I recently ran into a situation where I had to apply a custom ActiveSync policy to a specific subset of the mailboxes in our organization. We have an MDM solution that targets only our domestic users, and in the process of rolling it back (yes, we're no longer requiring users to use our MDM solution), management finally agreed that we could enforce most of our password and security requirements by simply using an ActiveSync policy and eliminate the complexity of the MDM solution. I would have preferred to modify the Default policy, but they wanted the change done quickly and we didn't have time to notify our international users. So, I needed a quick way to set the ActiveSync policy on only our domestic users' mailboxes.
The domestic users are all in one site, but the site is more of a North America site, rather than a USA-only site, so one of the requirements is to modify the domestic mailboxes without touching the Canadian mailboxes. To do this, I needed to target specific OUs.
Our domestic Exchange site has multiple mailbox databases, but we let the system balance the mailboxes across the databases, so the Canadian mailboxes are mixed in with the domestic mailboxes. The database names are similar - GV1DB01, GV1DB02, GV1DB03, etc., so to gather up all the mailboxes, we'll use a wildcard to get the databases, then pipe the results to Get-Mailbox and limit the results to just the OUs we want.
Get-MailboxDatabase GV1* | Get-Mailbox -OrganizationalUnit "ou=Headquarters,dc=domain,dc=local" -ResultSize unlimited
After running that command and verifying the results, all we need to do is re-run the command and pipe the results to Set-CASMailbox.
Get-MailboxDatabase GV1* | Get-Mailbox -OrganizationalUnit "ou=Headquarters,dc=domain,dc=local" -ResultSize unlimited | Set-CASMailbox -ActiveSyncMailboxPolicy "DomesticASPolicy"
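A way to preview the change and then confirm its scope, as an added example that is not part of the original post: the dry run uses -WhatIf, and the check afterwards lists any mailbox on the GV1 databases whose policy does not match its OU membership. The variable names are assumptions of the example; the database wildcard, OU and policy name are the ones used above.

```powershell
# Added example, not the post's own code. Values below are the ones used in the post.
$ou     = 'ou=Headquarters,dc=domain,dc=local'
$policy = 'DomesticASPolicy'

# 1. Dry run: -WhatIf reports each mailbox that would be changed without changing it.
Get-MailboxDatabase GV1* |
    Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policy -WhatIf

# 2. After the real run: collect every mailbox on the GV1 databases, and separately
#    record which of them fall under the target OU.
$all = @(Get-MailboxDatabase GV1* | Get-Mailbox -ResultSize Unlimited)

$inScope = @{}
Get-MailboxDatabase GV1* |
    Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    ForEach-Object { $inScope[$_.DistinguishedName] = $true }

# 3. A mailbox is a mismatch if it is in the OU but lacks the policy,
#    or is outside the OU (for example a Canadian mailbox) but has it.
#    Assumes the policy value converts to its name, as Get-CASMailbox displays it.
$mismatch = foreach ($mbx in $all) {
    $cas       = Get-CASMailbox -Identity $mbx.DistinguishedName
    $assigned  = [string]$cas.ActiveSyncMailboxPolicy
    $targeted  = $inScope.ContainsKey($mbx.DistinguishedName)
    $hasPolicy = ($assigned -eq $policy)

    if ($targeted -ne $hasPolicy) {
        New-Object PSObject -Property @{
            Mailbox    = $mbx.PrimarySmtpAddress
            OU         = $mbx.OrganizationalUnit
            Policy     = $assigned
            InTargetOU = $targeted
        }
    }
}

# An empty result means the policy landed on the target OU and nowhere else.
if ($mismatch) {
    $mismatch | Sort-Object OU | Format-Table Mailbox, OU, Policy, InTargetOU -AutoSize
} else {
    "All $($all.Count) mailboxes checked: policy assignment matches OU scope."
}
```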
Once we've brought the international community up to speed with our password and security policies, we'll modify the Default ActiveSync policy, then use the same command to set all the domestic mailboxes back to the Default policy.
Yes, I fully realize that the password and security policies should be applied to everyone, but it's your typical slow-moving corporation, and the domestic and international communities are run by two separate groups, so it's difficult to get everyone on board at once. Everyone should be in sync by the end of the month. Right!
Monday, January 19, 2015
Thursday, January 8, 2015
Ironport Best Practice articles
A couple of brief blog articles related to Cisco Ironport appliance best practices.
http://emtunc.org/blog/06/2014/cisco-ironport-e-mail-security-appliance-best-practices-part-1/
http://emtunc.org/blog/12/2014/cisco-ironport-e-mail-security-appliance-best-practices-part-2/