Sunday, December 15, 2013

Disabling Exchange 2010 ActiveSync, OWA, POP, IMAP or MAPI access for mailboxes with PowerShell

I’ve recently been asked by an administrator at a school to suggest the best way of preventing students from setting up an Outlook profile for their mailboxes.  The first thought that I had was that we could simply disable MAPI access via the Mailbox Features tab in the Exchange Management Console


Enable or Disable MAPI for a User Mailbox

The challenge was that there are thousands of students in the school and manually clicking in the GUI to disable the MAPI feature wasn’t the best choice so we turned to PowerShell.

The 2 cmdlets we’ll be using to turn off MAPI access are the following:



The first Get-Mailbox is to retrieve the mailboxes which will then be piped into the Set-CASMailbox cmdlet.

The following is an example of retrieving all of the mailboxes from a mailbox database then piping it into the set cmdlet to disable MAPI:

Get-Mailbox -Database "Students Database" | Set-CASMailbox -MAPIEnabled $false


Note that if you have more than 1000 objects returned from the Get-Mailbox cmdlet then you will receiving the warning:

WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of items returned. To return all items, specify "-ResultSize Unlimited". Be aware that, depending on the actual number of items, returning all items can take a long time and consume a large amount of memory. Also, we don't recommend storing the results in a variable. Instead, pipe the results to another task or script to perform batch changes.

I’ve ran this cmdlet in a few environments and noticed that it applies the changes to more than 1000 objects but just to be the safe, I usually run it with the additional -ResultSize unlimited switch:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Set-CASMailbox -MAPIEnabled $false


From here, you can randomly select users to ensure the MAPI feature is turned off


Note the warning message:

There are more results available than are currently displayed. To view them, increase the value for the ResultSize parameter.

You can change this limit of 1000 objects returned setting as shown in the following article:

Click on the Recipient Configuration node on the left Modify the Maximum Number of Recipients link on the right:


Then change the vaue for Maximum recipients to display:


The GUI may not be the most optimal way of reviewing the configuration change so going back to PowerShell, you can use the following cmdlet to list all of the recipient objects in a store with their mailbox feature settings:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Get-CASMailbox


If the list is too long, you can either use the | more command at the end as such:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Get-CASMailbox | more

… or simply pipe the output to a text file:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Get-CASMailbox > C:\mailboxfeatures.txt


Note that to disable or enable the other features, simply replace -MAPIEnabled with any of the following:

  • ActiveSyncEnabled
  • OWAEnabled
  • PopEnabled
  • ImapEnabled


electronic signatures said...

Very informative post. I sometimes do presentations on SharePoint and was wondering if I could use your Print List example in my presentations and refer my audience to your website for further info.

Leslie Lim said...

First time I commented in a blog! I really enjoy it. You have an awesome post. Please do more articles like this. I'm gonna come back surely. God bless.