
Mass-enabling or disabling Outlook Mobile Access permissions

In Exchange Server 2003, Outlook Mobile Access is enabled by default for all users. If you're in a large organization, you probably want to be more selective about who is allowed to use OMA, but making mass changes to AD user accounts can be challenging. In this tip, discover how to make bulk modifications to OMA user permissions.

When setting up Outlook Mobile Access (OMA) for an Exchange Server installation, you may want to selectively enable or disable OMA for groups of users (or all users at once). But doing so can be slightly complicated because of certain default Exchange Server and Windows Server configurations.


When you first set up Exchange 2003, all users have OMA enabled in their Active Directory account properties. But the Outlook Mobile Access option -- which controls whether or not those AD properties are used -- is disabled. Since users' OMA settings in AD are not activated, if OMA is enabled in Exchange System Manager (in Global Settings -> Mobile Services), all users will have OMA turned on.

If you're in an organization with a lot of users, you probably do not want to give OMA usage permissions to everyone. But you also don't want to have to go through AD and manually disable OMA for each person you don't want to allow mobile access.

There is a faster and easier way to selectively allow OMA access, though. The first -- and hardest -- step is turning off OMA by default for all users in Active Directory. One quick way to do this is through the following VBScript, which sets the msExchOmaAdminWirelessEnable property in AD for each user to 7 (the value meaning "disabled").

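' Bind to the Users container under the domain's default naming context
Set xDSE = GetObject("LDAP://rootDSE")
Set xUsers = GetObject("LDAP://cn=Users," & xDSE.Get("defaultNamingContext"))
xUsers.Filter = Array("user")   ' skip groups and other non-user objects
For Each xUser In xUsers
    xUser.Put "msExchOmaAdminWirelessEnable", "7"
    xUser.SetInfo   ' commit the cached change to Active Directory
Next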

You can then enable OMA for certain users through Active Directory Users and Computers with a tool like ADModify, which allows you to bulk-modify the msExchOmaAdminWirelessEnable property for a list of users or by user-group names. This usually requires two passes, though -- one pass to disable OMA access for everyone (as above), and then another pass to enable it for selected users.
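
Before and after each pass it helps to know which accounts actually carry the value. The following read-only audit is an added example, not part of the original tip: it assumes the same cn=Users container and the value 7 used in the script above, and it treats an account whose attribute cannot be read as not yet processed. The file name in the comment is hypothetical.

```vbscript
' Added example: read-only audit of msExchOmaAdminWirelessEnable in cn=Users.
' Run with: cscript //nologo audit-oma.vbs   (hypothetical file name)
Option Explicit
Const DISABLED_VALUE = 7   ' the value the tip's script writes

Dim rootDse, container, user, value, total, flagged
Set rootDse = GetObject("LDAP://rootDSE")
Set container = GetObject("LDAP://cn=Users," & rootDse.Get("defaultNamingContext"))
container.Filter = Array("user")   ' user objects only, no groups

total = 0
flagged = 0
For Each user In container
    total = total + 1
    value = ReadOmaFlag(user)
    If IsNull(value) Then
        ' Attribute absent or unreadable: the account was never processed
        flagged = flagged + 1
        WScript.Echo "NOT SET    " & user.Get("sAMAccountName")
    ElseIf CLng(value) <> DISABLED_VALUE Then
        ' Attribute present but different from the value the script writes
        flagged = flagged + 1
        WScript.Echo "VALUE " & value & "    " & user.Get("sAMAccountName")
    End If
Next
WScript.Echo flagged & " of " & total & " accounts do not carry the value " & DISABLED_VALUE

' Returns the attribute value, or Null when ADSI cannot read it
' (Get raises an error when the attribute is not set on the object).
Function ReadOmaFlag(adsUser)
    Dim v
    On Error Resume Next
    v = adsUser.Get("msExchOmaAdminWirelessEnable")
    If Err.Number <> 0 Then
        ReadOmaFlag = Null
        Err.Clear
    Else
        ReadOmaFlag = v
    End If
    On Error GoTo 0
End Function
```

Because it only reads, the audit can be rerun on a schedule to list accounts created since the last pass.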


About the author: Serdar Yegulalp is editor of Windows Insight.


What about users that are created after you've disabled Outlook Web Access for a selective few? Will OWA still be enabled for them by default?
—Mark A.


I haven't yet been able to find a definitive answer, but I believe Outlook Web Access will still be enabled for new users by default. My own Exchange installation is currently toast or I'd try it out myself, but I suspect this is what will happen.
—Serdar Yegulalp, tip author


To disable only OMA, the correct value is "2" not "7." The "7" value will disable OMA, ActiveSync and push technology. Please refer to the table below.

msExchOmaAdminWirelessEnable OMA User Initiated

—Juan U.


Great article; I was not aware of the bulk tool ADModify previously. However, when I try to cut and paste the VB extract to a text document and rename it 'disable.vbs,' I get the following error:

I am running native Windows Server 2003 AD (R2) and Exchange 2003 SP2.

I am unsure from the article whether the script was meant to disable OWA by default, or whether it does it individually per already-created-user (looking at the script I would guess the latter).

If there is a way of disabling users by default, it would save the admins that create users from forgetting to set this each time.
—Graham S.


The script disables existing users. A number of people have asked if it's possible to do this for all users by default, which I'm not sure of yet (although I'm looking into ways to do that).

As for the error you're getting, I'm not sure about that either. Although one possible reason is that you're running it in the context of a user account that doesn't allow such objects to be modified.
—Serdar Yegulalp, tip author


Our organization would like to be able to change the default behavior for Microsoft Exchange regarding OMA. We don't want to run a script and then have all new users after the script is run be set to allow OMA access. What an administrative nightmare!

We have hundreds of new users created every month. We want to control who gets permission to use OMA access. Running the script today isn't going to help control the 200+ new accounts created every month thereafter!
—Melissa A.
