Archive

Archive for the ‘ActiveSync’ Category

Adding ActiveSync Management Rights to the Recipient Administrators Group

December 9, 2013 Leave a comment

If you are using my ActiveSync Power Administrator, or just using the ECP to manage ActiveSync devices, you may have found it difficult to assign your helpdesk staff the appropriate rights to use these tools. Logically, you would think that the Recipient Management role group should have the correct rights to perform these tasks. The reality is that Organization Management is the only default role group that holds the two management roles needed: Organization Client Access and Mail Recipients. You certainly don’t want to assign your helpdesk staff to the Organization Management group. You could create a custom role group, but even assigning just the Organization Client Access and Mail Recipients management roles would grant far more permissions than the task needs.

The solution to this problem is to not only create a custom role group, but also to create custom management roles that contain only the required PowerShell cmdlets. To allow someone who is already in the Recipient Administrators group to use the ActiveSync Power Administrator, they need permission to run the following cmdlets:

Get-CASMailbox

Set-CASMailbox

Clear-ActiveSyncDevice

Get-ActiveSyncDeviceStatistics

Remove-ActiveSyncDevice

The first thing we need to do is create our custom management roles, which are based on the two default roles that have the required commands. To do that, run the following commands:

New-ManagementRole "ActiveSync Admin 1" -Parent "Mail Recipients"

New-ManagementRole "ActiveSync Admin 2" -Parent "Organization Client Access"

The next step is to remove all the cmdlets we don’t need from each new role. To do that, run the following commands:

Get-ManagementRole "ActiveSync Admin 1" | Get-ManagementRoleEntry | where { $_.name -ne "Clear-ActiveSyncDevice" -and $_.name -ne "Get-ActiveSyncDeviceStatistics" -and $_.name -ne "Remove-ActiveSyncDevice" } | Remove-ManagementRoleEntry

Get-ManagementRole "ActiveSync Admin 2" | Get-ManagementRoleEntry | where { $_.name -ne "Get-CASMailbox" -and $_.name -ne "Set-CASMailbox" } | Remove-ManagementRoleEntry

Now we need to create the new role group:

New-RoleGroup -Name "ActiveSync Management" -Roles "ActiveSync Admin 1","ActiveSync Admin 2"

Finally, we add the Exchange Recipient Administrators group to the new role group:

Add-RoleGroupMember -Identity "ActiveSync Management" -Member "Exchange Recipient Administrators"

Your recipient administrators should now be able to manage ActiveSync devices with the least permissions necessary.
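The whole procedure as one script, added here as an example rather than taken from the post, with a check that each trimmed role holds exactly the cmdlets listed above before anything is granted. It assumes an Exchange Management Shell session and keeps the post's role, group and member names; the helper function names are my own.

```powershell
function New-TrimmedRole {
    param([string]$Name, [string]$Parent, [string[]]$KeepCmdlets)
    # Copy the parent role, then drop every entry that is not on the allow-list.
    New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    Get-ManagementRoleEntry "$Name\*" |
        Where-Object { $KeepCmdlets -notcontains $_.Name } |   # -notcontains works on PS 2.0
        Remove-ManagementRoleEntry -Confirm:$false
}

function Test-TrimmedRole {
    param([string]$Name, [string[]]$KeepCmdlets)
    # $true only if the role's remaining entries match the allow-list exactly.
    $actual   = @(Get-ManagementRoleEntry "$Name\*" | ForEach-Object { $_.Name } | Sort-Object)
    $expected = @($KeepCmdlets | Sort-Object)
    return (($actual -join ',') -eq ($expected -join ','))   # -eq on strings ignores case
}

$role1 = @{ Name = "ActiveSync Admin 1"; Parent = "Mail Recipients"
            KeepCmdlets = "Clear-ActiveSyncDevice", "Get-ActiveSyncDeviceStatistics", "Remove-ActiveSyncDevice" }
$role2 = @{ Name = "ActiveSync Admin 2"; Parent = "Organization Client Access"
            KeepCmdlets = "Get-CASMailbox", "Set-CASMailbox" }

New-TrimmedRole @role1
New-TrimmedRole @role2

# Refuse to grant anything if pruning left more (or fewer) cmdlets than intended;
# a missing cmdlet here means the parent role never contained it in this Exchange version.
foreach ($r in $role1, $role2) {
    if (-not (Test-TrimmedRole -Name $r.Name -KeepCmdlets $r.KeepCmdlets)) {
        throw "Role '$($r.Name)' does not contain exactly the expected cmdlets."
    }
}

New-RoleGroup -Name "ActiveSync Management" -Roles $role1.Name, $role2.Name | Out-Null
Add-RoleGroupMember -Identity "ActiveSync Management" -Member "Exchange Recipient Administrators"

# Audit trail: what the new group can now do, and over which scope.
Get-ManagementRoleAssignment -RoleAssignee "ActiveSync Management" |
    Format-Table Role, RoleAssigneeType, RecipientWriteScope -AutoSize
```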


ActiveSync Power Administrator 2.0 (Exchange 2010 Support)

May 30, 2013 3 comments

Version 2.0 of the ActiveSync Power Administrator is now available.

Bug Fixes:

  • No bug fixes in this release

New Functionality:

  • Now works with both Exchange 2007 and 2010

Please see this post for details on the ActiveSync Power Administrator.

You can download the latest version here (change extension to .ps1).

Properly Terminating User Access

October 6, 2012 8 comments

Security is a big part of any IT professional’s job. Employee turnover is inevitable in any organization, and when employee and organization part ways, it is not always amicable. For this reason, it is important that when an employee is terminated, they immediately lose access to all company systems. If you ask most IT professionals what they do when HR notifies them that an employee has been terminated, you will get answers like:

  • Change user’s passwords
  • Disable user’s accounts
  • Issue wipe command to mobile devices

Those are certainly good security practices but imagine performing those steps then getting an angry call from the VP of Sales that the Account Manager who just left the company for a position with the competition is sending emails to clients, from their company email account, informing the clients that he now works for company X, which has a superior product.

Your immediate reaction is that this isn’t possible, as you have disabled the accounts and changed the passwords. You check Exchange message tracking and verify the emails are indeed coming from the terminated account. What you don’t realize is that disabling an account or changing the password prevents a new authentication session but does not affect a current session. In this case, the terminated employee could be logged in to the mailbox from a mobile device that hasn’t been wiped, an OWA session, or an Outlook Anywhere session on a personal computer. Those sessions remain active until they time out, which could be hours or days.

You could perform an IIS reset on your Exchange CAS server, which will reset the connections, but that is disruptive to other users because their sessions are reset as well. A better way to ensure the terminated employee’s sessions are disconnected is to set the logon hours on the AD account to never. As soon as the current time falls outside the allowed logon hours on an AD account, any active sessions are immediately terminated.

To set the logon hours to never, open the user account in ADUC and go to the Account tab, then click the Logon Hours button.


In the Logon Hours window, click the Logon Denied button.


Ensure the whole grid is white, then click OK. Once this change replicates throughout your directory, any active sessions this user has will be terminated.

If you would prefer to set the logon hours to never with PowerShell, you can run the following command, which requires the Quest AD cmdlets:

Get-QADUser user | Set-QADUser -ObjectAttributes @{logonhours=[byte[]](,0*21)}

The credit for this command goes to this discussion on the PowerGUI forum.

If you set the logon hours to never as part of your termination process, you will ensure you never get into a situation where a terminated employee continues to have access to resources.
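An added example (not the post's command) that makes the same change with the RSAT ActiveDirectory module instead of the Quest cmdlets, then reads the attribute back and decodes it so you can confirm the grid is fully denied. The function names and the 'terminated.user' account are placeholders of mine.

```powershell
Import-Module ActiveDirectory

function Get-DenyAllLogonHours {
    # logonHours is 168 bits (7 days x 24 hours), one bit per hour, packed into 21 bytes.
    # A cleared bit denies logon in that hour, so 21 zero bytes mean "Logon Denied" all week.
    return [byte[]](,0 * 21)
}

function ConvertFrom-LogonHours {
    param([byte[]]$Hours)
    # Renders the 21 bytes as one line per day of 24 hour flags ('1' = allowed).
    # Bits are shown in raw attribute order; AD stores logonHours relative to UTC.
    $days = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
    for ($d = 0; $d -lt 7; $d++) {
        $flags = for ($h = 0; $h -lt 24; $h++) {
            $byte = $Hours[$d * 3 + [int][math]::Floor($h / 8)]
            $mask = [int][math]::Pow(2, $h % 8)    # no -shl operator on PS 2.0
            if (($byte -band $mask) -ne 0) { '1' } else { '0' }
        }
        '{0} {1}' -f $days[$d], (-join $flags)
    }
}

function Set-DenyAllLogonHours {
    param([string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -Replace @{ logonHours = (Get-DenyAllLogonHours) }
    # Read the value back rather than trusting the write; other DCs only enforce it
    # once this change has replicated to them.
    $user = Get-ADUser -Identity $SamAccountName -Properties logonHours
    ConvertFrom-LogonHours -Hours ([byte[]]$user.logonHours)
}

# Usage (placeholder account): every line printed should be 24 zeros.
Set-DenyAllLogonHours -SamAccountName 'terminated.user'
```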

ActiveSync Power Administrator

September 19, 2012 25 comments

The latest trend in IT is bring your own device (BYOD), where employees are allowed either to choose which device(s) the company provides, or to connect their personal devices to the corporate network and work from them. The company I work for is anti-BYOD. We standardized on iPhones, which are purchased by the company and assigned to employees. I was tasked with ensuring only those company-assigned iPhones could sync with Exchange. This is fairly easy to do in Exchange 2007/2010, as there is a CASMailbox property called “ActiveSyncAllowedDeviceIDs”. This property has a null value by default, and when the value is null any device can form a partnership with that account. All the user needs to do is run the setup wizard on the phone and enter their credentials, and the phone starts syncing with Exchange. You can limit which devices are allowed to sync with a mailbox by setting a list of device serial numbers in the ActiveSyncAllowedDeviceIDs property. When the property is not null, only the devices listed can form a partnership with that mailbox.

Microsoft has assumed that setting the value of ActiveSyncAllowedDeviceIDs isn’t something the majority of organizations would want to do, so they have left it out of the EMC. If you want to set this value, you need to do it through PowerShell. I wanted my help desk staff to be able to modify this property, but I didn’t want them to have to use PowerShell, so I decided to create a Windows Forms GUI for this function. I decided that if I was going to create a GUI for this function, I might as well create a full-blown ActiveSync administrator to take care of all admin tasks in one GUI. I also decided to add some reporting functionality to the GUI.

Overview

The script uses a Windows form to look up and set ActiveSync properties on an Exchange 2007/2010 mailbox. The first tab of the form is the user administrator. After an email address is entered, the form retrieves the current ActiveSync settings on the mailbox. The administrator can then modify those settings. The second tab is a reporting function. There are four reports defined; I can add more on request if you have a specific report in mind. The results of the report are displayed on the form and can also be exported to a CSV file.

Prerequisites

To run this script, you need to have the Exchange 2007 or Exchange 2010 management tools installed. You also need the free Quest cmdlets for Active Directory, which can be found here.

User Admin Tab

Email Address

Enter the primary email address of the mailbox you want to manage. As you type, the script does a lookup in AD and presents suggestions. Once you have entered the email address, click the Lookup button.

ActiveSync Status

This shows whether ActiveSync is enabled for this mailbox. You can enable or disable ActiveSync with the corresponding buttons.

ActiveSync Policy

This shows which ActiveSync policy is currently assigned to the mailbox. If you have defined ActiveSync policies, you can select which policy to apply from the drop-down. If you have not defined any policies, the “Default” policy will be assigned.

Allowed Devices

The Allowed Devices list shows any device serial numbers that have been allowed for this mailbox. If the list is empty, all devices are allowed to connect. You can remove devices by clicking the checkbox next to the device serial number and clicking the “Remove Selected” button.

Serial Number

You can add serial numbers to the Allowed Devices list by entering the serial number and clicking “Add”.

Sync History

This shows the device partnerships for devices that have synced with this mailbox, as well as the last time each device synced.

Identity

You can issue a wipe command to a device, cancel a pending wipe, or remove the device partnership by selecting the device identity and clicking the corresponding button.

Reporting Tab

From the Reporting tab, you can run various predefined reports on your ActiveSync users. There are currently four reports defined, but I can add additional reports on request. The current reports are:

  • Users with ActiveSync enabled
  • Users with ActiveSync enabled and a null list of allowed devices
  • Users with ActiveSync disabled
  • Devices that haven’t synced in 30 days

Once the report has finished running, it is displayed on the Reporting tab. You are then presented with a button that allows you to take action on all the users returned in the report. For example, after you run the “Users with ActiveSync disabled” report, you can enable ActiveSync on all the users it returned. You can also export the report to a CSV file by clicking the “Export to File” button.
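The Allowed Devices and Reporting functions as plain cmdlets, added here as an example rather than taken from the script: appending a device ID without overwriting the existing list (Set-CASMailbox replaces the whole value), the "enabled with a null allowed-device list" report, and the 30-day stale-device report. The function names are mine, and it assumes an Exchange Management Shell session.

```powershell
function Add-AllowedDeviceID {
    param([string]$Mailbox, [string]$DeviceID)
    # The property is replaced wholesale on Set, so merge the new ID with the
    # existing list (dropping a null placeholder when the list is currently empty).
    $cas = Get-CASMailbox -Identity $Mailbox
    $ids = @($cas.ActiveSyncAllowedDeviceIDs) + $DeviceID |
        Where-Object { $_ } | Select-Object -Unique
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $ids
    # Return what the directory now holds, not what we intended to write.
    return (Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs
}

function Get-UnrestrictedActiveSyncMailbox {
    # Mailboxes with ActiveSync on and no allow-list: any device can form a partnership.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object {
            $_.ActiveSyncEnabled -and
            @($_.ActiveSyncAllowedDeviceIDs | Where-Object { $_ }).Count -eq 0
        } |
        Select-Object Name, PrimarySmtpAddress
}

function Get-StaleActiveSyncDevice {
    param([string]$Mailbox, [int]$Days = 30)
    # Partnerships with no successful sync within $Days: candidates for removal.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.LastSuccessSync -lt $cutoff } |
        Select-Object DeviceID, DeviceType, LastSuccessSync
}

# Example run (mailbox and device ID are placeholders):
# Add-AllowedDeviceID -Mailbox 'user@example.com' -DeviceID 'ApplPLACEHOLDER0001'
# Get-UnrestrictedActiveSyncMailbox | Export-Csv unrestricted.csv -NoTypeInformation
# Get-StaleActiveSyncDevice -Mailbox 'user@example.com'
```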

To run this script, download it from the link below and save it to your hard drive. Change the extension from txt to ps1. Open a PowerShell window and navigate to the directory where you saved the script. Type .\ActiveSyncAdmin.ps1 and hit Enter.

DOWNLOAD SCRIPT (Change extension from doc to ps1)