Share via


FYI: ProtocolSettings and MAPI client restrictions affect MAPI and CDO 1.21

There are several options for configuring restrictions on MAPI client access to Exchange 2003 SP 2.

…some were around prior to SP 2...

288894 How to disable MAPI client access to an Exchange Server 2003 computer or to an Exchange 2000 Server computer
https://support.microsoft.com/default.aspx?scid=kb;EN-US;288894

…some were new to SP 2...

Microsoft Exchange Server 2003 Service Pack 2 Release Notes

Enabling and disabling MAPI and/or non-Cached access per user in Exchange 2003 SP2

https://blogs.technet.com/exchange/archive/2005/07/27/408274.aspx

Typically these restrictions are used to lessen the attack surface for an organization whose users only use OWA, POP3, or IMAP to connect to Exchange. By turning off MAPI all together, limiting the versions of MAPI clients, or specifying the required cached mode administrators gain great control over who is accessing Exchange.

When developing an application that uses MAPI either directly or through CDO 1.21 it is important to understand how these MAPI restrictions affect code. These restrictions are applied on a mailbox basis in Active Directory. There are no flags or permissions that can get you past these restrictions so that you can directly log on to a restricted mailbox.

The only way to access a restricted mailbox is to use MAPI functions like GetMailboxTable or CreateStoreEntryID (from Exchange 5.5 SDK here) to open another information store while logged on as a service account that does not have MAPI access restricted. In this configuration, all user accounts have MAPI restrictions while this one service account does not.

CDO 1.21 does not have the ability to jump to a different information store like MAPI. There are no calls like GetMailboxTable and CreateStoreEntryID in CDO and GetInfoStorewill only retrieve an information store loaded in the current profile. So even while logged into a Session as the service account, CDO offers no ability to get to another restricted user’s mailbox like MAPI.

…Consider this in a scenario when you are relying on CDO 1.21 for calendaring support and MAPI for mail message manipulation. The bottom line is you can work around these restriction settings with MAPI code but there is no workaround for CDO 1.21. There are no plans to update CDO 1.21…

Updated 1/22/2009 – Fixed some broken links.