Archive for the ActiveSync Category

Building on a previous post, http://almostdailytech.com/?p=7: when a user is created, they get ActiveSync access by default. The script will go through and change all the settings back to disabled. All new users, however, will still have this setting enabled. By using a user template and search flags in AD, you can prevent this from happening.

First, create a user template and make sure the ActiveSync features are disabled on it. Then log into the DC that holds the schema master role and run ADSIEdit.msc (you may have to install the support tools pack). Expand Schema, then look for ms-Exch-Oma-Admin-Wireless-Enable. Scroll down until you see the SearchFlags attribute and change the value from 0 to 16. Now when you deploy from a template, these values will be copied.

References

http://technet.microsoft.com/en-us/library/cc755809.aspx

Search for: searchflags

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93494.mspx?mfr=true

There are quite a few white papers and TechNet articles on ActiveSync and the Windows Mobile platform. However, it takes a bit of reading to find the ones that are really important. These are those pages.

http://msexchangeteam.com/archive/2006/04/03/424028.aspx

Gives a quick summary of how Direct Push works and some troubleshooting steps in the logs.

http://www.microsoft.com/technet/solutionaccelerators/mobile/maintain/SecEntMessaging/d592e80a-035e-4291-b05d-c8b8dae71b80.mspx?mfr=true

Gives the security settings you can set, with their defaults.

http://technet.microsoft.com/en-us/library/cc182269.aspx

The Huge Main Documentation

There isn’t much information on which performance counters are really important; the only thing I’ve found is to treat its performance just like any other website. I’ll update this as I find out more stats.

The only stat I’ve found is from How Microsoft does IT.

A typical Exchange front-end server on the Microsoft network runs Microsoft Windows Server™ 2003 with Service Pack 1 on a Compaq DL380 G3, with four 2.4-gigahertz (GHz) Xeon processors and 2 gigabytes (GB) of RAM. Front-end servers that have this specification can handle 17,000 concurrent connections from roughly 3,000 users at a CPU loading of 15-30 percent.

How Microsoft IT does Mobile.

http://technet.microsoft.com/en-us/library/bb735199.aspx

Quite a bit of information is stored in the IIS logs for an ActiveSync user. Using the LogParser tool from MS, you can generate useful information (number of devices, top users, etc.) from the IIS logs. With some simple SQL queries, you can set it up to run automatically and generate the information. Here are some of the links I’ve used to get myself started.

http://msexchangeteam.com/archive/2006/02/14/419562.aspx

http://msexchangeteam.com/archive/2006/03/03/421149.aspx

http://msexchangeteam.com/archive/2007/09/12/446982.aspx

General LogParser Usage

http://www.msexchange.org/tutorials/Using-Logparser-Utility-Analyze-ExchangeIIS-Logs.html
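
The device and top-user counts described above, sketched in Python rather than LogParser SQL; this is an added example, not code from the original post or the linked articles. It assumes W3C extended logs with the fields shown in the constructed sample, and that ActiveSync requests carry `DeviceId` and `DeviceType` in the query string.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
2008-03-01 10:00:01 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=DEV001&DeviceType=PocketPC&Cmd=Sync CORP\alice 200
2008-03-01 10:00:09 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=DEV001&DeviceType=PocketPC&Cmd=Ping CORP\alice 200
2008-03-01 10:01:30 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=DEV002&DeviceType=PocketPC&Cmd=Sync CORP\bob 200
2008-03-01 10:02:00 OPTIONS /Microsoft-Server-ActiveSync - CORP\bob 200
2008-03-01 10:02:10 GET /exchange/carol/Inbox - CORP\carol 200
2008-03-01 10:03:00 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=DEV003&DeviceType=SmartPhone&Cmd=Sync corp\Alice 200
2008-03-01 10:03:05 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=DEV001&DeviceType=PocketPC&Cmd=Sync CORP\alice 200
"""

STEM = "/microsoft-server-activesync"  # ActiveSync virtual directory, lowercased

def summarize_activesync(lines):
    """Return (requests per user, {DeviceId: (user, DeviceType)})."""
    fields, hits, devices = [], Counter(), {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order can change mid-file after a logging change.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-uri-stem", "").lower() != STEM:
            continue
        user = row.get("cs-username", "-").lower()  # same account, mixed case
        hits[user] += 1
        query = parse_qs(row.get("cs-uri-query", ""))  # "-" parses to {}
        device_id = query.get("DeviceId", [None])[0]
        if device_id:
            devices.setdefault(device_id, (user, query.get("DeviceType", ["?"])[0]))
    return hits, devices

def devices_per_user(devices):
    """Count distinct devices for each user."""
    return Counter(user for user, _type in devices.values())

if __name__ == "__main__":
    hits, devices = summarize_activesync(SAMPLE_LOG.splitlines())
    print("Devices seen:", len(devices))
    for user, count in hits.most_common(5):
        print(f"{user}: {count} requests, {devices_per_user(devices)[user]} devices")
```

A user with more devices than expected, or a device ID that was never provisioned, is the kind of entry worth checking against the MobileAdmin device list.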

Since many of the components have been removed and incorporated into new products (the driver, for example, is now part of Virtual PC), someone on the Exchange Team Blog put together a post on how to install the Windows Mobile Device Emulators.

http://msexchangeteam.com/archive/2007/09/17/447033.aspx

The MobileAdmin web console has two options, Remote Wipe and Transaction Log. In the Remote Wipe section, you enter a username or an email address of a user to see what devices are currently using ActiveSync. If you don’t see the Remote Wipe feature, you need to enable a policy in ESM. Go to Global Settings, Mobile Services, then the Device Security button. You have to, at a minimum, require a password on the device. Once this is enabled, you should be able to Remote Wipe, from the MobileAdmin web page, any devices that are using this policy. If you don’t enable this, you’ll only see the “Block” and “Delete” options.