Enabling and disabling MAPI and/or non-Cached access per user in Exchange 2003 SP2


Exchange Server 2003 Service Pack 2 (SP2) adds functionality to allow the administrator to completely turn off MAPI access for a given user or grant access to a user whose Outlook is configured for cached mode but deny access otherwise. This functionality is expected to be valuable to providers of hosting services that for example want their end users to connect to Exchange with Outlook Web Access but not with Outlook (via regular MAPI connection or RPC over HTTP).

The ProtocolSettings attribute on the user object in the Active Directory stores client access settings. This attribute is a multi-valued string property, where each string applies to a different protocol. MAPI access can be restricted by manually adding the following string to the ProtocolSettings attribute using a tool such as ADSIEdit:

MAPI§<Bool1>§<Bool2>§§§§§§

The eight § separators define exactly nine fields. The meanings of the fields are as follows:

| Field | Meaning |
| --- | --- |
| MAPI | Specifies that this string contains settings that apply to the MAPI protocol |
| Bool1 | 0 to block all MAPI access; 1 to determine MAPI access based on Bool2. |
| Bool2 | 0 for “no effect”; 1 to deny access to non-cached mode Outlook clients |
| Remaining 6 fields | Currently not used |

If there is no MAPI string in ProtocolSettings, all MAPI clients are allowed.

Some examples of this:

MAPI§0§<Bool2>§§§§§§ - this would block ANY client MAPI access to the mailbox (cached or not), no matter what the value of “Bool2” was.

MAPI§1§0§§§§§§ - this would not block anything, because the value “Bool2” is set to “0”. MAPI access is allowed for online and cached clients.

MAPI§1§1§§§§§§ - this would block any “online” (non-cached) MAPI access. Outlook clients accessing the server using cached mode would be able to connect to the mailbox.

If the MAPI string does not have exactly eight separators, or its fields do not conform to the expected data types, the behavior is undefined.
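The following added example (not code from the Exchange team post) parses a multi-valued ProtocolSettings value, applies the Bool1/Bool2 rules above, and flags a malformed MAPI string rather than guessing at the undefined behavior; the function names are my own and the attribute values are constructed.

```python
# Added example (not from the original post): parse and evaluate the per-user
# MAPI entry of the ProtocolSettings attribute described above.
SEP = "§"
MAPI_FIELDS = 9  # eight separators => nine fields


def mapi_entry_error(entry):
    """Return why a MAPI entry is malformed, or None if it is well-formed.

    A string without exactly eight separators, or with non-boolean fields,
    has undefined behaviour per the post, so an audit should flag it.
    """
    fields = entry.split(SEP)
    if len(fields) != MAPI_FIELDS:
        return f"{len(fields) - 1} separators, expected 8"
    if fields[1] not in ("0", "1") or fields[2] not in ("0", "1"):
        return "Bool1/Bool2 must be 0 or 1"
    return None


def parse_mapi_setting(protocol_settings):
    """Return the nine MAPI fields from the multi-valued attribute, or None if absent."""
    for entry in protocol_settings:
        if entry.split(SEP)[0] != "MAPI":
            continue  # entries for other protocols are not covered here
        error = mapi_entry_error(entry)
        if error:
            raise ValueError(f"{error}: {entry!r}")
        return entry.split(SEP)
    return None


def mapi_access_allowed(protocol_settings, cached_mode):
    """Decide whether an Outlook MAPI client (cached or online) may connect."""
    fields = parse_mapi_setting(protocol_settings)
    if fields is None:
        return True         # no MAPI string: all MAPI clients are allowed
    if fields[1] == "0":
        return False        # Bool1 = 0 blocks all MAPI access regardless of Bool2
    if fields[2] == "1":
        return cached_mode  # Bool2 = 1 denies only non-cached (online) clients
    return True             # Bool1 = 1, Bool2 = 0: no restriction


def build_mapi_setting(block_all, deny_online):
    """Build a well-formed MAPI entry (eight separators) for ProtocolSettings."""
    bool1 = "0" if block_all else "1"
    bool2 = "1" if deny_online else "0"
    return SEP.join(["MAPI", bool1, bool2] + [""] * 6)
```

Any other-protocol entries in the list are skipped untouched; the "POP3§…" value in the test is a constructed placeholder, not the real POP3 format.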

The access restrictions specified above do NOT apply in the following cases:

- the client is an Exchange component (for example, mailbox moves would still work correctly regardless of the MAPI access settings for the mailboxes)
- the client is doing delegate access to the mailbox

Delays in ProtocolSettings becoming effective can be caused by:

1. As with other mailbox properties stored in the DS, ProtocolSettings are cached in the MBICache (default TTL = 2hrs) and in DSAccess (default TTL = 15 min). These caches may delay the time it takes for a change in the ProtocolSettings to become effective.

In order to read more about the Information Store cache, please see the following article:

179065 XADM: Changes to Primary Windows NT Account on Mailbox Do Not Take Effect
http://support.microsoft.com/?id=179065

2. The access check is performed at connection time. If a user is connected and the setting is changed to deny access, the change won’t take effect until the client disconnects (which may take place several days later).

3. In the case above, since Outlook typically uses more than one connection, if one connection drops while the others stay on, there may be unexpected behavior when Outlook tries to re-establish the dropped connection. This client will be denied access, and all it takes to find out what is happening is to restart Outlook.

One additional thing to mention is that if the following registry key is set:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\Disable MAPI Clients

then the server is set to block certain client versions server-wide (based on the registry value). Specific users could be affected (blocked) either by this registry setting or by the per-user MAPI ProtocolSettings.

For more information on the "Disable MAPI Clients" registry key, please see the following article:

288894 How to disable MAPI client access to an Exchange Server 2003 computer or
http://support.microsoft.com/?id=288894

- Aaron Szafer, Nino Bilic

Comments (10)
  1. Anonymous says:

    In related news, the Exchange team blog has a great post today explaining how Exchange 2003 SP2 gives us the ability to block individual users from using MAPI. The good news: because the MAPI blocking is added to the existing ProtocolSettings mechanism for blocking other protocols, you can use the same script to block or allow multiple protocols at once.

  2. Anonymous says:

    I just saw this post from the Exchange team. This is great news for hosters that want to offer…

  3. Anonymous says:

    I just saw this post from the Exchange team. This is great news for hosters that want to offer…

  4. Radovan Vojtek says:

    Hi, is there any possibility to block cached-mode clients? Blocking noncached clients could be good, however I’d appreciate the ability to block cached-mode Outlook (security reason, etc.). Is there any way to block it? (yeah, I could set up a "DisableCacheMode" Group Policy, but what ’bout non-domain users?)

    Thanx,

    R.V.

  5. Anonymous says:

    Exchange 2003 SP2 will implement a new feature where by an administrator can control MAPI access to the…

  6. Anonymous says:

    There’s an interesting new feature in Exchange 2003 as of SP2 that the Exchange Team posted about…

  7. Anonymous says:

    There’s an interesting new feature in Exchange 2003 as of SP2 that the Exchange Team posted about…

  8. alex says:

    Will there ever be support to require encrypted sessions? Right now, the CLIENT checks a box in their outlook profile to "Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server." It seems like this no-brainer setting should be an option the server can require. Why can’t we?

  9. Frank Carius says:

    Great stuff and thank you for that early information on how to disable MAPI per user.

    Unfortunately the Exchange 2003 SP2 CTP does not expose those settings in the GUI.

    And on the other side it’s not really fun to maintain hundreds or thousands of users manually. And I have not found a way to control access by group memberships. So I have written a small VBScript earlier to set the POP3, IMAP4, OWA, OMA permissions using security groups.

    I have added the MAPI properties with the current version. So I have to create groups to allow POP3, IMAP4, OMA, OWA and to disallow MAPI and to enforce "cached mode", and start that VBScript once a day.

    Unfortunately the web page itself is German. So use Google to translate. But VBScript is "universal" :-)

    http://www.msxfaq.de/tools/grp2exinet.htm

  10. Anonymous says:

    There are several options for configuring restrictions on MAPI client access to Exchange 2003 SP 2.
