This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How can I stop ARS from detecting my on-premise exchange environment? I do NOT want any mail options available at all.

Currently using ARS 7.2.1 in a hybrid environment with on-premise Exchange and O365.  ARS is currently detecting the on-prem exchange environment and causing a few minor issues.  Is there a way to stop ARS from detecting the on-prem exchange environment?

  • I did find this https://support.oneidentity.com/active-roles/kb/246975/how-to-remove-create-an-exchange-mailbox-page-from-new-user-wizard which eliminates the exchange mailbox page, but if there's another holistic solution, please let me know.

  • I would recommend options:

    #1. ARS Policy |- DEny  edsaExchangeCreateMailbox = FALSE and other Exchange Attributes (homeMDB, mail, proxyAddresses, alias = DENY access to all AD role groups like AD|ARS_HelpDesk etc.)

    #2. ARS Policy Script. onPreCreate(), onPreModify() $edsaExchangeCreateMailbox = $FALSE - that is a solid "silent" block for everybody in #1 and also AD\ARSADMIns, AD|\svc_ars_service account.

    #3. removing ARS WI | User Create/Update | Exchange Properties Tab is a "weak" option which leaves other clients to have Exchange Properties available in ARS.MMC open and ARS Script PS1, VBS.

  • I tested a modification of the policy which you found in my lab.

    The original policy only removed the Microsoft Exchange tab from the User Creation Wizard. This policy ignores all existing Microsoft Exchange properties, removes the ability to add any properties, and stops automation tools like PowerShell or the Active Roles Synchronization Service from creating Users with a mailbox:

    function onPostGet($Request){
        if ($Request.IsAttributeRequested('edsaIsMsExchangePresent')){
        $Request.Put('edsaIsMsExchangePresent',$false)
        $Request.put('edsaCreateMSExchMailbox',$false)
        $Request.put('edsaExchangeTasksAvailable',$null)
        $Request.put('edsaAllExchangeTasks',$null)
        }
    }
    
    function onPreCreate($Request){
        if ($Request.class -eq 'user'){
        $Request.put('edsaCreateMSExchMailbox',$false)
        }
    }

  • What about just removing the required permissions from the Active Roles service account which are needed to perform Exchange managerial functions?

    Regardless - I do like the custom policy you tweaked Terrance.  Do we have any other similar examples which effectively remove other tabs?  If so it would be a nice summary KB to get into the community.