?
Solved

Help with Active Directory Saved Queries

Posted on 2009-02-09
7
Medium Priority
?
353 Views
Last Modified: 2012-06-22
I have some standard 'Saved Queries' that I use:
Find SMTP
(objectcategory=person)(SMTP=*)

Locked out Accounts
(&(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294)))))

Mailboxes Overriding Exchange Size Limits
(&(&(&objectCategory=user)(mDBUseDefaults=FALSE)))

I need help in creating a new Saved Queries to to place a userid within the Query and see if that account has access to other mailboxes within the org.  
Or if there could be a Saved Queries to display those AD Accounts with a manual access to one's mailbox.

Thanks
0
Comment
Question by:Admin_Stooge
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23595418
I'll try to test later but try
(&(&(objectCategory=person)(objectClass=user)(publicdelegates=*)))
(&(&(objectCategory=person)(objectClass=user)(publicDelegatesBL=*)))  
 See if either of those do what you want.
 
Thanks
Mike
0
 
LVL 15

Expert Comment

by:zelron22
ID: 23597143
You may have better luck using the command line dsget and piping it to dsquery.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23602490

You won't be able to enumerate the access control for a mailbox using an LDAP query. The Send On Behalf permission granted by publicDelegates is as near as you'd get with LDAP only.

I have a script here that can search the security descriptor of a mailbox for Exchange 2000 / 2003 to look for a specific value:

http://www.highorbit.co.uk/?p=575

We can do more than that, or look for something more specific, but you'd have to let us know the version of Exchange and more specifically what you're wanting to see.

Chris
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:Admin_Stooge
ID: 23602563
Thanks Chris,

Exchange 2003 & Exchange 2007

I guess I'm looking for mainly 2 things.
1. I want to be able to see if myself or other teammates still have manual access to one's mailbox if we were trouble shooting an issue and forgot to remove our access.

2. I would like the ability to run a report to display who user(s) have manual access to another user's mailbox.
For example, something that can be dumped into xls to display:
Account:
Joe Smith
Manual Mailbox Access:
(list of mailboxes)

This way we can do clean ups and confirm that certain users should or should not have access to another employee's mailbox.

Hope this helps clear things up.

-Brian
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 23602695

For the Exchange 2003 side we can play with the script in my blog to get the results you want.

For Exchange 2007 we're blessed with the Exchange Management Shell which can make this all nice and easy. For example, we could find out about every mailbox where someone has been granted explicit access rights as follows:

Get-Mailbox | Get-MailboxPermission | ?{ ($_.IsInherited -eq $False) -And !(($_.User.ToString()).Contains("SELF")) } | Select-Object Identity, User, AccessRights

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23602703

Provided the output from the command is something like what you're looking for we can make the VbScript version do something like the same for Exchange 2003.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23602738

Missed a little bit.

The output from that can be dumped to a CSV file by adding "| Export-CSV -Path FileName.csv". However, we'll have to do a bit of work with some of the more complex attributes (AccessRights) to have them display in a meaningful way within the CSV file.

Chris
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question