Preventing Access to OMA and Active Sync Using Security Groups in AD

I think that I saw a post about this the other day in the MSExchange Forum.

I was about to answer with the usual, you can configure this via the “Exchange Features” component in AD Users and Computers and there is no other way…. but then I thought is that strictly true?

You see, the enable or disable values for these components are part of a users Active Directory properties contained in a value entitled msExchOmaAdminWirelessEnable which has a data type of integer, and can be viewed and modified by using ADSI edit, which also means that you can generate scripts to manipulate the values.

In essence you can use a combination of Integer values from 0 to 7 to enabled or disable the following Mobile features for an individual users account:

  • Outlook Mobile Access (OMA)
  • User Initiated Synchronisation
  • Up-To-Date Notifications

The following table is a run down on the combinations that can be used to gain the desired results:


Integer Value OMA User Initiated Synchronisation Up-to-date Notification
0 Enabled Enabled Enabled
1 Enabled Enabled Disabled
2 Disabled Enabled Enabled
3 Disabled Enabled Disabled
4 Enabled Disabled Enabled
5 Enabled Disabled Disabled
6 Disabled Disabled Enabled
7 Disabled Disabled Disabled

So, from know this, I thought “What if you have a security group that contains all the people that you wish to disable these values for, and then have a script which reads the group periodically and changes the values in ad”.

The following is what I came up with:

strADPath = “cn=Deny_AS,cn=Users, “

Set objRootDSE = GetObject(”LDAP://RootDSE“)
strDomainContext = objRootDSE.Get(”DefaultNamingContext”)

Set objGroup = GetObject (”LDAP://”& strADPath & strDomainContext)

Members = objGroup.GetEx(”member”)

For Each strMember in Members

set ObjUser = getObject(”LDAP://” & stMember)

obJUser.msExchOmaAdminWirelessEnable = “7″


The above script reads the group membership of DENY_AS which is located in the Users container in Active Directory (you would need to create this group if you wish to use the script) and then changes the mobile settings on the account to match the Integer value which is set on the line obJUser.msExchOmaAdminWirelessEnable = “7″ (In my example it will disable all Mobile settings).

This script can be scheduled to run on either you Exchange server, member server or Domain Controller perhaps at an interval of 10 or 20 minutes.

Sharing is caring!:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.