
Help with Active Directory Saved Queries

Admin_Stooge asked:
Last Modified: 2012-06-22
I have some standard 'Saved Queries' that I use:
Find SMTP
(&(objectCategory=person)(SMTP=*))

Locked out Accounts
(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294))

Mailboxes Overriding Exchange Size Limits
(&(objectCategory=user)(mDBUseDefaults=FALSE))

I need help in creating a new Saved Query in which I can place a userid and see whether that account has access to other mailboxes within the org.
Or, alternatively, a Saved Query that displays those AD accounts with manual access to someone's mailbox.

Thanks
CERTIFIED EXPERT
Top Expert 2013

Commented:
I'll try to test later but try
(&(objectCategory=person)(objectClass=user)(publicDelegates=*))
(&(objectCategory=person)(objectClass=user)(publicDelegatesBL=*))
See if either of those do what you want.

Thanks
Mike

Commented:
You may have better luck using the command line dsget and piping it to dsquery.
Chris Dent, PowerShell Developer
CERTIFIED EXPERT
Top Expert 2010

Commented:

You won't be able to enumerate the access control for a mailbox using an LDAP query. The Send On Behalf permission granted by publicDelegates is as near as you'd get with LDAP only.

I have a script here that can search the security descriptor of a mailbox for Exchange 2000 / 2003 to look for a specific value:

http://www.highorbit.co.uk/?p=575

We can do more than that, or look for something more specific, but you'd have to let us know the version of Exchange and more specifically what you're wanting to see.

Chris

Author

Commented:
Thanks Chris,

Exchange 2003 & Exchange 2007

I guess I'm looking for mainly 2 things.
1. I want to be able to see if I or other teammates still have manual access to someone's mailbox if we were troubleshooting an issue and forgot to remove our access.

2. I would like the ability to run a report to display which user(s) have manual access to another user's mailbox.
For example, something that can be dumped into xls to display:
Account:
Joe Smith
Manual Mailbox Access:
(list of mailboxes)

This way we can do clean ups and confirm that certain users should or should not have access to another employee's mailbox.

Hope this helps clear things up.

-Brian
Chris Dent, PowerShell Developer
CERTIFIED EXPERT
Top Expert 2010
Commented:

For the Exchange 2003 side we can play with the script in my blog to get the results you want.

For Exchange 2007 we're blessed with the Exchange Management Shell which can make this all nice and easy. For example, we could find out about every mailbox where someone has been granted explicit access rights as follows:

Get-Mailbox | Get-MailboxPermission | ?{ ($_.IsInherited -eq $False) -And !(($_.User.ToString()).Contains("SELF")) } | Select-Object Identity, User, AccessRights

Chris

Chris Dent, PowerShell Developer
CERTIFIED EXPERT
Top Expert 2010

Commented:

Provided the output from the command is something like what you're looking for we can make the VbScript version do something like the same for Exchange 2003.

Chris
Chris Dent, PowerShell Developer
CERTIFIED EXPERT
Top Expert 2010

Commented:

Missed a little bit.

The output from that can be dumped to a CSV file by adding "| Export-CSV -Path FileName.csv". However, we'll have to do a bit of work with some of the more complex attributes (AccessRights) to have them display in a meaningful way within the CSV file.

Chris
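As an added example (not code from the thread or from Chris's blog), here is an Exchange 2007 Management Shell script that extends the Get-MailboxPermission one-liner above into the per-account report Brian described, flattening AccessRights so the CSV is readable as Chris noted. $ReportPath and $OnlyUser are placeholder names assumed for this example.

```powershell
# Added example, not code from the thread. Exchange 2007 Management Shell report of
# explicit (non-inherited) mailbox permissions, one CSV row per grantee.
# $ReportPath and $OnlyUser are placeholders for this example.
$ReportPath = 'C:\Reports\ManualMailboxAccess.csv'
$OnlyUser   = ''        # e.g. 'CONTOSO\helpdesk1' to audit one account; '' = everyone

$entries = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {
    (-not $_.IsInherited) -and                       # explicit ACE, not inherited from the store
    (-not $_.Deny) -and                              # allow entries only
    ($_.User.ToString() -notlike '*\SELF') -and      # drop the mailbox owner's own entry
    ($OnlyUser -eq '' -or $_.User.ToString() -eq $OnlyUser)
}

# AccessRights is a collection of MailboxRights values; flatten it to text so
# Export-Csv writes the right names instead of a .NET type name.
$flat = $entries | Select-Object `
    @{Name='Mailbox';      Expression={ $_.Identity.ToString() }},
    @{Name='User';         Expression={ $_.User.ToString() }},
    @{Name='AccessRights'; Expression={ ($_.AccessRights | ForEach-Object { $_.ToString() }) -join ';' }}

# Group by grantee: Account -> the mailboxes that account was manually granted.
$report = $flat | Group-Object User | Select-Object `
    @{Name='Account';             Expression={ $_.Name }},
    @{Name='MailboxCount';        Expression={ $_.Count }},
    @{Name='ManualMailboxAccess'; Expression={
        ($_.Group | ForEach-Object { "$($_.Mailbox) [$($_.AccessRights)]" }) -join '; ' }}

$report | Sort-Object Account | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Sort-Object Account | Format-Table -AutoSize
```

Rows whose Account is an unresolved SID point at a deleted principal, which is exactly the stale access this clean-up is meant to catch.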