Disabling Outlook Anywhere Per User

RPC/HTTPS was the first name when outlook anywhere access was introduced with Exchange Server 2003. Exchange 2003 did not provide a very granular control on it though. With increase in productivity it also brought a concern with it. It could allow configuring user’s mailbox on any outlook client even if the user was not supposed to do it. Result, people could make unauthorized copies of their mailboxes on their home PCs and laptops.

Exchange 2007 SP1 and later has a great feature of disabling outlook anywhere access per user basis. It is a very simple process of running few commands in powershell and the administrator is done with the configuration. Lets take a look:

To disable outlook anywhere for a single user:

Get-Mailbox –Identity <username> | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True

To disable it for all users:

Get-Mailbox –ResultSize Unlimited | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True

To disable it for selected users only:

  • Identify the user who need to be blocked access to Outlook Anywhere.
  • Make a list of all such user’s user accounts.
  • Put it in a simple text file as below:




  • Now save this text file to any location you want with name Mailboxes.txt. In my case it is D:Mailboxes.txt
  • Simply run the script below.

$Mailboxes = Get-Content D:Mailboxes.txt
Foreach ($Mailbox in $Mailboxes)
Set-CASMailbox -Identity $Mailbox -MAPIBlockOutlookRpcHttp:$true -Verbose

The harder way:

Each mailbox in active directory has an attribute named ProtocolSettings on it. When you have outlook anywhere enabled for a specific user mailbox the value of ProtocolSettings is set to MAPI§§§§§0§§§, HTTP§1§1§§§§§§, OWA§1 and when you disable outlook anywhere the value of this attribute changes to MAPI§§§§§1§§§, HTTP§1§1§§§§§§, OWA§1

I would not touch these attributes in AD unless there is a good reason to do so but thought it could help for some people for troubleshooting. Hope this post helps Smile