ActiveSync – Find Enabled Users via msExchOmaAdminWirelessEnable Attribute

2011-02-14 Updated

2011-02-12 Initial Post

Windows Server 2003 SP2

Exchange Server 2003 SP2

In the IT business, sometimes what seems like a simple question can result in a few hours of work to get a satisfactory answer. The other day I was asked to look at why a query for all ActiveSync enabled users wasn't returning the correct results. The query was using the msExchOmaAdminWirelessEnable attribute. That attribute holds the values for the settings under user properties --> Exchange Features tab --> Mobile Services.

Under Mobile Services are these three options:

Option 1: Outlook Mobile Access

Option 2: User Initiated Synchronization (This is what's needed to allow use of ActiveSync, per this MS article.)

Option 3: Up-to-date Notifications (This is known as Direct Push over HTTP(S) and is optional for ActiveSync but requires option 2 if selected.)

So this what I need to find out: What is the value for msExchOmaAdminWirelessEnable for each different combination of options?

The value for msExchOmaAdminWirelessEnable really consists of three bits (credit to Ed Crowley for explaining it (though not very clearly) here). The attribute is an integer, so it can hold more than three bits, but 7 (111) is the maximum value I could set via Active Directory Users and Computers.

Here are the results in integer and binary values:

msExchOmaAdminWirelessEnable = <not set> = All options are, by default, enabled. This is a null value and is not the same as a value of 0. This is the default setting per this MS article.

msExchOmaAdminWirelessEnable = 0 = 000 = All options explicitly enabled. This happens after you've disabled any option and then go back and enable all options. From the user end this is the same as <not set> because all three options are enabled.

msExchOmaAdminWirelessEnable = 1 = 001 = Option 1 and option 2 enabled.

msExchOmaAdminWirelessEnable = 2 = 010 = Option 2 and option 3 enabled (option 3 requires option 2).

msExchOmaAdminWirelessEnable = 3 = 011 = Option 2 enabled.

msExchOmaAdminWirelessEnable = 5 = 101 = Option 1 enabled.

msExchOmaAdminWirelessEnable = 7 = 111 = All options disabled. This seems backwards because setting all the bits disables all the options.

Based on the findings above, to find all users with any combination of options that allows ActiveSync (that is, any combination in which User Initiated Synchronization is enabled), you need to filter msExchOmaAdminWirelessEnable for these five values:

msExchOmaAdminWirelessEnable = nothing (not set/null)

msExchOmaAdminWirelessEnable = 0

msExchOmaAdminWirelessEnable = 1

msExchOmaAdminWirelessEnable = 2

msExchOmaAdminWirelessEnable = 3

Note: I’m guessing msExchOmaAdminWirelessEnable = 4 is for option 3 only. If so, that would not be valid and won’t work with ActiveSync because option 3 requires option 2 (which is msExchOmaAdminWirelessEnable = 2, if both are selected).

I used CSVDE in my test lab for the example below. I couldn't figure out how to get CSVDE to query for a null value (it doesn't look like that's possible), so I used (!msExchOmaAdminWirelessEnable=*): the =* test matches any object where the attribute has a value, so negating it matches objects where the attribute has no value at all, i.e. it is null. Note that I simplified things here: objectCategory=user returns EVERY user, so I gave my test users a description of "Company User" and filtered on that, which keeps the LDAP filter easier to follow. You could also filter by OU, only mail-enabled users, etc., but the filter would just get longer and harder to follow. I also didn't filter out disabled accounts or anything else that might need to be excluded in a production environment.

csvde -f ASUserList.csv -r "(&(objectCategory=user)(description=Company User)(|(!msExchOmaAdminWirelessEnable=*)(msExchOmaAdminWirelessEnable=0)(msExchOmaAdminWirelessEnable=1)(msExchOmaAdminWirelessEnable=2)(msExchOmaAdminWirelessEnable=3)))" -s chh-dc-01 -l "displayName,msExchOmaAdminWirelessEnable" -j .

Note how the CSVDE output below shows no msExchOmaAdminWirelessEnable value for Ted Strawberry. That's because I never changed his settings, so he has the default of <not set>, which means all options are enabled.

DN,displayName,msExchOmaAdminWirelessEnable
"CN=Apple\\, John,OU=BRH,OU=Company - Users,DC=company-ad,DC=sysadmin-e,DC=com","Apple, John",3
"CN=Cherry\\, Ed,OU=BRH,OU=Company - Users,DC=company-ad,DC=sysadmin-e,DC=com","Cherry, Ed",2
"CN=Pear\\, Al,OU=CHH,OU=Company - Users,DC=company-ad,DC=sysadmin-e,DC=com","Pear, Al",1
"CN=Strawberry\\, Ted,OU=CHH,OU=Company - Users,DC=company-ad,DC=sysadmin-e,DC=com","Strawberry, Ted",

If you run the same query in a VBScript using ADO, be aware that the record set will only contain 1,000 records unless you specify a page size value. See this MS article for the reason behind that and how to work around it. This is the first time that I ran into this issue in all my years of scripting. I guess I never wrote a query that would return over 1,000 records before.

To complicate matters more, I ran the query in production and didn’t see my manager in the output file. After some digging around, I found that he and a few other users in our production environment had msExchOmaAdminWirelessEnable = 32 = 100000. I have no idea how that happened. As I mentioned earlier, that is an integer value, so I believe it can go up to 32 bits long (2,147,483,647). That being the case, a more accurate LDAP filter would exclude these three values of msExchOmaAdminWirelessEnable:

msExchOmaAdminWirelessEnable <> 4

msExchOmaAdminWirelessEnable <> 5

msExchOmaAdminWirelessEnable <> 7

(&(!msExchOmaAdminWirelessEnable=4)(!msExchOmaAdminWirelessEnable=5)(!msExchOmaAdminWirelessEnable=7))

This query filter is actually simpler than the other one, but just getting to the point of figuring this out was more involved and I basically stumbled upon it. After further research, I found this MS Exchange Team blog post that mentions additional values for msExchOmaAdminWirelessEnable. The author decided to use the term “bit 0x00000020” instead of simply stating that the value is 32 decimal, so I had to put the Windows calculator into scientific mode to verify that 0x00000020 = 32 decimal. That value means that the user is exempt from mobile device security policies (and since the first three bits are 0, it also means that the user is enabled for ActiveSync). That value is set by Exchange System Manager (ESM) when users are added to the mobile device security exception list.

2011-02-14

I couldn't help myself and looked into this a little more after my initial post and found the following:

1 - An account that has all mobile services options disabled can still be added to the mobile device security exception list in ESM. ESM then sets the account's msExchOmaAdminWirelessEnable attribute to 39 (32 is the bit value used to enable the security exception and 7 is the bit value for disabling all three options under mobile services). So what does this mean? My last LDAP filter is still not 100% accurate. Assuming that the value is 32 bits long, there are over 2 billion different possible values. So it looks like what really needs to be done is a bitwise comparison on the third bit (decimal 4) to see if Option 2: User Initiated Synchronization is enabled; that bit is 0 if the option is enabled.

The main point here is that just checking to see if the msExchOmaAdminWirelessEnable attribute value is 0 or 7 doesn't cover all the available values.

Here are some links about bitwise comparisons in VBScript: http://www.devguru.com/technologies/vbscript/quickref/and.html and http://www.devguru.com/technologies/vbscript/quickref/xor.html.

Someone already wrote an article on using bitwise operations with msExchOmaAdminWirelessEnable.

MS has a KB on using LDAP Matching Rule controls for bitwise operations. You'd be able to use that directly in an LDAP filter in CSVDE, for example. There's an example of using that with msExchOmaAdminWirelessEnable in this Exchange Server forum post. That post gives the full filter shown below, which works great and is less complex than what I had.

(&(objectClass=User)(objectCategory=Person)(mailNickname=*)(!cn=SystemMailbox{*)(|(!msExchOmaAdminWirelessEnable=*)(&(msExchOmaAdminWirelessEnable=*)(!msExchOmaAdminWirelessEnable:1.2.840.113556.1.4.803:=4))))

2 - If you manually set an account's msExchOmaAdminWirelessEnable attribute to 32, it will not show up in the mobile device security exception list in ESM.

3 - If you remove an account from the mobile device security exception list in ESM, its msExchOmaAdminWirelessEnable attribute will have the sixth bit set back to 0 (as opposed to 1 which equals 32 decimal).
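As an added example (not code from the original post), the following Python decodes the attribute using the bit meanings derived above and runs the post's three filters (the five-value list, the 4/5/7 exclusion, and the bitwise rule from the forum post) over constructed CSVDE-style rows. The DNs are shortened, and the Tang (32) and Umpire (39) rows are made up to cover the cases described in the update.

```python
import csv
import io

# Bit meanings as the post derives them: a SET bit DISABLES the option.
DISABLE_OMA = 2          # Option 1: Outlook Mobile Access
DISABLE_USER_SYNC = 4    # Option 2: User Initiated Synchronization (needed for ActiveSync)
DISABLE_UP_TO_DATE = 1   # Option 3: Up-to-date Notifications
SECURITY_EXCEPTION = 32  # 0x00000020: exempt from mobile device security policies

def decode(value):
    """Option states for one attribute value; None means <not set>, i.e. all enabled."""
    v = 0 if value is None else int(value)
    return {
        "outlook_mobile_access": (v & DISABLE_OMA) == 0,
        "user_initiated_sync": (v & DISABLE_USER_SYNC) == 0,
        "up_to_date_notifications": (v & DISABLE_UP_TO_DATE) == 0,
        "policy_exception": (v & SECURITY_EXCEPTION) != 0,
    }

def five_value_filter(value):
    """First filter in the post: null, 0, 1, 2 or 3 (misses 32)."""
    return value is None or int(value) in (0, 1, 2, 3)

def three_value_filter(value):
    """Second filter in the post: everything except 4, 5, 7 (wrongly accepts 39)."""
    return value is None or int(value) not in (4, 5, 7)

def bitwise_filter(value):
    """Forum filter: null, or attribute present with bit 4 clear (the :1.2.840.113556.1.4.803:=4 rule)."""
    return value is None or (int(value) & DISABLE_USER_SYNC) == 0

# Constructed CSVDE-style output; the Tang (32) and Umpire (39) rows are made up.
SAMPLE_CSV = r"""DN,displayName,msExchOmaAdminWirelessEnable
"CN=Apple\\, John,OU=BRH,DC=example,DC=com","Apple, John",3
"CN=Cherry\\, Ed,OU=BRH,DC=example,DC=com","Cherry, Ed",2
"CN=Pear\\, Al,OU=CHH,DC=example,DC=com","Pear, Al",1
"CN=Strawberry\\, Ted,OU=CHH,DC=example,DC=com","Strawberry, Ted",
"CN=Tang\\, Mo,OU=CHH,DC=example,DC=com","Tang, Mo",32
"CN=Umpire\\, Di,OU=CHH,DC=example,DC=com","Umpire, Di",39
"""

def classify_rows(text):
    """Map displayName -> (five_value, three_value, bitwise) verdicts for each CSV row."""
    verdicts = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["msExchOmaAdminWirelessEnable"]
        value = None if raw == "" else int(raw)  # empty field is the <not set> case
        verdicts[row["displayName"]] = (five_value_filter(value), three_value_filter(value), bitwise_filter(value))
    return verdicts
```

Only the bitwise filter gets both constructed edge cases right: it keeps Tang (32, exception only) and drops Umpire (39, exception plus all three options disabled).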

One Response to “ActiveSync – Find Enabled Users via msExchOmaAdminWirelessEnable Attribute”

  1. Deen Says:

    Many thanks for this post,it is really useful.
