
Exchange 2003 SP2 Disabling Mapi/Non-Cached Access Per User

 

Topic Last Modified: 2006-12-05

By Nino Bilic

Disabling MAPI access per user is intended primarily for Exchange hosting providers, but other Exchange administrators have also requested this capability.

This article describes how this capability can be useful and how to implement it.

Exchange Server 2003 Service Pack 2 (SP2) adds functionality that lets the administrator completely turn off MAPI access for a given user, or grant access to a user whose Microsoft® Office Outlook® is configured for cached mode but deny access otherwise. This functionality is expected to be valuable to providers of hosting services that, for example, want their end-users to connect to Exchange with Outlook Web Access but not with Outlook (through a regular MAPI connection or by using RPC over HTTP).

The protocolSettings attribute on the user object in Active Directory stores client access settings. This attribute is a multivalued string property, where each string applies to a different protocol. MAPI access can be restricted by manually adding the following string to the protocolSettings attribute using a tool such as ADSIEdit:

MAPI§<Bool1>§<Bool2>§§§§§§

The eight § separators define exactly nine fields. The meanings of the fields are as follows:

  • MAPI: specifies that this string contains settings that apply to the MAPI protocol.

  • Bool1: 0 to block all MAPI access; 1 to determine MAPI access based on Bool2.

  • Bool2: 0 for “no effect”; 1 to deny access to non-cached mode Outlook clients.

  • Remaining 6 fields: currently not used, but the separators must be present.

Note:
The symbol “§” is a Unicode character that can be typed on a keyboard by pressing and holding the ALT key and then typing “0167” on the numeric keypad. As soon as you release the ALT key, the character will appear. Alternatively, the character can be copied from the Character Map application (Start > All Programs > Accessories > System Tools > Character Map).

If there is no MAPI string in protocolSettings, all MAPI clients are allowed.

By default, the protocolSettings user attribute is blank; to add values, open the properties of the user in ADSIEdit. Make sure that when you view attributes, the “Show only attributes that have values” check box is not checked. Then, select the attribute and press the Edit button:

[Screenshot: Attribute Editor tab]

Add the value desired and press the Add button:

[Screenshot: Multi-valued String Editor]

Press OK.

ADSIEdit will then show the following:

[Screenshot: Attribute Editor, protocolSettings value]

As soon as the protocolSettings attribute is set, it can also be observed from LDP:

     1> protocolSettings: MAPI§1§1§§§§§§;

Some examples of those settings are as follows:

MAPI§0§<Bool2>§§§§§§ - this would block ANY client MAPI access to the mailbox (cached or not), regardless of what the value of “Bool2” was.

MAPI§1§0§§§§§§ - this would not block anything, because the value “Bool2” is set to “0”. MAPI access is enabled for online and cached clients.

MAPI§1§1§§§§§§ - this would block any “online” (non-cached) MAPI access. Outlook clients accessing the server that uses cached mode would be able to connect to the mailbox.

If the MAPI string does not have the eight separators, or does not comply with the expected data types, the behavior is undefined.

The access restrictions specified earlier do not apply in the following cases:

  • The client is an Exchange component (for example, mailbox moves would still work correctly regardless of the MAPI access settings for the mailboxes).

  • The client is doing delegate access to the mailbox.

Delays in changes to protocolSettings becoming effective can be caused by the following:

  1. As with other mailbox properties that are stored in Active Directory, protocolSettings are cached in the Information Store (MBICache default Time to Live [TTL] is two hours) and in Directory Access (DSAccess) cache (default TTL is 15 minutes). These caches may delay the time that is required for a change in the protocolSettings to become effective.

    For more information about the Information Store cache and the Directory Access cache, see the following Microsoft Knowledge Base articles.

    Note:
    Decreasing the Time to Live (TTL) of the Information Store cache must be tested in a live production environment. A shorter cache lifetime means more queries against the domain controllers and global catalog servers, and the performance effect has to be understood. We recommend not setting the value any smaller than 20 minutes.
  2. The access check is performed at connection time. If a user is connected and the setting is changed to deny access, the change will not take effect until the client disconnects (which may take several days).

  3. Because Outlook typically uses more than one connection, there may be unexpected behavior if one connection drops while the others stay up and Outlook tries to reestablish the dropped connection: that reconnection will be denied access. Restarting Outlook is all it takes to reveal what is occurring.

  4. If the registry value HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\Disable MAPI Clients is set, the server blocks certain client versions server-wide (based on the registry value). A specific user could therefore be blocked either by this registry setting (based on the client version) or by the per-user MAPI protocolSettings.

    For more information about the Disable MAPI Clients registry key, see Microsoft Knowledge Base article 288894, How to disable MAPI client access to an Exchange Server 2003 computer or to an Exchange 2000 Server computer.

You may want to make protocolSettings changes in bulk (for example, if you provide e-mail hosting services). Here are some ideas on how to accomplish this.

If creating users through a CSVDE import, include the protocolSettings attribute in the original import; be aware that you can use CSVDE to create objects but not to modify existing objects.

For more information about CSVDE and how to use it to create user objects, see Microsoft Knowledge Base article 327620, How to use Csvde to import contacts and user objects into Active Directory.

If modifying existing users, you can use the LDIFDE tool to export from Active Directory and then modify the resulting LDF file.

For illustration, the following examples show how those modifications would be made through LDIFDE. These examples are valid only if there was nothing else (other than the MAPI setting) already in the protocolSettings attribute.

To create an LDF export of the users in the "Users" container with the DN and protocolSettings attributes, run:

LDIFDE -d "CN=Users,DC=nbroot,DC=com" -r "(objectClass=user)" -l dn,protocolSettings -f c:\export.ldf

The LDF export shows (in this example) one user, with no protocolSettings value present:

dn: CN=e2k3user2,CN=Users,DC=nbroot,DC=com
changetype: add

Note that the value of the protocolSettings attribute is displayed differently when viewed from ADSIEdit (or LDP) than when viewed in an LDIFDE export: LDIFDE writes the value as base64 (the "::" notation) because it contains non-ASCII characters. The following table shows those differences.

 

Scope of blocking                              Viewed from ADSIEdit or LDP    Viewed in LDIFDE export
No MAPI access blocking                        MAPI§1§0§§§§§§ or <Not Set>    TUFQScKnMcKnMMKnwqfCp8KnwqfCpw== or <Not Set>
Block non-cached (online) access only          MAPI§1§1§§§§§§                 TUFQScKnMcKnMcKnwqfCp8KnwqfCpw==
Block all MAPI access to mailbox               MAPI§0§0§§§§§§                 TUFQScKnMMKnMMKnwqfCp8KnwqfCpw==

Now, to add the value MAPI§0§0§§§§§§ (for example) to CN=e2k3user2, create the following import file:

dn: CN=e2k3user2,CN=Users,DC=nbroot,DC=com
changetype: modify
add: protocolSettings
protocolSettings:: TUFQScKnMMKnMMKnwqfCp8KnwqfCpw==
-

Save the file as c:\import.ldf. Run the following command to import the file:

LDIFDE -i -f c:\import.ldf

The output should be something like the following:

Connecting to "NBROOTE2K3.nbroot.com"
Logging in as current user by using SSPI
Importing directory from file "c:\import.ldf"
Loading entries.
1 entry modified successfully.

If you want to modify a user who already has a value in the protocolSettings attribute, proceed as follows.

To create an LDF export of the users in the "Users" container with the DN and protocolSettings attributes, run:

LDIFDE -d "CN=Users,DC=nbroot,DC=com" -r "(objectClass=user)" -l dn,protocolSettings -f c:\export.ldf

The LDF export shows (in this example) one user:

dn: CN=e2k3user3,CN=Users,DC=nbroot,DC=com
changetype: add
protocolSettings:: TUFQScKnMcKnMcKnwqfCp8KnwqfCpw==

As the export shows, the user e2k3user3 already has the protocolSettings attribute set. In this case, it was verified through ADSIEdit that there was only a MAPI value in that attribute (MAPI§1§1§§§§§§).

Now create the following file to change the protocolSettings attribute to MAPI§0§0§§§§§§:

dn: CN=e2k3user3,CN=Users,DC=nbroot,DC=com
changetype: modify
replace: protocolSettings
protocolSettings:: TUFQScKnMMKnMMKnwqfCp8KnwqfCpw==
-

Save the file as c:\import.ldf. Run the following command to import the file:

LDIFDE -i -f c:\import.ldf

The output should be something like the following:

Connecting to "NBROOTE2K3.nbroot.com"
Logging in as current user by using SSPI
Importing directory from file "c:\import.ldf"
Loading entries.
1 entry modified successfully.

For more information about how to use LDIFDE tool, see Microsoft Knowledge Base article 237677, Using LDIFDE to Import and Export Directory Objects to Active Directory.
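The field layout described at the start of this article and the base64 form LDIFDE uses in the two procedures above, pulled together in one script: it builds and strictly validates MAPI§<Bool1>§<Bool2>§§§§§§ strings, converts between the ADSIEdit and LDIFDE representations, and turns an LDIFDE export into an import file, choosing "add" or "replace" per user and refusing to overwrite an attribute that holds anything other than a lone MAPI string. This is an added example, not code from the article or from Microsoft; the function names and the two-user sample export are constructed for illustration.

```python
import base64

SEP = "\u00a7"  # the "§" separator; eight of them delimit nine fields

def build_mapi_setting(allow_mapi, deny_non_cached):
    """MAPI§<Bool1>§<Bool2>§§§§§§: Bool1=0 blocks all MAPI, Bool2=1 blocks non-cached Outlook."""
    return SEP.join(["MAPI", "1" if allow_mapi else "0", "1" if deny_non_cached else "0"] + [""] * 6)

def parse_mapi_setting(value):
    """Validate strictly (server behaviour is undefined otherwise); return which client modes may connect."""
    f = value.split(SEP)
    if len(f) != 9 or f[0] != "MAPI" or f[1] not in ("0", "1") or f[2] not in ("0", "1") or any(f[3:]):
        raise ValueError("expected MAPI, two 0/1 fields and six empty fields: %r" % value)
    return {"online": f[1] == "1" and f[2] == "0", "cached": f[1] == "1"}

def to_ldif_base64(value):
    """LDIF writes non-ASCII values as '::' plus base64 of the UTF-8 bytes, which is what LDIFDE exports."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")

def parse_ldifde_export(text):
    """Map each dn in an LDIFDE export to its base64 protocolSettings value, or None if unset."""
    users, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            users[dn] = None
        elif line.startswith("protocolSettings:: ") and dn:
            users[dn] = line.split(":: ", 1)[1]
    return users

def ldif_modify_record(dn, new_value, existing_b64=None):
    """'add' if the attribute is empty; 'replace' only when the stored value is a lone MAPI string
    (replace would also discard any other protocol string kept in the attribute)."""
    if existing_b64 is not None:  # decode the exported value and refuse anything that is not a MAPI string
        parse_mapi_setting(base64.b64decode(existing_b64).decode("utf-8"))
    op = "add" if existing_b64 is None else "replace"
    return "\n".join(["dn: " + dn, "changetype: modify", op + ": protocolSettings",
                      "protocolSettings:: " + to_ldif_base64(new_value), "-", ""])

# Constructed sample export in the shape the article shows: one user unset, one already at MAPI§1§1§§§§§§.
SAMPLE_EXPORT = """dn: CN=e2k3user2,CN=Users,DC=nbroot,DC=com
changetype: add

dn: CN=e2k3user3,CN=Users,DC=nbroot,DC=com
changetype: add
protocolSettings:: TUFQScKnMcKnMcKnwqfCp8KnwqfCpw==
"""

def block_all_mapi_import(export_text):
    """Build the import file that sets MAPI§0§0§§§§§§ (block all MAPI access) on every exported user."""
    value = build_mapi_setting(allow_mapi=False, deny_non_cached=False)
    return "\n".join(ldif_modify_record(dn, value, b64) for dn, b64 in parse_ldifde_export(export_text).items())
```

Writing the result of block_all_mapi_import to c:\import.ldf and running LDIFDE -i -f c:\import.ldf applies it, subject to the cache delays described earlier.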

ADModify is a tool that you can use to make bulk changes to Active Directory objects. Starting with release 2.1, both the command-line and GUI versions include the ability to enable or disable MAPI access in bulk.

When you run ADModify version 2.1 and select the users who need modification, locate the Exchange Features tab in ADModify, where the new options appear. Only one of those options can be chosen at a time.

For the latest version of ADModify tool, visit the following third-party Web site, AdModify Tool.

Note:
The third-party Web site information in this topic is provided to help you find the technical information you need. The URLs are subject to change without notice.
 
© 2014 Microsoft