Lost in a Sea of Attributes

Forget who has access to which services? Find your way back with the LDAP Browser.

Bill: I'm running Exchange 2000. I disabled the HTTP protocol in Exchange properties for users who are not authorized to have OWA access. Over time, I've allowed certain users the ability to use HTTP but I've lost track of which people I've authorized to have it. Is there a way to have Active Directory tell me what users have the HTTP protocol enabled in the AD Users & Computers snap-in?
—Dan

Dan: I was not able to find this information in the Exchange documentation, so I used the LDAP Browser (ldp.exe) from the Windows Server 2003 Support Tools to dump a regular mailbox-enabled user's AD attributes. I then disabled the HTTP protocol in the user's Exchange properties, dumped the attributes again, and compared the results to find the difference.

It turns out that the Exchange protocol configuration for a user gets stored in an attribute called ProtocolSettings. The following listings show the value for this attribute when all three protocols (POP3, IMAP4, and HTTP) have been disabled and again for when they are enabled:

'All protocols disabled
protocolSettings: POP3§0§1§4§ISO-8859-1§0§§§;IMAP4§0§1§4§ISO-8859-1§0§1§0§0;
HTTP§0§1§§§§§§;

'All protocols enabled
protocolSettings: POP3§1§1§4§ISO-8859-1§0§§§;IMAP4§1§1§4§ISO-8859-1§0§1§0§0;
HTTP§1§1§§§§§§;

You can use the Find feature in AD Users & Computers to search for users who have an HTTP setting in the ProtocolSettings attribute that indicates Enabled.

Select the Custom Search option and the Advanced tab, then enter this LDAP query:

(&(objectcategory=user)(ProtocolSettings=*http§1§1§*))

Click on Find Now to get a list of the users who have HTTP enabled.
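The same check can be done offline against a dump of the attribute. The following is an added example, not code from the column: it parses protocolSettings values of the shape shown in the listings above, reports which protocols are enabled, and builds the AND-wrapped LDAP filter that the custom search uses. Only two fields per entry are interpreted, the protocol name and the enabled flag that differs between the two dumps; the remaining fields are kept as raw strings because the column does not document them. The sample user values are constructed for the example.

```python
# Added example (not from the column): parse Exchange 2000 protocolSettings
# values and find users whose HTTP protocol is enabled.
# Interpreted fields: field 0 = protocol name, field 1 = enabled flag
# (1 = enabled, 0 = disabled), as seen by diffing the two dumps above.
# The remaining fields are not documented in the column and are kept verbatim.
from typing import Dict, List

FIELD_SEP = "\u00a7"   # the section sign (§) separating fields within an entry
ENTRY_SEP = ";"        # separates the POP3, IMAP4 and HTTP entries


def parse_protocol_settings(value: str) -> Dict[str, dict]:
    """Return {protocol: {"enabled": bool, "fields": [raw fields]}}."""
    result: Dict[str, dict] = {}
    for entry in value.split(ENTRY_SEP):
        entry = entry.strip()
        if not entry:            # trailing ';' leaves an empty entry
            continue
        fields = entry.split(FIELD_SEP)
        if len(fields) < 2:
            raise ValueError(f"malformed protocolSettings entry: {entry!r}")
        name, flag = fields[0].upper(), fields[1]
        if flag not in ("0", "1"):
            raise ValueError(f"unexpected enabled flag {flag!r} in {entry!r}")
        result[name] = {"enabled": flag == "1", "fields": fields}
    return result


def enabled_protocols(value: str) -> List[str]:
    """Sorted list of protocol names whose enabled flag is 1."""
    settings = parse_protocol_settings(value)
    return sorted(name for name, s in settings.items() if s["enabled"])


def ldap_filter_for(protocol: str = "HTTP") -> str:
    """LDAP filter equivalent to the ADUC custom search, wrapped in an AND."""
    return (
        f"(&(objectCategory=user)"
        f"(protocolSettings=*{protocol}{FIELD_SEP}1{FIELD_SEP}1{FIELD_SEP}*))"
    )


# Constructed sample dump: alice has only HTTP enabled, bob has only POP3.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "POP3§0§1§4§ISO-8859-1§0§§§;IMAP4§0§1§4§ISO-8859-1§0§1§0§0;HTTP§1§1§§§§§§;",
    "bob":   "POP3§1§1§4§ISO-8859-1§0§§§;IMAP4§0§1§4§ISO-8859-1§0§1§0§0;HTTP§0§1§§§§§§;",
}


def users_with_http(users: Dict[str, str]) -> List[str]:
    """Offline equivalent of the Find Now result: users whose HTTP flag is 1."""
    return sorted(user for user, value in users.items()
                  if "HTTP" in enabled_protocols(value))


if __name__ == "__main__":
    for user, value in SAMPLE_USERS.items():
        print(user, enabled_protocols(value))
    print(ldap_filter_for())
    print(users_with_http(SAMPLE_USERS))
```

The parser is strict about the enabled flag on purpose: if a future build stores something other than 0 or 1 in that position, it fails loudly rather than silently reporting the protocol as disabled, which is the safer failure mode for an access review.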

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

Just as a quick aside: If you have a Windows XP workstation where you do your AD management, you can install the Windows Server 2003 admin tools, which includes a version of AD Users & Computers with a Saved Queries feature. This lets you enter LDAP queries like the one above and get a graphical display just like you'd get when browsing the contents of an OU. Then, you can save the query and use it anytime you want. Very cool, and it works great against a Windows 2000 domain.

Hope this helps.

Much Ado about ACLs and Exmerges

In last week's column, I included a script to make changes to MAPI permissions. Alert administrator Pete wrote me to point out that the script gives an ActiveX error.

It turns out that the script requires a copy of ACL.DLL, which, unfortunately, is not available in compiled form from the Microsoft Download site. However, you can download a tool from Microsoft's ftp site: ftp.microsoft.com/pss/tools. Download the Outlook_Folders application and install it. This places an up-to-date copy of ACL.DLL on the machine.

If you don't like the idea of installing an unsupported tool on a production Exchange server, you can install the Outlook_Folders utility on a workstation then copy the ACL.DLL file to the Exchange server and register it as follows:

regsvr32 acl.dll

This eliminates the ActiveX error when you run the script at the server.

As a follow-up to "Weighty Decision in an Exchange/Windows Upgrade," regarding migrating user mailboxes using Exmerge, reader Greg points out that this form of mailbox migration can cause problems when replying to internal messages after the X.500 address changes. If you plan on using Exmerge to migrate mailboxes between Exchange organizations or between sites in the same legacy organization, see Microsoft Knowledge Base article 275134, "XADM: Cannot Reply to Messages That Are Sent from a User Account That Was Moved to a Different Site."

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
