We're implementing ActiveSync on Exchange 2007 SP1 RU9 on Svr 2008. We want to control who can sync their devices to Exchange; using the Enable/Disable flag on the mailbox isn't a good solution, since all newly created users are enabled by default. We would like to control this somehow with a security group, other than a nightly PoSH cmd to disable all and enable only the members of the group. The thought was to use a Security group and set the permissions in IIS/NTFS, which I tested, and it broke the OAB access for OLK 2007 clients and left them with the continuous "Outlook is synchronizing folders.." message.
I made the following changes on the Microsoft-Server-ActiveSync vdir: removed Authenticated Users and added the new Security Group with Read access, which is what Authenticated Users had. One thought I have is to make the Security Group changes to the files located in .\ClientAccess\Sync, but I'm unsure of future ramifications of doing so. So default.eas and global.asax, since they would be accessed when setting up a new ActiveSync partnership. Wondering if anyone else has a suggested access control method or has tried to accomplish this before. We are publishing with an ISA box, but it's not on our domain and we don't have the LDAP connectivity set up to apply the group to the EAS publishing rule. TIA. JB