Determining Which User Accounts Have OWA Access Enabled or Disabled
Enabling OWA access is simple, but determining which of all your user accounts already have (or don't have) access can be a bigger task. This script simplifies the job.
December 11, 2005
I am looking for a script that will tell me which user accounts in my domain have the Outlook Web Access (OWA) setting on the Exchange Features tab enabled or disabled. Can you help?
The Exchange Features tab, which Figure 1 shows and which you can see when you open a user account's Properties dialog box in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, lets you configure whether the user can access his or her mail via OWA. This setting is easy to modify on a user-by-user basis, but determining the user accounts for which the setting is enabled or disabled is more complicated.
Active Directory (AD) stores the protocol settings on the Exchange Features tab in the protocolSettings attribute. You can see this attribute by using the Microsoft Active Directory Service Interfaces (ADSI) Edit console (adsiedit.msc), which you can get by downloading the 32-bit Windows Server 2003 Service Pack 1 (SP1) Support Tools. (To download the tools, go to http://www.microsoft.com/downloads/details.aspx?familyid=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d.) Right-click the user account in the ADSI Edit console, choose Properties, then scroll down to the protocolSettings attribute, as Figure 2 shows. The attribute is a Unicode string that uses the syntax
protocol§setting1§setting2 . . .
where protocol is the protocol's name (e.g., HTTP, POP3, IMAP), and setting1 is a value that indicates whether the protocol is enabled (1) or disabled (0). A protocol can have multiple settings, and the § character separates these settings from one another. (You can enter this character by typing Alt+0167.) If a protocol isn't listed, it's enabled by default, and if the protocolSettings attribute contains no entries, all protocols are enabled by default.
The HTTP protocol entry in the protocolSettings attribute defines the OWA setting. When the protocolSettings attribute is empty or when the HTTP entry isn't present or lists a value of 1 for the first setting (i.e., HTTP§1), OWA is enabled for that user. When the protocol entry exists and the first setting has a value of 0 (i.e., HTTP§0), you know that OWA is disabled.
To simplify the process of finding this information, I wrote the short script OWAEnabled.vbs, which Listing 1 shows. This script uses ActiveX Data Objects (ADO) to query the current AD domain, then lists all user accounts that are OWA-enabled. The script accomplishes this task by using the query filter shown at callout A. All the parentheses make this piece of code difficult to read, but it basically tells the script, "Select all users from the current domain who have an Exchange Server mailbox and a protocolSettings attribute that's either blank or that contains the string HTTP§1."
Listing 2 shows OWADisabled.vbs, a script that does the same thing as OWAEnabled.vbs except that it lists all domain user accounts for which the HTTP protocol is explicitly disabled. The only change from OWAEnabled.vbs is the search filter (at callout A in Listing 2). Both scripts use the WScript.Echo method to produce their output, so you should run them by using the CScript host so that the output appears in the command window instead of in a series of Windows message boxes.
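The rules above for reading the HTTP entry, as an added Python example that is not one of the article's listings: it classifies accounts from protocolSettings values that have already been exported, and it also covers an account that lists other protocols but has no HTTP entry. The account names, sample values, function names, case-insensitive protocol match, and the "unknown" result for a malformed entry are assumptions of this example.

```python
# Added example, not OWAEnabled.vbs or OWADisabled.vbs: classify OWA status
# from exported protocolSettings values using the rules in the article.
SEP = "\u00a7"  # the section sign (Alt+0167) that separates settings

def owa_status(entries):
    """entries: list of protocolSettings strings for one account (may be empty or None).

    Returns 'enabled', 'disabled', or 'unknown' (HTTP entry present but its
    first setting is neither 1 nor 0; 'unknown' is this example's choice).
    """
    for entry in entries or []:
        fields = [f.strip() for f in entry.split(SEP)]
        if fields[0].upper() != "HTTP":  # assumption: protocol name matched case-insensitively
            continue
        first = fields[1] if len(fields) > 1 else ""
        if first == "1":
            return "enabled"
        if first == "0":
            return "disabled"
        return "unknown"
    # No HTTP entry, or no entries at all: the protocol is enabled by default.
    return "enabled"

def audit(accounts):
    """accounts: iterable of (name, entries). Returns {status: [names]}."""
    report = {"enabled": [], "disabled": [], "unknown": []}
    for name, entries in accounts:
        report[owa_status(entries)].append(name)
    return report

# Constructed sample data (hypothetical account names and attribute values).
SAMPLE = [
    ("alice", []),                                    # attribute has no entries
    ("bob",   [f"HTTP{SEP}1"]),                       # explicitly enabled
    ("carol", [f"POP3{SEP}0", f"IMAP{SEP}1"]),        # other protocols only, HTTP not listed
    ("dave",  [f"POP3{SEP}1", f"HTTP{SEP}0{SEP}1"]),  # explicitly disabled
    ("erin",  [f"HTTP{SEP}"]),                        # malformed: first setting missing
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Accounts reported as "unknown" have an HTTP entry that fits neither rule and are worth checking by hand in ADSI Edit.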