Enable or Disable Outlook Anywhere based on Group Membership

Posted by in Exchange, PowerShell

Let’s face it – security guys HATE Outlook Anywhere. So, it is highly likely you’ve stumbled onto this page because you’ve been asked to disable it outright or only enable it for the trusted few. In that case, this will hopefully help.

The script below will enable or disable Outlook Anywhere based on the membership of a distribution group. It will then give you a CSV output of everything it’s done.

Note: The script doesn’t currently recurse groups, so nested groups will not work.

Also Note: The script runs a Get-CASMailbox across all your mailboxes with no limit on ResultSize. If you want to limit or customize this in any way, you should change the $Users variable on Line 17 (the Get-CASMailbox call).

################################################################################
#### Enable or Disable Outlook Anywhere Based on Allow Group by Matt Ellis #####
################################################################################
 
# Contact Me
# ----------
 
# Web: http://mattellis.me
# Twitter: http://twitter.com/ellismessaging (@ellismessaging)
 
# Start Variables
$ReportPath = "D:\Temp\OA-Report.csv"
$GroupName = "sec_OutlookAnywhere_Allow"
# End Variables
 
$Global:AllMembers = @()
$Users = Get-CASMailbox -ResultSize Unlimited | Select Identity, SamAccountName, ServerName, MAPIBlockOutlookRpcHttp
$Allow = Get-DistributionGroupMember -Identity $GroupName -ResultSize:Unlimited | Select SamAccountName
 
Function InsertObject {
	$obj = New-Object psObject
	$obj | Add-Member -Membertype noteproperty -Name "Name" -Value $User.Identity
	$obj | Add-Member -Membertype noteproperty -Name "User4x4" -Value $User.SamAccountName
	$obj | Add-Member -Membertype noteproperty -Name "Server" -Value $User.ServerName
	$obj | Add-Member -Membertype noteproperty -Name "BlockOA" -Value $User.MAPIBlockOutlookRpcHttp
	$obj | Add-Member -Membertype noteproperty -Name "InAllowGroup" -Value $InAllowGroup
	$obj | Add-Member -Membertype noteproperty -Name "Result" -Value $Result
	$Global:AllMembers += $obj
}
 
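ForEach ($User in $Users) {
	# Reset for every mailbox so a value from the previous iteration is never reused (e.g. when the group is empty)
	[bool]$InAllow = $false
	ForEach ($Username in $Allow) {
		# Exact comparison on the SamAccountName property. Using -match against the whole
		# object is a regex test, so "smith" would also match an allowed "jsmith".
		If ($Username.SamAccountName -eq $User.SamAccountName) {
			$InAllow = $true
			Break
		}
	}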
	If ($InAllow -and !$User.MAPIBlockOutlookRpcHttp) {
		$InAllowGroup = "Yes"
		$Result = "Already Enabled"
		# Do Nothing
	} ElseIf (!$InAllow -and $User.MAPIBlockOutlookRpcHttp) {
		$InAllowGroup = "No"
		$Result = "Already Disabled"
		# Do Nothing
	} ElseIf ($InAllow -and $User.MAPIBlockOutlookRpcHttp) {
		$InAllowGroup = "Yes"
		$Result = "To Be Enabled"
		# Enable OA
		Set-CASMailbox -Identity $User.Identity -MAPIBlockOutlookRpcHttp:$False
	} ElseIf (!$InAllow -and !$User.MAPIBlockOutlookRpcHttp) {
		$InAllowGroup = "No"
		$Result = "To Be Disabled"
		# Disable OA
		Set-CASMailbox -Identity $User.Identity -MAPIBlockOutlookRpcHttp:$True
	} Else {
		$Result = "Hell, I dunno!"
	}
	InsertObject
}
$Global:AllMembers | Export-CSV $ReportPath -NoTypeInformation -Force
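
The note above says the script does not recurse nested groups. The following is an added example, not part of the original script, showing one way to flatten nested membership into a set that supports exact lookups. Get-NestedAllowList and $AllowSet are hypothetical names, and it assumes nested groups are mail-enabled so that Get-DistributionGroupMember can read them.

```powershell
# Added example: expand nested groups into a flat set of SamAccountNames.
# Get-NestedAllowList is a hypothetical helper name, not part of the original script.
Function Get-NestedAllowList {
	Param(
		[Parameter(Mandatory = $true)][string]$GroupName,
		# Groups already expanded, so circular nesting (A in B, B in A) cannot loop forever
		[System.Collections.Generic.HashSet[string]]$Visited
	)
	If ($null -eq $Visited) {
		$Visited = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
	}
	# Case-insensitive set, so "JSmith" and "jsmith" are the same account
	$Allowed = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)

	# Add() returns $false when this group has been seen before
	If (-not $Visited.Add($GroupName)) { Return ,$Allowed }

	# Stop on error: a partial member list would wrongly disable allowed users
	$Members = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited -ErrorAction Stop
	ForEach ($Member in $Members) {
		If ("$($Member.RecipientType)" -like 'Mail*Group') {
			# Assumption: nested groups are mail-enabled (Mail*Group recipient types)
			$Nested = Get-NestedAllowList -GroupName $Member.DistinguishedName -Visited $Visited
			$Allowed.UnionWith($Nested)
		} ElseIf ($Member.SamAccountName) {
			# Members without a SamAccountName (e.g. mail contacts) are skipped
			[void]$Allowed.Add($Member.SamAccountName)
		}
	}
	# The leading comma stops PowerShell from unrolling the set into an array
	Return ,$Allowed
}

$AllowSet = Get-NestedAllowList -GroupName "sec_OutlookAnywhere_Allow"
# Exact lookup per mailbox, usable in place of the inner ForEach over $Allow:
# $InAllow = $AllowSet.Contains($User.SamAccountName)
```

Because the function stops on any lookup error, a failed group read aborts the run before any Set-CASMailbox call is made from an incomplete allow list.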