One little AD “trick” to completely screw up Exchange OWA

I came across this little “gem” at a client today.  After I spent quite a bit of time getting their Exchange 2010 up and running (see earlier post about RPC 6001 errors) I was back on site trying to figure out why webmail and iPhone connections would not work for most users including the CEO.  I beat my head against the wall for probably 30 minutes as I methodically checked settings and tested stuff with the Exchange Connectivity tester (ExRCA).  Some accounts worked all the way through on both the ActiveSync and RPC over HTTP tests but most failed with a “401” error.  Why???

In the end it was an AD account setting, set per user, that I have actually never used before BUT the previous IT guy at the customer had made liberal use of it.  Here it is:


Yup, the user account was locked down to a couple of specific computers which precluded login to the Exchange server which hosts OWA.  I pulled the setting by clicking on “All computers” and clicking OK.  Testing via ExRCA immediately passed and both webmail and iPhone now worked for the user in question.  I suppose I could have entered the Exchange server as an allowed system but there was really no point in terms of the customer’s security requirements to have the user “locked down”.  If you DO have the need to lock users down then ensure they have access to the Exchange server or “array” (if you have an Exchange farm) or both you and your users will pay the price when you try to use OWA and any of the functions that rely on OWA access.