Recipe 8.22. Disabling User Access to POP3, IMAP4, and HTTP

Problem

You want to control access to your Exchange Server from non-MAPI clients, allowing some users to use IMAP, POP, or HTTP and preventing others from doing so.

Solution

Using a graphical user interface

To disable an individual user's access to POP3, IMAP4, or HTTP, do the following:
To keep any user from using POP3 or IMAP4 on a particular server, do the following:
Using VBScript

' This code disables access to POP3, HTTP, and IMAP
' ------ SCRIPT CONFIGURATION ------
strUser = "cn=<username>,cn=Users,dc=<domain>,dc=<com>"
' e.g., "cn=Paul Robichaux,cn=Users,dc=robichaux,dc=net"
charSS = Chr(167)          'define a section symbol
symbolset = "ISO-8859-1"   'choose a symbol set for pop3 & imap4
' ------ END CONFIGURATION ---------

' Bind to the user object in Active Directory
set objUser = GetObject("LDAP://" & strUser)

' Build the disable/enable value for each protocol; only the first flag differs
disableHTTP = "HTTP" & charSS & "0" & charss & "1" & String(6,charSS)
enableHTTP = "HTTP" & charSS & "1" & charss & "1" & String(6,charSS)
disableIMAP = "IMAP4" & charSS & "0" & charss & "1" & charss & "4" & charSS _
    & symbolset & charSS & "0" & charss & "1" & charss & "0" & charss & "0"
enableIMAP = "IMAP4" & charSS & "1" & charss & "1" & charss & "4" & charSS _
    & symbolset & charSS & "0" & charss & "1" & charss & "0" & charss & "0"
disablePOP3 = "POP3" & charSS & "0" & charSS & "1" & charSS & "4" & charSS _
    & symbolset & charSS & "0" & String(3,charSS)
enablePOP3 = "POP3" & charSS & "1" & charSS & "1" & charSS & "4" & charSS _
    & symbolset & charSS & "0" & String(3,charSS)

'--- set each protocol as "enable" or "disable"
protocolSettings= Array(disableHTTP,disableIMAP,disablePOP3) ' to disable all
' protocolSettings= Array(enableHTTP,enableIMAP,enablePOP3) ' to enable all

' Put overwrites every existing value of the multivalued attribute
objuser.Put "protocolSettings", protocolSettings
objUser.SetInfo
Wscript.Echo "Protocol settings for " & objUser.Get("sAMAccountName") & _
    " have been updated"

Discussion

In Active Directory, the settings for POP3, IMAP4, and HTTP access to a user's mailbox are stored in the multivalued protocolSettings property in the user object. Each value takes a funny-looking format that uses the section character (§, ASCII 167) as a field delimiter.

POP3§<enableFlag>§<defaultsFlag>§<encodingFlag>§<symbolSet>§<rtfFlag>§§§
IMAP4§<enableFlag>§<defaultsFlag>§<encodingFlag>§<symbolSet>§1§1§0§0
HTTP§<enableFlag>§<defaultsFlag>§§§§§§

The first two flag values are fairly straightforward:
Finally, the <rtfFlag> values control whether or not Exchange will use RTF (and thus generate the infamous winmail.dat attachment):
Note that the steps provided in the GUI solutions are also applicable for IMAP4 and HTTP; while the actual service name changes, the steps for each protocol are identical. In the interests of simplicity, we've only included the steps for disabling the POP3 protocol.

See Also

MS KB 252459 (Retrieve Properties of User Objects with ADSI and ADO) and MSDN documentation for Platform SDK: Active Directory Schema
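To check the result across many accounts, the protocolSettings format described in the Discussion can be parsed and audited offline. The following Python sketch is an added example, not code from the original recipe; it assumes the attribute values have already been exported into a dictionary keyed by user name, and the function names and sample users are hypothetical.

```python
SEP = "\u00a7"             # section sign; Chr(167) in the recipe's script
MOJIBAKE = "\u00c2\u00a7"  # how the delimiter looks after a UTF-8/Latin-1 mix-up
PROTOCOLS = ("POP3", "IMAP4", "HTTP")

def parse_setting(value):
    """Split one protocolSettings value into protocol, enableFlag and the rest."""
    fields = [f.strip() for f in value.replace(MOJIBAKE, SEP).split(SEP)]
    if len(fields) < 3 or fields[1] not in ("0", "1"):
        raise ValueError("unexpected protocolSettings value: %r" % value)
    return {"protocol": fields[0].upper(), "enabled": fields[1] == "1",
            "defaultsFlag": fields[2], "rest": fields[3:]}

def access_report(values):
    """Per protocol: True/False from enableFlag, None if the user has no value."""
    report = dict.fromkeys(PROTOCOLS)
    for value in values:
        setting = parse_setting(value)
        if setting["protocol"] in report:
            report[setting["protocol"]] = setting["enabled"]
    return report

def not_disabled(directory):
    """Sorted (user, protocol) pairs whose enableFlag is not explicitly 0."""
    return sorted((user, proto)
                  for user, values in directory.items()
                  for proto, enabled in access_report(values).items()
                  if enabled is not False)

def _v(text):
    # Sample values are written with "|" standing in for the section sign.
    return text.replace("|", SEP)

# Constructed sample data (hypothetical users), not taken from a real directory.
SAMPLE = {
    "alice": [_v("HTTP|0|1||||||"), _v("IMAP4|0|1|4|ISO-8859-1|0|1|0|0"),
              _v("POP3|0|1|4|ISO-8859-1|0|||")],
    "bob": [_v("HTTP|1|1||||||"),
            _v("POP3|0|1|4|ISO-8859-1|0|||").replace(SEP, MOJIBAKE)],
    "carol": [],
}

if __name__ == "__main__":
    for user, proto in not_disabled(SAMPLE):
        print("%s: %s is not explicitly disabled" % (user, proto))
```

A protocol reported as None has no per-user value at all, so the audit lists it alongside explicitly enabled protocols for review.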