Script repository
The script enables the ActiveSync Exchange feature for members of the specified group and disables the feature for others. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain will only be used to trigger execution of the scheduled task.
Parameters
$groupDN - the distinguished name (DN) of the group whose members will have the ActiveSync feature enabled. For information on how to get the DN of a directory object, see Get the DN of a directory object.
$reportPathBeforeUpdate - a path to the CSV file that will contain users who had the feature enabled before running the script.
$reportPathAfterUpdate - a path for the CSV report containing users who have the feature enabled after the script run.
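# Timestamp that is embedded in both report file names.
# HH (24-hour clock) is used instead of hh: with a 12-hour clock a run at
# 01:00:00 and a run at 13:00:00 on the same day produce the same file name,
# and the later run overwrites the earlier report.
$CurrentDate = (Get-Date).ToString('MM-dd-yyyy_HH-mm-ss')

# DN of the group whose members will have ActiveSync enabled.
$groupDN = "CN=ACTIVE_SYNC_ALLOWED,OU=Exchange Objects,DC=example,DC=com" # TODO: modify me

# CSV listing the users that had ActiveSync enabled before the run.
$reportPathBeforeUpdate = "\\SERVER\Share\Reports\BeforeRunActiveSyncEnabled_$CurrentDate.csv" # TODO: modify me

# CSV listing the users that have ActiveSync enabled after the run.
$reportPathAfterUpdate = "\\SERVER\Share\Reports\AfterRunActiveSyncEnabled_$CurrentDate.csv" # TODO: modify me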
$scriptBlock = {
Import-Module Adaxes
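function UpdateActiveSync ($userInfos)
{
    # Sets the ActiveSync mailbox feature for every user listed in $userInfos.
    #   $userInfos - dictionary: key is a user GUID, value is the state to set
    #                ($True enables ActiveSync, $False disables it).
    # Uses $admService from the calling scope to open each user.
    # A user is skipped without any message when it cannot be opened, is not
    # mailbox-enabled, or when reading or saving its Exchange settings fails.
    # The report written after the run is the only record of the outcome.
    foreach ($userGuid in $userInfos.Keys)
    {
        $userPath = 'Adaxes://<GUID=' + $userGuid + '>;'
        try
        {
            # Opened inside try: if the call failed outside one, $user would
            # still hold the previous user and that account would be changed
            # with the state meant for this GUID.
            $user = $admService.OpenObject($userPath, $NULL, $NULL, 0)
        }
        catch
        {
            continue
        }

        # Check whether the user has an Exchange mailbox.
        if ($user.RecipientType -ine 'ADM_EXCHANGERECIPIENTTYPE_MAILBOXENABLED')
        {
            continue
        }

        try
        {
            # Get Exchange properties.
            $mailboxParams = $user.GetMailParameters()
        }
        catch
        {
            continue
        }

        try
        {
            # Look up the ActiveSync feature, set the requested state and save.
            # The lookup is inside the try so that a failed lookup skips the
            # user instead of saving with a feature object left over from an
            # earlier iteration.
            $activeSync = $mailboxParams.MailboxFeatures.GetItemByType('ADM_EXCHANGE_MAILBOXFEATURETYPE_ACTIVESYNC')
            $activeSync.Enabled = $userInfos[$userGuid]
            $user.SetMailParameters($mailboxParams, 'ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE')
        }
        catch
        {
            continue
        }
    }
}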
# LDAP filter for user accounts with an Exchange mailbox (system mailboxes
# excluded) whose msExchOmaAdminWirelessEnable value does not have the bit
# that this script treats as ActiveSync disabled.
[int]$disabledBit = 4
$bitIsSet = [Softerra.Adaxes.Ldap.FilterBuilder]::CreateBitAndMatch('msExchOmaAdminWirelessEnable', $disabledBit)
$bitIsClear = [Softerra.Adaxes.Ldap.FilterBuilder]::CreateNegation($bitIsSet)

# Single quotes are used for literals in this script block because its text is
# handed to a new PowerShell process on the command line.
$filterText = New-Object 'System.Text.StringBuilder'
[void]$filterText.Append('(&(sAMAccountType=805306368)(mailNickname=*)(!(cn=SystemMailbox{*))(msExchHomeServerName=*)(msExchVersion=*)')
[void]$filterText.Append($bitIsClear)
[void]$filterText.Append(')')
$activeSyncEnabledFilter = $filterText.ToString()
# Find every user under the search base that currently has ActiveSync enabled.
$users = Get-AdmUser -AdaxesService localhost -Server $domainName `
    -SearchBase '%distinguishedName%' -SearchScope SubTree `
    -LdapFilter $activeSyncEnabledFilter `
    -Properties DisplayName, SamAccountName, mail

# Keep their GUIDs in a set; it is compared with the group members later.
$userActiveSyncEnabled = New-Object 'System.Collections.Generic.HashSet[System.Guid]'
foreach ($enabledUser in $users)
{
    [void]$userActiveSyncEnabled.Add($enabledUser.ObjectGUID)
}

# Write the state found before any change is made, so that the run can be
# reviewed or reversed from the report.
$users |
    Select-Object DisplayName, SamAccountName, mail |
    Sort-Object DisplayName |
    Export-Csv -Path $reportPathBeforeUpdate -NoTypeInformation
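# Bind to the group whose members are allowed to use ActiveSync.
$admNS = New-Object 'Softerra.Adaxes.Adsi.AdmNamespace'
$admService = $admNS.GetServiceDirectly('localhost')
$groupPath = 'Adaxes://' + $groupDN
$group = $admService.OpenObject($groupPath, $NULL, $NULL, 0)

# Stop before anything is changed when the group could not be opened (wrong
# DN, service unavailable). Without this check the member list ends up empty
# and every user that currently has ActiveSync enabled is queued for disabling.
if ($NULL -eq $group)
{
    throw ('Cannot open group ' + $groupDN + '. No ActiveSync settings were changed.')
}

# Build an OR filter with one objectGUID clause per group member.
# NOTE(review): if reading adm-MembersGuid fails, or the later member search
# fails, the member list is still empty and all enabled users are disabled;
# confirm whether that is the intended result for a group without members.
$groupMemberFilter = New-Object 'System.Text.StringBuilder'
[void]$groupMemberFilter.Append('(&(sAMAccountType=805306368)(|')
foreach ($memberGuidInByte in $group.GetEx('adm-MembersGuid'))
{
    # The leading comma passes the value to the Guid constructor as a single
    # argument instead of spreading its elements.
    $memberGuid = New-Object 'System.Guid' (,$memberGuidInByte)
    [void]$groupMemberFilter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create('objectGUID', $memberGuid))
}
[void]$groupMemberFilter.Append('))')
$groupMemberFilter = $groupMemberFilter.ToString()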
# Look up the user accounts that are members of the group.
$memberGuids = Get-AdmUser -AdaxesService localhost -Server $domainName `
    -SearchBase '%distinguishedName%' -SearchScope SubTree `
    -LdapFilter $groupMemberFilter

# Work out the changes: GUID -> state to set.
$userInfos = @{}
foreach ($member in $memberGuids)
{
    $guid = $member.ObjectGUID
    if (-not $userActiveSyncEnabled.Contains($guid))
    {
        # Member without ActiveSync: enable it.
        [void]$userInfos.Add($guid, $True)
        continue
    }

    # Member that already has ActiveSync: nothing to change. Removing the GUID
    # leaves only non-members in the set.
    [void]$userActiveSyncEnabled.Remove($guid)
}

# Whatever is left in the set has ActiveSync enabled but is not a member of
# the group: disable it.
foreach ($nonMemberGuid in $userActiveSyncEnabled)
{
    [void]$userInfos.Add($nonMemberGuid, $False)
}
# Apply the computed changes.
UpdateActiveSync $userInfos

# Search again and write the list of users that have ActiveSync enabled after
# the run. Users skipped by UpdateActiveSync only show up through this report.
Get-AdmUser -AdaxesService localhost -Server $domainName `
    -SearchBase '%distinguishedName%' -SearchScope SubTree `
    -LdapFilter $activeSyncEnabledFilter `
    -Properties DisplayName, SamAccountName, mail |
    Select-Object DisplayName, SamAccountName, mail |
    Sort-Object DisplayName |
    Export-Csv $reportPathAfterUpdate -NoTypeInformation
}
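# Start Windows PowerShell as a separate process and run the script block in the process.
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$powershellPath = "$env:windir\system32\windowspowershell\v1.0\powershell.exe"

# The four values are written into single-quoted literals in the generated
# command text. Every character PowerShell accepts as a single quote (the
# ASCII one and the typographic variants) is doubled, so a value such as a DN
# containing an apostrophe cannot end the literal and be parsed as code.
# NOTE(review): double quotes in these values are still consumed by
# command-line parsing; confirm the DN and the paths contain none.
$quotePattern = "['\u2018\u2019\u201A\u201B]"
$domainNameLiteral = $domainName -replace $quotePattern, '$0$0'
$reportBeforeLiteral = $reportPathBeforeUpdate -replace $quotePattern, '$0$0'
$reportAfterLiteral = $reportPathAfterUpdate -replace $quotePattern, '$0$0'
$groupDNLiteral = $groupDN -replace $quotePattern, '$0$0'

# The child process is started without -Wait: this script returns immediately
# and errors raised in the child are not reported back to the scheduled task.
# NOTE(review): -ExecutionPolicy Bypass turns off execution-policy checks in
# the child process; confirm that is required on this host.
Start-Process $powershellPath -NoNewWindow `
    -ArgumentList ("-ExecutionPolicy Bypass -noninteractive -noprofile `$domainName = '$domainNameLiteral'; `$reportPathBeforeUpdate = '$reportBeforeLiteral'; `$reportPathAfterUpdate = '$reportAfterLiteral'; `$groupDN = '$groupDNLiteral';" + $scriptBlock)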
Comments 3
Sandra Mitchell
I'm unable to get this to work. I suspect it may have something to do with the Activity Scope, but I'm not sure. Can someone reach out so that I can provide specifics.
Thanks...
Support
Hello Sandra,
What exactly is not working? Do you face any error messages? If so, please, provide us with screenshots.
Could you, please, post here or send us (support[at]adaxes.com) the script you are using in TXT format including all your modifications?
Also, provide us with a screenshot of the Custom Command, Business Rule or Scheduled Task that executes the script. If it is a Business Rule or Scheduled Task, please, include the Activity Scope section into the screenshot.
Sandra Mitchell
I'll respond via email...