Microsoft Exchange 2007 was a big step forward, but some common-sense settings are simply not possible!  To "fail safe," one would expect that certain mailbox features could be globally disabled.  A prime example is ActiveSync, which allows Windows Mobile handsets (or devices licensing the technology, e.g. the Apple iPhone) to synchronize e-mail, calendar, contacts, and tasks with your Exchange server.  Rather than new mailboxes being created with this feature disabled, it is enabled by default!


Sure, you can disable ActiveSync for all users from the command line.  For example:

Get-CASMailbox | Set-CASMailbox -ActiveSyncEnabled $false

You can use other commands to narrow the set of users by whatever parameters you deem important, including Exchange server, mailbox database, location, department, etc., and pipe the result to the Set-CASMailbox command to disable ActiveSync (and/or OWA access, if you like).

To see which users have devices that have formed partnerships, i.e. users who are actually using ActiveSync, the following command will help:

Get-CASMailbox | where {$_.HasActiveSyncDevicePartnership} | select Name
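Putting the two commands above together, here is an added Exchange Management Shell script (not from the original post) that approximates a "disabled by default" posture: it turns ActiveSync off for every mailbox that has it enabled but has never paired a device, while leaving existing device users and an allowlist untouched.  The allowlist is assumed to be a distribution group named ActiveSync-Allowed, and the script runs with -WhatIf unless -Commit is given.

```powershell
# Added example: enforce "ActiveSync off unless needed" on Exchange 2007.
# Assumes the Exchange Management Shell and a distribution group named
# "ActiveSync-Allowed" (assumed name) listing users who may keep ActiveSync.
param(
    [string]$AllowGroup = "ActiveSync-Allowed",
    [switch]$Commit
)

# Build the allowlist from group membership, keyed on the primary SMTP address.
$allowed = @{}
Get-DistributionGroupMember -Identity $AllowGroup -ResultSize Unlimited |
    ForEach-Object { $allowed[$_.PrimarySmtpAddress.ToString().ToLower()] = $true }

function Is-Allowed($casMailbox) {
    return $allowed.ContainsKey($casMailbox.PrimarySmtpAddress.ToString().ToLower())
}

# -ResultSize Unlimited matters: Get-CASMailbox returns only the first 1000 objects
# by default, so a blanket pipeline silently skips mailboxes in a larger organisation.
$all = Get-CASMailbox -ResultSize Unlimited

# Mailboxes that are enabled, not allowlisted, and have never paired a device:
# these are the ones that should have been created disabled in the first place.
$toDisable = $all | Where-Object {
    $_.ActiveSyncEnabled -and
    -not $_.HasActiveSyncDevicePartnership -and
    -not (Is-Allowed $_)
}

foreach ($m in $toDisable) {
    if ($Commit) {
        Set-CASMailbox -Identity $m.Identity -ActiveSyncEnabled $false
    } else {
        # Dry run: Set-CASMailbox honours -WhatIf and only reports what it would change.
        Set-CASMailbox -Identity $m.Identity -ActiveSyncEnabled $false -WhatIf
    }
}

# Report, but do not touch, mailboxes that are already paired with a device yet are
# not on the allowlist; these need a human decision rather than a blanket change.
Write-Host "Enabled with a device partnership but not allowlisted (review manually):"
$all | Where-Object {
    $_.ActiveSyncEnabled -and $_.HasActiveSyncDevicePartnership -and -not (Is-Allowed $_)
} | Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize
```

Run it on a schedule and the report at the end doubles as a detection for mailboxes that picked up a device partnership without going through whatever approval process feeds the allowlist group.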

Of course, Exchange provides a great deal of policy control over mobile handsets, which can be as simple as requiring a PIN or as granular as controlling which features of the handset can be used, e.g. the camera.  But something as basic as the ability to disable a feature by default is completely missing!  In security, whitelisting is always preferable to blacklisting, and right now Exchange makes this difficult!
