How to Control Exchange ActiveSync function via AD Groups

In many companies, connecting mobile devices to an Exchange mailbox via the ActiveSync function is already part of everyday life.

But what if I don't want to allow ActiveSync access for every Exchange user, only for a certain group or department?

There is no direct control of ActiveSync via Active Directory. ActiveSync is enabled by default for all newly created users and must be deactivated separately.

However, on Exchange Server 2010 and higher, the whole process can be controlled via AD groups.

PowerShell is the key

The remedy here is a PowerShell script, which runs daily as a scheduled task on the Exchange server at a certain time of day.

If possible, the script should run at night, because it first deactivates the ActiveSync function for all users in Active Directory and then reactivates it only for the members of the respective group. During this time, synchronization to the mobile devices cannot take place.

The script has the following structure.

#disable ActiveSync for all users
 Get-User -ResultSize Unlimited | Set-CASMailbox -ActiveSyncEnabled $false

#get all members of a defined AD security group
 $allMembers = Get-DistributionGroupMember -Identity "AD-Group_ActiveSync_Aktiv"

#re-enable ActiveSync for the group members only
 foreach ($member in $allMembers) {
      #enable ActiveSync for each user in the array
      $member | Set-CASMailbox -ActiveSyncEnabled $true
 }

The whole file is saved as a *.ps1 file. The scheduled task must be set up on the Exchange server, because it requires the Exchange PowerShell extension.

First we need the path of the PowerShell executable.
The default path is "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".

As the parameter (argument) we have to pass the command that loads the Exchange remote shell and then runs our script:
-command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\scripts\Enable_ActiveSync.ps1"

The PowerShell script should now run on schedule and activate or deactivate the ActiveSync function daily, depending on group membership.
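
The script above disables ActiveSync for everyone before re-enabling the group members, which is why synchronization stops during the run. As an added example (not part of the original script), the following variant changes only mailboxes whose state differs from group membership and aborts if the group lookup fails or returns no members; the parameter names and the log path are assumptions.

```powershell
# Added example: delta-based variant of the nightly job (not the original script).
# Assumes the Exchange Management Shell is already loaded, as in the scheduled task.
param(
    [string]$GroupName = "AD-Group_ActiveSync_Aktiv",        # group name from the article
    [string]$LogFile   = "C:\scripts\Enable_ActiveSync.log", # hypothetical log path
    [switch]$WhatIf                                          # preview changes only
)

# Stop on the first error so a failed lookup never leads to mass changes.
$ErrorActionPreference = "Stop"

# Collect the distinguished names of everyone allowed to use ActiveSync.
# Keys of a PowerShell hashtable literal are compared case-insensitively.
$allowed = @{}
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited -ErrorAction Stop |
    ForEach-Object { $allowed[$_.DistinguishedName] = $true }

# An empty result is treated as a fault, not as "nobody is allowed".
if ($allowed.Count -eq 0) {
    throw "Group '$GroupName' returned no members; no mailbox was changed."
}

foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
    $shouldBeEnabled = $allowed.ContainsKey($mbx.DistinguishedName)

    # Skip mailboxes that already match, so their devices keep syncing.
    if ($mbx.ActiveSyncEnabled -eq $shouldBeEnabled) { continue }

    Set-CASMailbox -Identity $mbx.DistinguishedName `
        -ActiveSyncEnabled $shouldBeEnabled -WhatIf:$WhatIf

    # Record every intended or applied change for later review.
    $mode = if ($WhatIf) { "WHATIF" } else { "APPLIED" }
    "{0:s} {1} {2} ActiveSyncEnabled {3} -> {4}" -f (Get-Date), $mode,
        $mbx.DistinguishedName, $mbx.ActiveSyncEnabled, $shouldBeEnabled |
        Add-Content -Path $LogFile
}
```

Running it once with -WhatIf shows which mailboxes would change before the task is scheduled.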
