After talking to Microsoft, the only way to do this is a script when the account is created. What I have done is every couple of weeks I run an ADModify with a custom LDAP query that pulls all accounts that have the default setting of 0. Then I select those accounts and set the attribute to explicit disable. If a user needs access they have to go through the approval process, then we enable the option.
You would think that MS would have a changeable default value for that, since people have been asking for it since Exch 2000.

From: May, Jeff [mailto:j...@bbandt.com]
Sent: Wednesday, December 30, 2009 2:56 PM
To: MS-Exchange Admin Issues
Subject: RE: Access control to Exchange Active Sync

We script our account creations out so helpdesk personnel and customer service request personnel, along with our Information Security groups, can do mail account creations. At this point, after the mailbox has been "enabled", the script also removes the ActiveSync functionality. This may help if you do script mailbox creation as a method to hand it down to request personnel to handle. Just a thought on the methods we currently have in place.

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Wednesday, December 30, 2009 2:38 PM
To: MS-Exchange Admin Issues
Subject: Access control to Exchange Active Sync

We're implementing ActiveSync on Exchange 2007 SP1 RU9 on Svr 2008. We want to control who can sync their devices to Exchange; using the Enable/Disable flag on the mailbox isn't a good solution since all newly created users are enabled by default. We would like to control this somehow with a security group, other than a nightly PoSH cmd to disable all and enable only the members of the group. The thought was to use a Security group and set the permissions in IIS/NTFS, which I tested, and it broke the OAB access for OLK 2007 clients and left them with the continuous "Outlook is synchronizing folders..." message. I made the following changes on the Microsoft-Server-ActiveSync vdir: removed Authenticated Users and added the new Security Group with Read access, which is what Authenticated Users had. One thought I have is to make the Security Group changes to the files located in .\ClientAccess\Sync, but I'm unsure of future ramifications of doing so. So default.eas and global.asax, since they would be accessed when setting up a new ActiveSync partnership.
Wondering if anyone else has a suggested access control method or has tried to accomplish this before. We are publishing with an ISA box, but it's not on our Domain and we don't have the LDAP connectivity setup to apply the group to the EAS publishing rule. TIA. JB
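The group-driven approach the thread circles around (the "nightly PoSH" reconciliation John mentions, and the explicit enable-on-approval the first reply describes) can be done against the per-mailbox ActiveSync flag rather than IIS/NTFS permissions, which is what broke OAB access. The following is an added example, not a script from any poster; it assumes an Exchange 2007 Management Shell, and the group DN is a placeholder.

```powershell
# Example (not from the thread): reconcile each mailbox's ActiveSyncEnabled flag
# with membership of an "allowed" security group. Without -Apply it only reports
# drift, so it can be run first to see who would be disabled or enabled.
param(
    [string]$AllowedGroupDN = "CN=EAS-Allowed,OU=Groups,DC=example,DC=com",  # placeholder
    [switch]$Apply
)

# Resolve the group's membership, including nested groups, with a single
# LDAP_MATCHING_RULE_IN_CHAIN query instead of walking groups recursively.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(memberOf:1.2.840.113556.1.4.1941:=$AllowedGroupDN))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

# Hashtable keyed by DN; PowerShell hashtable keys are case-insensitive.
$allowed = @{}
foreach ($r in $searcher.FindAll()) {
    $allowed[[string]$r.Properties["distinguishedname"][0]] = $true
}

# Walk every CAS mailbox: new mailboxes default to enabled, so anyone not in the
# group is disabled; anyone removed from the group loses access the same way.
foreach ($cas in (Get-CASMailbox -ResultSize Unlimited)) {
    $desired = $allowed.ContainsKey($cas.DistinguishedName)
    if ($cas.ActiveSyncEnabled -ne $desired) {
        # Report the drift (calculated property keeps this PowerShell 1.0 friendly)
        $cas | Select-Object Identity, ActiveSyncEnabled, @{n="Desired"; e={$desired}}
        if ($Apply) {
            Set-CASMailbox -Identity $cas.Identity -ActiveSyncEnabled $desired
        }
    }
}
```

Scheduling this as a task closes the gap between account creation and the next run; the approval step then becomes simply adding the user to the group.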