Enable or disable POP3 and IMAP4 by group membership in Exchange 2007

As you know, Exchange 2007 supports the POP3 and IMAP4 protocols. Mostly, these protocols are shut down (due to many concerns).

In certain cases, you as the administrator have no other choice but to enable this feature.

The next thing you may consider is limiting the use of those protocols to certain users only. What you will find is that you can either enable or disable this per user (see the TechNet article "How to Enable or Disable POP3 Access for a User").

Now the problem starts! You can start managing your users one by one, enabling or disabling them for POP3/IMAP4. But what would you do with the new users? They will be enabled by default!

The following guide describes how to limit the POP3 and IMAP4 protocols using an Active Directory group. We will use two main PowerShell cmdlets:

Get-Mailbox -Filter{(memberofgroup -eq GroupDistinguishedName)} -ResultSize:unlimited

and

Set-CASMailbox -Identity:MailboxDistinguishedName -PopEnabled:$true|$false

where, in the first cmdlet, GroupDistinguishedName is the distinguished name of the group containing the list of POP3-enabled users.

Let the fun begin!

First we have to get the list of all enabled mailboxes into a variable:

$mailboxes = Get-Mailbox -ResultSize:unlimited

Next, we will get the mailboxes whose corresponding users are members of the group "POP3EnabledUsers":

$groupidentity = $(Get-Group "POP3EnabledUsers").Identity.DistinguishedName
$pop3Enabled = Get-Mailbox -Filter{(memberofgroup -eq $groupidentity)} -ResultSize:unlimited

After this, we will loop through all mailboxes from the $mailboxes collection:

foreach ($mailbox in $mailboxes)
{
    # ... code goes here ...
}

Now it is just a matter of using a temporary variable, $enablePop3, that holds the "verdict" for each mailbox: whether to enable or disable POP3 for this particular mailbox:

$enablePop3 = $false
foreach ($pop3 in $pop3Enabled)
{
    if ($pop3.DistinguishedName -eq $mailbox.DistinguishedName)
    {
        $enablePop3 = $true
    }
}

Technically, $enablePop3 will be $true only if the $mailbox that the main loop is currently processing appears in $pop3Enabled.

Finally, we can combine all the pieces together. The working code will look like this:

###

# All mailboxes, and the subset whose users are members of the POP3 group
$mailboxes = Get-Mailbox -ResultSize:unlimited
$groupidentity = $(Get-Group "POP3EnabledUsers").Identity.DistinguishedName
$pop3Enabled = Get-Mailbox -Filter{(memberofgroup -eq $groupidentity)} -ResultSize:unlimited
foreach ($mailbox in $mailboxes)
{
    # Verdict for this mailbox: does it appear in the POP3-enabled list?
    $enablePop3 = $false
    foreach ($pop3 in $pop3Enabled)
    {
        if ($pop3.DistinguishedName -eq $mailbox.DistinguishedName)
        {
            $enablePop3 = $true
        }
    }
    if ($enablePop3 -eq $true)
    {
        # Change the setting only when it differs from the verdict
        if ((Get-CASMailbox -Identity:$mailbox.DistinguishedName).PopEnabled -ne $true)
        {
            Set-CASMailbox -Identity:$mailbox.DistinguishedName -PopEnabled:$true
        }
    }
    else
    {
        if ((Get-CASMailbox -Identity:$mailbox.DistinguishedName).PopEnabled -ne $false)
        {
            Set-CASMailbox -Identity:$mailbox.DistinguishedName -PopEnabled:$false
        }
    }
}

Voila! The result is that POP3 is enabled only for members of the group; it is disabled for all other mailboxes. Run this code on a schedule in order to keep the situation up to date. The same, with slight changes, works for IMAP4.
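
As an added example (not part of the original script), the same reconciliation can be written once for both POP3 and IMAP4, reporting by default and changing mailboxes only with -Apply. The function name Sync-ProtocolAccess, its parameters and the group name "IMAP4EnabledUsers" are assumptions made for this illustration. It also stops when the group cannot be found, so a renamed or deleted group does not disable the protocol for every mailbox.

```powershell
# Added example, not the original script. "IMAP4EnabledUsers" is a hypothetical group name.
function Sync-ProtocolAccess([string]$GroupName, [string]$Protocol, [switch]$Apply)
{
    if ($Protocol -ne "Pop" -and $Protocol -ne "Imap")
    {
        Write-Warning "Protocol must be Pop or Imap."
        return
    }
    # If the group cannot be resolved, stop instead of disabling every mailbox.
    $group = Get-Group $GroupName -ErrorAction SilentlyContinue
    if ($group -eq $null)
    {
        Write-Warning "Group '$GroupName' not found; no changes made."
        return
    }
    # Escape apostrophes so the DN is safe inside the quoted filter value.
    $dn = $group.Identity.DistinguishedName.Replace("'", "''")

    # Index group members by distinguished name (hashtable keys are case-insensitive).
    $allowed = @{}
    Get-Mailbox -Filter "MemberOfGroup -eq '$dn'" -ResultSize Unlimited |
        ForEach-Object { $allowed[$_.DistinguishedName] = $true }

    $prop = $Protocol + "Enabled"    # PopEnabled or ImapEnabled
    $drift = 0
    foreach ($cas in @(Get-CASMailbox -ResultSize Unlimited))
    {
        $want = $allowed.ContainsKey($cas.DistinguishedName)
        if ($cas.$prop -eq $want) { continue }

        # Record every out-of-policy mailbox so the run leaves an audit trail.
        $drift++
        Write-Host ("{0}: {1} is {2}, policy says {3}" -f $cas.DistinguishedName, $prop, $cas.$prop, $want)
        if ($Apply)
        {
            if ($Protocol -eq "Pop") { Set-CASMailbox -Identity $cas.DistinguishedName -PopEnabled:$want }
            else { Set-CASMailbox -Identity $cas.DistinguishedName -ImapEnabled:$want }
        }
    }
    Write-Host ("{0} / {1}: {2} mailbox(es) out of policy" -f $GroupName, $prop, $drift)
}

# Report only; add -Apply once the report looks right.
Sync-ProtocolAccess -GroupName "POP3EnabledUsers" -Protocol Pop
Sync-ProtocolAccess -GroupName "IMAP4EnabledUsers" -Protocol Imap
```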

I would like to express my special thanks to ilantz for his valuable help in the creation of this code.

Any comments will be highly appreciated!