Monday, 24 May 2010

Disable/Enable Outlook Web Access (OWA) using powershell Exchange 2003 - protocolSettings

This took several hours of googling binging so hopefully this will save people some time, and me when i forget in a few days!

What we'll do:
Query AD and find accounts that have OWA disabled and then re-enable them.

When accessing AD with powershell you REALLY need to use the FREE -as in beer addons from Quest: http://www.quest.com/powershell/activeroles-server.aspx install that then crack open powershell, for this i'm using powershell 2...

For the purposes of this everything in courier is powershell script

first add the snapin you just installed:


Add-PSSnapin Quest.ActiveRoles.ADManagement

try it:

Get-QADUser thenameofyouraccount | Select-Object name

That should bring back your name, if it doesn't it can't connect to AD, i'm guessing you can fix that yourseld :)

Now, to build the LDAP string to get back the users we're looking for:


$strFilter = "(&(&(objectcategory=Person)(protocolSettings=HTTP§0§1§§§§§§)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))"

the above brings back all person objects whose account is enabled and their protocolSettings is set to disable WebAccess.

FYI:
HTTP§0§1§§§§§§ = Disabled
HTTP§1§1§§§§§§ = Enabled

This is the same for all Protocol settings the first switch is the enabler.

Now we need to connect to AD, i haven't done this using the Quest addin and i'm not sure why, its useful to know though:

 
$objDomain = New-Object System.DirectoryServices.DirectoryEntry


$objSearcher = New-Object System.DirectoryServices.DirectorySearcher


$objSearcher.SearchRoot = $objDomain


$objSearcher.PageSize = 1000


$objSearcher.Filter = $strFilter


$objSearcher.SearchScope = "Subtree"

That should all be pretty straight forward, the PageSize appears to be a bug, when its not set or set to another number it only returns 1000 records, at 1000 its returns all, go figure! this is exactly the opposite behaviour as in .net proper.
 
You need a few properties to bring back so we'll tell powershell to preload them as part of the AD search call:

 
$colProplist ="distinguishedName", "name", "sAMAccountName", "Description"


foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

Bring the results back!
to get how many you've got back:
$colResults = $objSearcher.FindAll()

Now go through each record and change the protocolSettings using the QuestAddin, this can be done in theory from AD but i could never get it to play nicely with the string array.
Write-host "Total objects: $($colResults.count)"

 
foreach ($objResult in $colResults)



{


$objItem = $objResult.properties;


Set-QADUser -identity "$($objItem.distinguishedname)" -ObjectAttributes @{protocolSettings='IMAP4§1§1§4§ISO-8859-1§0§1§0§0','POP3§1§1§4§ISO-8859-1§0§§§','HTTP§1§1§§§§§§'}


}
I'm actually enabling all the protocol settings just change the 1 after the first § to 0 to disable them.

Make sure you're using the right encoding!
 
 
To check you've changed something:


Get-QADUser  -IncludedProperties('protocolSettings')

Select-object protocolSettings, name

That's it, bear in mind it might take a few (2hrs 15mins max -depending on your TTL in exchange) for the properties to be picked up, also if you've got any connections currenty open you may encounter strange behaviour until the connections are re-authenticated.

the complete script:
Add-PSSnapin Quest.ActiveRoles.ADManagement



$strFilter = "(&(&(objectcategory=Person)(protocolSettings=HTTP§0§1§§§§§§)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))"



$objDomain = New-Object System.DirectoryServices.DirectoryEntry


$objSearcher = New-Object System.DirectoryServices.DirectorySearcher


$objSearcher.SearchRoot = $objDomain


$objSearcher.PageSize = 1000


$objSearcher.Filter = $strFilter


$objSearcher.SearchScope = "Subtree"






$colProplist ="distinguishedName", "name", "sAMAccountName", "Description"


foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}



$colResults = $objSearcher.FindAll()


Write-host "Total objects: $($colResults.count)"


foreach ($objResult in $colResults)


{


$objItem = $objResult.properties;


Set-QADUser -identity "$($objItem.distinguishedname)" -ObjectAttributes @{protocolSettings='IMAP4§1§1§4§ISO-8859-1§0§1§0§0','POP3§1§1§4§ISO-8859-1§0§§§','HTTP§1§1§§§§§§'}


}
Posted by at
Labels:

1 comment:

  1. Bucky7 July 2010 at 23:57

    Use SizeLimit instead of PageSize

    Add-PSSnapin Quest.ActiveRoles.ADManagement
    $strFilter = "(&(&(objectcategory=Person)(protocolSettings=HTTP§0§1§§§§§§)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))"
    $colUsers = Get-QADUser -LdapFilter $strFilter -SizeLimit 10000
    Write-host "Total objects: $($colUsers.count)"
    foreach ($User in $colUsers)
    {
    Set-QADUser $User -ObjectAttributes @{protocolSettings='IMAP4§1§1§4§ISO-8859-1§0§1§0§0','POP3§1§1§4§ISO-8859-1§0§§§','HTTP§1§1§§§§§§'}
    }

    ReplyDelete

Subscribe to: Post Comments (Atom)