Microsoft KB Archive/328240

= How to put server-side restrictions on clients that are used to access Exchange 2000 mailboxes =

Article ID: 328240

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange 2000 Server Standard Edition

-



This article was previously published under Q328240



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
In Microsoft Exchange 2000 Server Service Pack 1 (SP1) and later, you can now put a server-side restriction on the clients used to access Exchange mailboxes. This restriction can be useful if you want to restrict older MAPI clients, or restrict users from using any MAPI client to log on to the server.

Put server-side restrictions on clients
To restrict access, create the following registry string value on the server running Exchange 2000 Server.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. For information about restoring the registry, see the &quot;Restoring the Registry&quot; Help topic in Regedit.exe or the &quot;Restoring a Registry Key&quot; Help topic in Regedt32.exe.  Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ MSExchangeIS\ParametersSystem Name: Disable MAPI Clients Type: REG_SZ Value: Enter a comma-separated or semicolon-separated list of MAPI client versions -- for example:

9.0.0-9.9.9; 12.0.0-12.1.5; 1.1.1-2.2.2



There are four possible ranges to describe the MAPI client version in the registry string value:
 * 6.0.0-7.0.0: Prevents versions 6.0.0 through 7.0.0
 * 6.0.0-: Prevents versions 6.0.0 and later
 * -9.0.0: Prevents all versions up to 9.0.0
 * 10.0.0: Prevents this version only

Important After you add the registry string value, you must stop and then restart the information store service for the new value to take effect.

Client error message
If a restricted client tries to log on to the server that is running Exchange 2000 Server, the user receives the following error message:

Cannot start Microsoft Outlook. The attempt to log on to the Microsoft Exchange Server computer has failed.

Client version string
The client itself dictates the client's version string. This string is similar to the version number reported in the About dialog box for the client. However, do not rely on this version number. Instead, use Exchange System Manager to view the Client Version property on the Mailbox Store Logons page.

Important The string reported in Exchange System Manager has an additional value -- for example, W.X.Y.Z. When you configure your server-side registry string value, use a string that is based on the values found in the W, Y, and Z positions. Do not include the value found in the X position. For example, if the version shown in Exchange System Manager is 10.0.0.1234 and you want to specifically stop these users, implement the registry string value with a data value of 10.0.1234.

Version string conventions
For MAPI clients up to and including Microsoft Outlook 2000, the version string uses the following convention:

..

For Microsoft Outlook 2002, the version string uses the following convention:

..

Hotfixes and service releases may affect the client version string. Be careful when you restrict client access, because server-side Exchange components also have to use MAPI to log on. Some components report their client version as the component name, such as SMTP or OLEDB, although others report the Exchange build number, such as 6.0.4712.0. For this reason, avoid restricting clients that have version numbers that start with 6. .

For example, to prevent MAPI access completely, instead of specifying the following restriction

0.0.0-65535.65535.65535

specify two ranges, so that the server components can log on, as follows:

0.0.0-5.9.9; 7.0.0-65535.65535.65535

