Dgoldman's WebLog

The daily adventures of an Escalation Engineer

How to break the OAB download process for certain users

I got a weird request today and thought it would make an interesting post. In some organizations you might have a group of users that you do not want to be able to download the OAB, for security reasons. There are a few ways to do this, and if not done correctly they can break the OAB download for everybody.

  1. The first method is to create a separate address list with a filter, create a new OAB, and change attributes to point to the new OAB. This is pretty involved, and I really don't fancy people playing with any permissions, as this leads to bigger problems.
  2. Move all of the users to a new mailbox store and remove the OAB associated with that mailbox store. This does not require changing permissions, which is good because check names won't be broken for new profile creation, etc. This removes the EntryID that is populated in the MAPI property tag PR_ADDRBOOK_FOR_LOCAL_SITE_ENTRYID. Now when the Outlook client logs in, it is given an EntryID that does not correspond to an existing root OAB folder, and the client fails the download with the following error:

     12:45:53 Synchronizing Mailbox <dgoldman>
     12:45:53 Done
     12:45:54 Microsoft Exchange offline address book
     12:45:54 0x8004010f

  3. You can populate the msExchUseOAB attribute on the Active Directory user object with the DN of an address list that does not exist. This works the same way as number 2.
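
As an added example (not from the original post), the following PowerShell audit lists users whose msExchUseOAB points at a DN that no longer resolves in the directory, which is exactly the state that produces the 0x8004010f error under methods 2 and 3, whether that was intended for the user or is an accident after an address list was deleted. It assumes a domain-joined machine with read access to Active Directory and uses only .NET DirectoryServices, not Exchange cmdlets; the function name is my own.

```powershell
# Added example, not part of the original post: report every user with
# msExchUseOAB set and whether the DN it holds still exists in AD.
# Assumes a domain-joined machine and read access to the directory.

function Get-OabAssignmentReport {
    param(
        # LDAP filter for the users to inspect; default is everyone with the attribute set
        [string]$Filter = "(&(objectCategory=person)(objectClass=user)(msExchUseOAB=*))"
    )

    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "msExchUseOAB", "homeMDB"))

    foreach ($result in $searcher.FindAll()) {
        $oabDn = [string]$result.Properties["msexchuseoab"][0]
        # DirectoryEntry.Exists reports whether an LDAP path can be bound to;
        # a false here means Outlook will be handed an EntryID with no root OAB folder
        $resolves = [adsi]::Exists("LDAP://$oabDn")
        New-Object PSObject -Property @{
            User        = [string]$result.Properties["samaccountname"][0]
            MailboxDB   = [string]$result.Properties["homemdb"][0]
            OabDn       = $oabDn
            OabResolves = $resolves
        }
    }
}

# Show only the users whose assigned OAB no longer exists in the directory
Get-OabAssignmentReport | Where-Object { -not $_.OabResolves } |
    Select-Object User, MailboxDB, OabDn | Format-Table -AutoSize
```

Run it from an Exchange Management Shell or a plain PowerShell session; users who should be blocked will show up in the list by design, so compare it against the intended group before treating any entry as a misconfiguration.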

Dave

Comments

  • This is good. Thanks for posting. I recently upgraded to 2007 and was looking to do something just like this, but.....

    My problem (that I just realized) is that the OAB is not being generated at all. The mailbox server doesn't have the shared \ExchangeOAB directory, so the CAS cannot grab the necessary files. I receive a 1021 error on my CAS on restart of the replication service because there is no shared directory.

    Any thoughts on how to fix this so I can implement this article?

    Thanks.

  • The shared \ExchangeOAB directory will get created during the OAB Generation process. I would turn up logging for the OAB and see why it is not generating. If you do not have a public folder store you should only be generating V4.
