Automating OWA and ActiveSync Access

When I began writing this blog article I was focused on automating just ActiveSync and OWA access for end users. It dawned on me that there are quite a few settings that need to be automated since the removal of previous management features like System Policies. I have also addressed this in some previous blog articles like Exchange 2013 and Quotas. What else should be automated?

Let’s start with mobile access.

ActiveSync and OWA Access
Few clients need this level of control but banks and other financial institutions like to keep a lid on mobile access to internal resources. To keep a lid on who has access to ActiveSync and Outlook Web Access, we need to automate the process with a scheduled task and PowerShell. I recommend that this process is completed once or twice per day to reset any changes that were made either on purpose or by accident.

The Code

# Remove all OWA and ActiveSync Access
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncEnabled:$false -OWAEnabled:$false -OWAforDevicesEnabled:$false

# Enable ActiveSync access for users in the ActiveSync Users group
$users = Get-ADGroupMember "ActiveSync Users"
foreach ($line in $users) {
	$user = $line.samaccountname
	Set-CASMailbox $user -ActiveSyncEnabled:$true
}

# Enable OWA access for users in the Owa Users group
$users = Get-ADGroupMember "OWA Users"
foreach ($line in $users) {
	$user = $line.samaccountname
	Set-CASMailbox $user -owaEnabled:$true -owafordevicesenabled:$true
}

Quick Code Dissection

Line 2 resets all OWA and EAS settings for all users in the environment.
Lines 5 through 8 first find all the users in the security group called “ActiveSync Users”, then enable ActiveSync just for those users.
Lines 12 through 15 query for all users in the “OWA Users” group. The script then enables OWA access for these users.
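
The script above disables access on every mailbox and then re-enables it, so each run briefly removes access from permitted users and leaves no record of which mailboxes had been changed out of band. The following is an added example, not part of the original article, that computes only the mailboxes whose settings differ from group membership so that just those are changed and logged; the function name Get-CasAccessDrift and the sample users are hypothetical.

```powershell
# Added example: compare current CAS settings with group membership.
function Get-CasAccessDrift {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Mailboxes,  # shaped like Get-CASMailbox output
        [string[]] $EasAllowed = @(),   # sAMAccountNames allowed to use ActiveSync
        [string[]] $OwaAllowed = @()    # sAMAccountNames allowed to use OWA
    )
    foreach ($mbx in $Mailboxes) {
        # -contains compares strings case-insensitively by default
        $wantEas = $EasAllowed -contains $mbx.SamAccountName
        $wantOwa = $OwaAllowed -contains $mbx.SamAccountName
        $easDrift = ([bool]$mbx.ActiveSyncEnabled) -ne $wantEas
        $owaDrift = (([bool]$mbx.OWAEnabled) -ne $wantOwa) -or
                    (([bool]$mbx.OWAforDevicesEnabled) -ne $wantOwa)
        if ($easDrift -or $owaDrift) {
            # Emit one record per mailbox that no longer matches the groups
            [pscustomobject]@{
                User     = $mbx.SamAccountName
                WantEas  = $wantEas
                WantOwa  = $wantOwa
                EasDrift = $easDrift
                OwaDrift = $owaDrift
            }
        }
    }
}

# Constructed sample data standing in for Get-CASMailbox output
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; ActiveSyncEnabled = $true;  OWAEnabled = $true;  OWAforDevicesEnabled = $true }
    [pscustomobject]@{ SamAccountName = 'bob';   ActiveSyncEnabled = $true;  OWAEnabled = $false; OWAforDevicesEnabled = $false }
    [pscustomobject]@{ SamAccountName = 'carol'; ActiveSyncEnabled = $false; OWAEnabled = $false; OWAforDevicesEnabled = $false }
)
# Constructed membership: alice and carol in "ActiveSync Users", alice in "OWA Users"
$drift = Get-CasAccessDrift -Mailboxes $sample -EasAllowed 'alice', 'carol' -OwaAllowed 'alice'
$drift | Format-Table User, WantEas, WantOwa, EasDrift, OwaDrift -AutoSize

# Live use (assumes the Exchange Management Shell and ActiveDirectory module are loaded;
# -Recursive also resolves members of nested groups):
#   $eas = Get-ADGroupMember "ActiveSync Users" -Recursive | ForEach-Object { $_.SamAccountName }
#   $owa = Get-ADGroupMember "OWA Users" -Recursive | ForEach-Object { $_.SamAccountName }
#   Get-CasAccessDrift -Mailboxes (Get-CASMailbox -ResultSize Unlimited) -EasAllowed $eas -OwaAllowed $owa |
#     ForEach-Object { Set-CASMailbox $_.User -ActiveSyncEnabled $_.WantEas -OWAEnabled $_.WantOwa -OWAforDevicesEnabled $_.WantOwa }
```

Writing the drift records to a log before applying them gives the scheduled task an audit trail of settings that were changed between runs.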

Another Automation – Common Server Settings
When it comes to your Exchange Server environment, consistency helps with management and troubleshooting issues in a messaging environment. Some of the settings that could be configured in common would be Event Log sizes, Message Tracking Log Settings, Outlook Anywhere, etc. Constructing a simple PowerShell script to handle this helps if a new server is added to the environment or if changes to the currently configured server are needed in order to conform to a new standard. Here are a few sample lines to cover these settings:

  • Event Log sizes
  • Message Tracking Log Settings
  • Outlook Anywhere
$ExchangeServers = Get-ExchangeServer

# Loop through each server to set standard configuration
foreach ($line in $ExchangeServers) {
      Limit-EventLog -ComputerName $line.Name -LogName "Application" -MaximumSize 100MB
      Limit-EventLog -ComputerName $line.Name -LogName "System" -MaximumSize 150MB
      # Target this server's transport service and Outlook Anywhere virtual directory
      Set-TransportService $line.Name -MessageTrackingLogMaxAge 90.00:00:00 -MessageTrackingLogMaxDirectorySize 10000MB -MessageTrackingLogMaxFileSize 50MB
      Get-OutlookAnywhere -Server $line.Name | Set-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName legacy.domain.com -IISAuthenticationMethods NTLM,Basic
}

Once a set of PowerShell commands is ready, it should be saved somewhere meaningful so it can be run with the next installation of Exchange or modified with the next changes for Exchange.

Other Possible Automations
There are quite a few settings that could be standardized when the environment has multiple servers. This article mentions a few examples; however, you can get quite creative on what needs to be automated and standardized. Here is a quick list of my thoughts:

  • OWA Virtual Directory options – can be set per server – Web Documents, UM Integration, themes, etc.
  • ECP Virtual Directory option – Setting authentication, URLs, etc.
  • ActiveSync Virtual Directory option – Remote doc settings, Authentication, URLs, etc.

Those are just a few sample settings that can be configured in a standardized fashion across all Exchange servers in an environment.

Duplicating Another Server
The reverse or companion to setting all the servers to the same standard is to take an existing set of server settings and apply them to a new server.

$SourceServer = "Exchange01"
$NewServers = "Exchange02"

# Get Event Log Sizes from source server
$eventlog = Get-WmiObject -Class "Win32_NTEventlogFile" -Namespace "root\CIMV2" -ComputerName $SourceServer
foreach ($Log in $eventlog) {
  $Log.LogFileName   # echo each log name as it is processed
  if ($Log.LogFileName -eq "Security") {
    $secSize = $Log.MaxFileSize / (1024 * 1024)
  }
  if ($Log.LogFileName -eq "Application") {
    $appSize = $Log.MaxFileSize / (1024 * 1024)
  }
  if ($Log.LogFileName -eq "System") {
    $sysSize = $Log.MaxFileSize / (1024 * 1024)
  }
}
[string]$secsize = [string]$secsize + "MB"
[string]$appsize = [string]$appsize + "MB"
[string]$syssize = [string]$syssize + "MB"
$oaconfig = Get-OutlookAnywhere -Server $SourceServer
$transportconfig = Get-TransportService $SourceServer
$age = $transportconfig.MessageTrackingLogMaxAge
[string]$maxage = "{0}.{1}:{2}:{3}" -f $age.Days, $age.Hours, $age.Minutes, $age.Seconds
$maxdirsize = ($transportconfig.MessageTrackingLogMaxDirectorySize).Value

foreach ($line in $NewServers) {
      Limit-EventLog -ComputerName $line -LogName "Application" -MaximumSize $appsize
      Limit-EventLog -ComputerName $line -LogName "System" -MaximumSize $syssize
      Limit-EventLog -ComputerName $line -LogName "Security" -MaximumSize $secsize
      Set-TransportService $line -MessageTrackingLogMaxAge $maxage -MessageTrackingLogMaxDirectorySize $maxdirsize -MessageTrackingLogMaxFileSize $transportconfig.MessageTrackingLogMaxFileSize
      Get-OutlookAnywhere -Server $line | Set-OutlookAnywhere -ClientAuthenticationMethod $oaconfig.ClientAuthenticationMethod -SSLOffloading $oaconfig.SSLOffloading -ExternalHostName $oaconfig.ExternalHostName -IISAuthenticationMethods $oaconfig.IISAuthenticationMethods
}

Quick Code Dissection

Lines 5 to 17 query the WMI information for the source server and parse out the size of each event log needed for the new Exchange server.
Lines 18 to 20 add MB to the values for the event log sizes.
Lines 21 and 22 store the Outlook Anywhere and Transport service configuration.
Lines 23 and 24 clean up the age data needed for the message tracking logs later in the script.
Line 25 gets the max directory size.
Lines 28 to 30 set the event log sizes for the destination server.
Lines 31 and 32 set the transport service settings and Outlook Anywhere.

Note that the list of settings being duplicated is rather small. The above script could be expanded to cover additional settings, or trimmed to fewer settings, as needed.

Further Reading
Exchange Automation 1
Exchange Automation 2
