Disabling IMAP for New Users, but maintaining the existing IMAP settings…
A little while ago I saw this post in the MSExchange Forums which was basically asking whether it was possible to disable IMAP for new users when they are created in Active Directory but, in the case of the Executives, leave the IMAP settings intact (due to the fact that one of them had purchased an iPhone – yuck!).
I liked the look of this post and wanted to answer, but when thinking about it, it became apparent that this is quite hard to do. Even though I had the basic idea that it could perhaps be accomplished by some form of script, there were some finer details of how the script should run and how we could take into account existing IMAP settings.
During my research I came across the following script on Glen's Exchange Dev Blog, which explains how you can enable and disable POP3 and IMAP on a per-user basis. This was great, as with some adaptation it could be used to disable IMAP globally in AD (thanks Glen – as always you have what we need). Now all I needed was a method to exclude people from the disable process.
In the end I decided to have a Sub in the script that would open a text file, exclude.txt, which contains a list of distinguishedNames that we wish to read back into the Sub to re-enable the IMAP settings.
Now that the script had been logically thought out, this is what I came up with in terms of the code:
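' Bind to the default naming context of the current domain
Set objRootDSE = GetObject("LDAP://rootDSE")
strADsPath = "LDAP://" & objRootDSE.Get("defaultNamingContext")
Set objDomain = GetObject(strADsPath)
Set objCommand = CreateObject("ADODB.Command")
Set objConn = CreateObject("ADODB.Connection")
objConn.Open "Provider=ADsDSOObject;"
Set objCommand.ActiveConnection = objConn
' Find every user object in the domain (note: computer accounts also carry objectClass 'user')
objCommand.CommandText = "SELECT distinguishedName,samAccountName FROM '" & strADsPath & "' WHERE objectClass = 'user'"
objCommand.Properties("searchscope") = 2 ' search the whole subtree
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute
' Pass 1: disable IMAP for every user returned
While Not objRecordSet.EOF
    ChangeVal objRecordSet.Fields("distinguishedName").Value
    objRecordSet.MoveNext
Wend
' Pass 2: re-enable IMAP for the users listed in exclude.txt
FindExcluded

Sub ChangeVal(strDN)
    qstring = "LDAP://" & strDN
    Set objUser = GetObject(qstring)
    ' 2 = ADS_PROPERTY_UPDATE: replaces all existing protocolSettings values with this one
    ' The second field of the value (0) marks IMAP4 as disabled
    objUser.PutEx 2, "protocolSettings", Array("IMAP4§0§1§4§ISO-8859-1§0§1§0§0")
    objUser.SetInfo
    Set objUser = Nothing
End Sub

Sub FindExcluded
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' 1 = ForReading; the path is relative to the working directory the script runs in
    Set objFile = objFSO.OpenTextFile("exclude.txt", 1)
    Do Until objFile.AtEndOfStream
        strLine = Trim(objFile.ReadLine)
        If strLine <> "" Then ' skip blank lines so GetObject is not called on an empty DN
            qstring = "LDAP://" & strLine ' Thanks Glen
            Set objUser = GetObject(qstring)
            ' The second field of the value (1) marks IMAP4 as enabled
            objUser.PutEx 2, "protocolSettings", Array("IMAP4§1§1§4§ISO-8859-1§0§1§0§0")
            objUser.SetInfo
            Set objUser = Nothing
        End If
    Loop
    objFile.Close
    Set objFSO = Nothing
    Set objFile = Nothing
End Sub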
You can download a copy of this code from Here
You will notice that the code above references a text file called exclude.txt. This file should contain the distinguishedNames that you wish to exclude from the process of disabling IMAP, each on a separate line, for example:
CN=Andy,CN=Users,DC=ldn,DC=com
CN=Maria,CN=Users,DC=ldn,DC=com
What I suggest for people wishing to implement this is to put this script either on a Domain Controller or Exchange server, and then schedule it as a recurring task using the "Scheduled Tasks" wizard (you can configure a batch file to run every 10 minutes or so which runs the script).
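The script above writes a single IMAP4 value with PutEx 2, which replaces whatever other values protocolSettings held on the account. The following is an added example, not part of the original post or of Glen's script, that changes only the enabled flag of the IMAP4 entry and keeps the other entries. MergeImapFlag and SetImap are hypothetical names, the demo values are constructed, and it assumes the second §-separated field is the enabled flag, as the two values in the script suggest.

```vbscript
Option Explicit
Const ADS_PROPERTY_UPDATE = 2
Dim SEP : SEP = ChrW(167)   ' the § separator, built by code point so file encoding cannot mangle it

' Return the protocolSettings values with only the IMAP4 entry's enabled flag
' (second field) set to strFlag ("0" or "1"); other entries pass through unchanged.
Function MergeImapFlag(arrValues, strFlag)
    Dim arrOut(), i, n, parts, blnFound
    n = -1
    blnFound = False
    If IsArray(arrValues) Then
        For i = LBound(arrValues) To UBound(arrValues)
            parts = Split(arrValues(i), SEP)
            If UBound(parts) >= 1 Then
                If UCase(parts(0)) = "IMAP4" Then
                    parts(1) = strFlag
                    blnFound = True
                End If
            End If
            n = n + 1
            ReDim Preserve arrOut(n)
            arrOut(n) = Join(parts, SEP)
        Next
    End If
    If Not blnFound Then   ' no IMAP4 entry yet: add the value the script above writes
        n = n + 1
        ReDim Preserve arrOut(n)
        arrOut(n) = Join(Array("IMAP4", strFlag, "1", "4", "ISO-8859-1", "0", "1", "0", "0"), SEP)
    End If
    MergeImapFlag = arrOut
End Function

' Hypothetical replacement for ChangeVal ("0") and the loop body of FindExcluded ("1").
Sub SetImap(strDN, strFlag)
    Dim objUser, arrOld
    Set objUser = GetObject("LDAP://" & strDN)
    On Error Resume Next          ' GetEx raises an error when the attribute is not set
    arrOld = objUser.GetEx("protocolSettings")
    If Err.Number <> 0 Then Err.Clear   ' arrOld stays Empty, handled by MergeImapFlag
    On Error GoTo 0
    objUser.PutEx ADS_PROPERTY_UPDATE, "protocolSettings", MergeImapFlag(arrOld, strFlag)
    objUser.SetInfo
End Sub

' Offline check on constructed (shortened) values, no directory access needed:
Dim arrDemo
arrDemo = MergeImapFlag(Array("POP3" & SEP & "1", "IMAP4" & SEP & "1" & SEP & "1"), "0")
WScript.Echo Join(arrDemo, vbCrLf)
```

Run it with cscript.exe to see the merged values for the constructed input before pointing SetImap at real accounts.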