retrieval Settings
Per-User Segmentation = Set-CASMailbox
By using the Exchange Management Shell cmdlet Set-CASMailbox, you are able to enable and disable more than just Outlook Web Access related features for one or more mailboxes.
Set-CASMailbox allows you to change attributes for any of the following client access protocols offered by Exchange to clients to gain access to their mailboxes:
Microsoft Exchange ActiveSync (EAS)
Microsoft Office Outlook Web Access (OWA)
Post Office Protocol version 3 (POP3)
Internet Message Access Protocol version 4rev1 (IMAP4)
Messaging Application Programming Interface (MAPI)
It is possible to disable a Client Access protocol for a mailbox-enabled user by using the Exchange Management Console: go to Recipient Configuration, Mailbox, select the properties of the mailbox of choice, and open the property page entitled Mailbox Features, as can be seen in Figure 4.
Figure 4: Mailbox Features
However, the Exchange Management Shell cmdlet lets you enable and disable features at a finer granularity, as listed in Table 1.
Table 1: Set-CASMailbox Features
If you would like to prevent mailbox-enabled users from connecting to your Exchange environment without having their Microsoft Office Outlook configured to use Cached Mode, you can run the following single Exchange Management Shell line:
Get-CASMailbox | Set-CASMailbox -MAPIBlockOutlookNonCachedMode:$True
Figures 4 and 5 show the lines to run when you want only those users that have a particular custom attribute set to the value "HQ" to be unable to start Microsoft Office Outlook unless it is configured in Cached Mode.
Figure 5: Get-Mailbox
Figure 6: Set-CASMailbox -MAPIBlockOutlookNonCachedMode:$True
Set-CASMailbox and its Funny Behavior
Imagine you would like to disable the ability for someone to change their password using OWA. You would run the following Exchange Management Shell line:
Get-CASMailbox <identity mailbox> | Set-CASMailbox -OWAChangePasswordEnabled:$False
After running the given line, it becomes clear that disabling that one OWA feature also disabled all the other OWA features at the same time, as can be seen in Pictures 6 and 7.
Figure 7: Get-CASMailbox
Figure 8: Set-CASMailbox -OWAChangePasswordEnabled:$False
If you were to run the same cmdlet to enable one OWA feature, the other ones would be disabled as well. There are several ways to fix this: one is to change the value of the attribute msExchMailboxFolderSet, another is to create an Exchange Management Shell script that changes the required settings.
Method 1. msExchMailboxFolderSet
The easiest way to enable all the OWA features again for your user(s) is to use AdsiEdit. When you check the properties of the mailbox using AdsiEdit, you can see that by running the cmdlet specified above, Exchange has changed the value of the attribute msExchMailboxFolderSet. By default this value is not set for a user; when all features are disabled, the attribute gets the value 0, as can be seen in Figure 8.
Figure 9: msExchMailboxFolderSet
By clearing the value of this attribute to <not set>, as shown in Figure 10, all OWA features will be set to enabled again.
Figure 10: Clearing the value of msExchMailboxFolderSet
In order to disable one OWA feature, you need to create a test user and set the attribute msExchMailboxFolderSet to 2147483647 using AdsiEdit (or PowerShell, or AdModify), as can be seen in Figure 11, since this will enable all features for that mailbox-enabled user, as can be seen in Figure 12.
Figure 11: msExchMailboxFolderSet
Figure 12: Set-CASMailbox
Then you can use the shell to disable the wanted feature(s), check the value of the attribute again, as can be seen in Figures 13 and 14, and apply that value to any user of choice.
Figure 13: Set-CASMailbox -OWARecoverDeletedItemsEnabled:$False
Figure 14: msExchMailboxFolderSet
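To find out which users already carry a value in msExchMailboxFolderSet, and in particular who ended up at 0 after a single Set-CASMailbox change, the attribute can be read straight from Active Directory. The following is an added example, not code from the original article; the function names and sample users are hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the article). Assumes PowerShell 2.0 or later.
# Maps msExchMailboxFolderSet to the states the article describes.
function Get-OwaFolderSetState {
    param($Value)                      # $null means the attribute is <not set>
    if ($null -eq $Value) { return 'NotSet: all OWA features enabled (default)' }
    switch ([long]$Value) {
        0          { 'AllDisabled: every OWA feature is off' }
        2147483647 { 'AllEnabled: explicitly set' }
        default    { 'Custom: value produced by per-feature changes' }
    }
}

# Live query against the current domain (hypothetical helper name).
# Only returns users on which the attribute has a value.
function Find-OwaFolderSetUsers {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(msExchMailboxFolderSet=*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('msexchmailboxfolderset')
    foreach ($result in $searcher.FindAll()) {
        $value = $result.Properties['msexchmailboxfolderset'][0]
        New-Object PSObject -Property @{
            User  = $result.Properties['samaccountname'][0]
            Value = $value
            State = Get-OwaFolderSetState $value
        }
    }
}

# Constructed sample values so the classifier can be tried without a domain.
# 2147483391 is an arbitrary illustration, not a documented feature mapping.
$sample = @(
    @{ User = 'test.user1'; Value = $null },
    @{ User = 'test.user2'; Value = 0 },
    @{ User = 'test.user3'; Value = 2147483647 },
    @{ User = 'test.user4'; Value = 2147483391 }
)
$sample | ForEach-Object {
    New-Object PSObject -Property @{
        User  = $_.User
        Value = $_.Value
        State = Get-OwaFolderSetState $_.Value
    }
} | Format-Table User, Value, State -AutoSize
```

On a domain-joined machine, piping Find-OwaFolderSetUsers to Where-Object { $_.Value -eq 0 } lists the users for whom every OWA feature is currently switched off.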
Method 2. Exchange Management Shell
The following script, shown in Figure 15, will prompt you for the name of the mailbox-enabled user for which you want to enable all OWA features, except the ability to change the password.
Figure 15: DisableChangePasswordOWA.ps1
When launching the script, you will need to enter the name of the user, and then the changes will be made, as can be seen in Figures 16 and 17.
Figure 16: DisableChangePasswordOWA.ps1
Figure 17: Set-CASMailbox
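The script in Figure 15 is not reproduced here. The following added example, which is not the article's own DisableChangePasswordOWA.ps1, shows one way to get the same result: it sets every OWA feature switch explicitly in a single Set-CASMailbox call, so no feature is left to be cleared as a side effect. It assumes the Exchange Management Shell on PowerShell 2.0 or later (for splatting) and that the OWA feature parameters follow the OWA...Enabled naming seen in this article.

```powershell
# Added example, not the script from Figure 15.
# Run in the Exchange Management Shell (PowerShell 2.0+ for splatting).

$identity = Read-Host 'Name of the mailbox-enabled user'

# Fail early if the mailbox cannot be found, before changing anything.
Get-CASMailbox -Identity $identity -ErrorAction Stop | Out-Null

# Discover the OWA feature switches that this server's Set-CASMailbox exposes,
# instead of hard-coding a list that may differ between service packs.
# Assumption: all of them match the pattern OWA*Enabled.
$owaSwitches = (Get-Command Set-CASMailbox).Parameters.Keys |
    Where-Object { $_ -like 'OWA*Enabled' }

# Enable everything explicitly, then turn off only the password change feature.
$settings = @{}
foreach ($name in $owaSwitches) {
    $settings[$name] = $true
}
$settings['OWAChangePasswordEnabled'] = $false

# One call with every switch stated, so nothing is left at an implicit value.
Set-CASMailbox -Identity $identity @settings

# Show the result for verification.
Get-CASMailbox -Identity $identity | Format-List Name, OWA*Enabled
```

After the run, only OWAChangePasswordEnabled should read False in the output, and the value of msExchMailboxFolderSet on the user can be checked with AdsiEdit as in Method 1.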
In this article I have shown you how Client Access segmentation can be configured server-wide using the Exchange Management Console, and for specific mailboxes alone by using the Exchange Management Shell cmdlet Set-CASMailbox, and what you should keep in mind when using the cmdlet Set-CASMailbox.