How to put server-side restrictions on clients that are used to access Exchange 2000 mailboxes

This article has been archived. It is offered "as is" and will no longer be updated.
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
In Microsoft Exchange 2000 Server Service Pack 1 (SP1) and later, you can now put a server-side restriction on the clients used to access Exchange mailboxes. This restriction can be useful if you want to restrict older MAPI clients, or restrict users from using any MAPI client to log on to the server.

Put server-side restrictions on clients

To restrict access, create the following registry string value on the server running Exchange 2000 Server.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. For information about restoring the registry, see the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.
  • Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
  • Name: Disable MAPI Clients
  • Type: REG_SZ
  • Value: Enter a comma-separated or semicolon-separated list of MAPI client versions -- for example:
    9.0.0-9.9.9; 12.0.0-12.1.5; 1.1.1-2.2.2
There are four possible ranges to describe the MAPI client version in the registry string value:
  • 6.0.0-7.0.0: Prevents versions 6.0.0 through 7.0.0
  • 6.0.0-: Prevents versions 6.0.0 and later
  • -9.0.0: Prevents all versions up to 9.0.0
  • 10.0.0: Prevents this version only
Important After you add the registry string value, you must stop and then restart the information store service for the new value to take effect.

Client error message

If a restricted client tries to log on to the server that is running Exchange 2000 Server, the user receives the following error message:
Cannot start Microsoft Outlook. The attempt to log on to the Microsoft Exchange Server computer has failed.

Client version string

The client itself dictates the client's version string. This string is similar to the version number reported in the About dialog box for the client. However, do not rely on this version number. Instead, use Exchange System Manager to view the Client Version property on the Mailbox Store Logons page.

Important The string reported in Exchange System Manager has an additional value -- for example, W.X.Y.Z. When you configure your server-side registry string value, use a string that is based on the values found in the W, Y, and Z positions. Do not include the value found in the X position. For example, if the version shown in Exchange System Manager is and you want to specifically stop these users, implement the registry string value with a data value of 10.0.1234.

Version string conventions

For MAPI clients up to and including Microsoft Outlook 2000, the version string uses the following convention:
Major build number.Build number.Dot release
For Microsoft Outlook 2002, the version string uses the following convention:
Major build number.Minor build number.Build number
Hotfixes and service releases may affect the client version string. Be careful when you restrict client access, because server-side Exchange components also have to use MAPI to log on. Some components report their client version as the component name, such as SMTP or OLEDB, although others report the Exchange build number, such as 6.0.4712.0. For this reason, avoid restricting clients that have version numbers that start with 6.x.x.

For example, to prevent MAPI access completely, instead of specifying the following restriction
specify two ranges, so that the server components can log on, as follows:
0.0.0-5.9.9; 7.0.0-65535.65535.65535
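Before a restriction string is written to the registry, it can be checked offline against the client versions seen in Exchange System Manager and against the 6.x.x range that server components may report. The following is an added example, not code from the original article. It assumes that versions compare component by component as integers and that range endpoints are inclusive; the function names and the sample version 10.9.0.1234 are constructed for illustration.

```python
# Added example: evaluates a "Disable MAPI Clients" value offline.
# Assumption: integer, component-wise comparison with inclusive endpoints.

def parse_version(text):
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected three components: {text!r}")
    return parts

def parse_restriction(value):
    """Return (low, high) tuples; None marks an open-ended side."""
    ranges = []
    for item in value.replace(",", ";").split(";"):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = item.split("-", 1)
            ranges.append((parse_version(low) if low.strip() else None,
                           parse_version(high) if high.strip() else None))
        else:
            single = parse_version(item)
            ranges.append((single, single))
    return ranges

def from_esm(client_version):
    """Reduce the W.X.Y.Z string shown in Exchange System Manager to (W, Y, Z)."""
    w, _x, y, z = (int(p) for p in client_version.split("."))
    return (w, y, z)

def is_blocked(version, ranges):
    return any((lo is None or lo <= version) and (hi is None or version <= hi)
               for lo, hi in ranges)

def touches_6x(ranges):
    """True if any range overlaps 6.x.x, which server components may report."""
    lo6, hi6 = (6, 0, 0), (6, 65535, 65535)
    return any((lo is None or lo <= hi6) and (hi is None or hi >= lo6)
               for lo, hi in ranges)

if __name__ == "__main__":
    safe = parse_restriction("0.0.0-5.9.9; 7.0.0-65535.65535.65535")
    print("overlaps 6.x.x:", touches_6x(safe))
    # Constructed Exchange System Manager value; the X position (9) is dropped.
    print("10.9.0.1234 blocked by 10.0.1234:",
          is_blocked(from_esm("10.9.0.1234"), parse_restriction("10.0.1234")))
```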
For more information about how to disable MAPI clients, click the following article number to view the article in the Microsoft Knowledge Base:
288894 How to disable MAPI client access to a computer that is running Exchange Server

Article ID: 328240 - Last Review: 01/10/2015 13:44:24 - Revision: 4.0

Microsoft Exchange Server 2003 Standard Edition, Microsoft Exchange Server 2003 Enterprise Edition, Microsoft Exchange 2000 Server Standard Edition
