Monday, 7 April 2008

Disabling Outlook Web Access on AD accounts

A request came up asking, "If we need to, could we disable Outlook Web Access for a particular list of users?"

After some digging around, and some great help from Shay Levy on the PowerGUI message board, I was able to come up with the following:

Set-QADUser 'springfield\homer.simpson' -ObjectAttributes @{ProtocolSettings='HTTP§0§1§§§§§§'}

If you need to disable more than one of the options, it would be:

Set-QADUser 'springfield\homer.simpson' -ObjectAttributes @{ProtocolSettings='HTTP§0§1§§§§§§,IMAP40§1§§§§§'}

The options shown on the 'Exchange Features' tab of an AD account are stored in the ProtocolSettings field. If you look at that field in ADSI Edit, you will see which options have been disabled, if any. From there you can grab the HTTP, IMAP, etc. string that you need.
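For the audit side of this (checking which accounts actually have OWA switched off), the values read from the ProtocolSettings field can be decoded with a small parser. This is an added example, not code from the original post: the function names and sample accounts are hypothetical, and it assumes the second §-delimited field is the enabled flag (0 = disabled), as in the HTTP value above.

```powershell
# Added example (not from the original post). Sample data below is constructed.
$Sep = [char]0xA7   # the section sign that delimits protocolSettings fields

function ConvertFrom-ProtocolSetting {
    # Turn one stored value (protocol name, flag, ...) into a protocol/state record.
    param([Parameter(Mandatory)][string]$Value)
    $fields = $Value.Split($Sep)
    $state = 'Unparsed'                     # unexpected data is flagged, never guessed
    if ($fields.Count -ge 2) {
        # Assumption: field 2 is the enabled flag, 0 = disabled, 1 = enabled.
        switch ($fields[1]) { '0' { $state = 'Disabled' } '1' { $state = 'Enabled' } }
    }
    [pscustomobject]@{ Protocol = $fields[0].ToUpperInvariant(); State = $state; Raw = $Value }
}

function Get-OwaState {
    # OWA is the HTTP entry. A missing entry is reported as NotSet so that
    # "explicitly disabled" is never confused with "nothing stored".
    param([string[]]$ProtocolSettings)
    $http = @($ProtocolSettings | Where-Object { $_ } |
        ForEach-Object { ConvertFrom-ProtocolSetting -Value $_ } |
        Where-Object { $_.Protocol -eq 'HTTP' })
    if ($http.Count -eq 0) { return 'NotSet' }
    if ($http.Count -gt 1) { return 'Ambiguous' }   # duplicate HTTP entries need a manual look
    $http[0].State
}

# Constructed sample: '|' stands in for the delimiter to keep the file ASCII-safe.
function New-SampleValue([string]$Text) { $Text.Replace('|', [string]$Sep) }

$accounts = @(
    [pscustomobject]@{ Name = 'springfield\homer.simpson'
                       ProtocolSettings = @(New-SampleValue 'HTTP|0|1||||||') }
    [pscustomobject]@{ Name = 'springfield\marge.simpson'
                       ProtocolSettings = @(New-SampleValue 'HTTP|1|1||||||') }
    [pscustomobject]@{ Name = 'springfield\bart.simpson'
                       ProtocolSettings = @() }
    [pscustomobject]@{ Name = 'springfield\lisa.simpson'
                       ProtocolSettings = @(New-SampleValue 'HTTP|x|1||||||') }
)

# One row per account: Disabled, Enabled, NotSet, Unparsed or Ambiguous.
$accounts | ForEach-Object {
    [pscustomobject]@{ Account = $_.Name
                       OWA     = Get-OwaState -ProtocolSettings $_.ProtocolSettings }
}
```

For a real audit, replace the constructed `$accounts` list with the account names and ProtocolSettings values read from your directory.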

More info here:
Making bulk protocolSettings changes

1 comment:

Jonathan Craig said...

Hi Guys,

Thanks for sharing your insightful thoughts and suggestions - very helpful, and appreciated indeed.

On a related note, recently we needed a quick and efficient way to find out which accounts were OWA enabled (for an internal security audit) so we asked our on-site MS consultant and he recommended using the Gold Finger from Paramount Defenses Inc.

Gold Finger pleasantly surprised us because not only was it endorsed by Microsoft but also 100% FREE and loaded with almost 250 useful Active Directory security, Exchange and ACL management reports. BTW, you can download it for free from

In particular, it has over 60 inbuilt Exchange reports, including OWA and MAPI enabled accounts. For a complete list of reports, check out

Thought I'd share this with you in case it could help you too, especially if you need a free way to generate Exchange and AD security reports.

Thanks again, and looking forward to your next post.

Best wishes,