Solved

Add service account and grant Full Mailbox Access to ALL user objects in a particular OU

Posted on 2009-05-15
28
771 Views
Last Modified: 2012-05-07
Hi
Environment:
Windows 2003 AD
Exchange 2003

I just need a script (vbscript) to target a specific OU in AD and add a user object (I am creating a service account) to the mailbox rights attribute (if mailbox-enabled) and give full mailbox access.

I have circa 600 users I would like to run this against.
Also, if possible, an output to a logfile would be awesome.

Any pointers much appreciated..!
Cheers
B
0
Question by:BryanOakley
28 Comments
 
LVL 12

Expert Comment

by:Steven Wells
ID: 24394074
You can apply these rights at the OU using the security tab, which will replicate to all users, without the need to script anything. Or you can apply the rights on the Exchange server's store security tab.

http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm

This is a lot better than scripting anything, and also means that as users are added the permissions are automatically applied, especially if it is for BlackBerry etc.
0
 
LVL 22

Expert Comment

by:Paka
ID: 24394124
This is do-able via script, but can probably be done in a better fashion using AD and Exchange Delegation of Control wizards.  Can you elaborate on what the service account will be doing with the users' mailboxes?
0
 

Author Comment

by:BryanOakley
ID: 24394202
Hi StevenWells99: & Paka:

Thanks for your responses.
I need to have this scripted (part of a migration process out of another company's AD) -

I would normally have used the below in the command-line ADModify:
admodcmd -dn "%DN%" -f "(&(objectclass=user)(CN=%userFilter%*))" -addtomailboxrights %Domain%\%Group% ACE_MB_FULL_ACCESS

But I would need to have pure vbscript as the other company do not want to allow me to use any other tools (including ADUC etc.)

My purpose is to add a service account with full mailbox rights to assist in mail data migrations...
It needs to be scripted, no gui's or external tools, pure vbscript...


Appreciate any further options?

Cheers
Bry
0
 
LVL 12

Accepted Solution

by:
Steven Wells earned 250 total points
ID: 24394241
You can use the script supplied in this article

http://support.microsoft.com/kb/930879

I have just had a quick look at it (down the bottom) and that should do what you need.

0
 

Author Comment

by:BryanOakley
ID: 24394325
@ StevenWells99:

Thanks for the script pointer, very much appreciated.
So if I wanted to target just a particular OU I would just update the rootDSE to my OU LDAP path, correct?

Cheers
Bry
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 24394353
Correct.
0
 
LVL 22

Expert Comment

by:Paka
ID: 24394405
This script is expecting an input file of the user accounts that you want to give full mailbox access rights to.  You should be able to export the user accounts you want to modify to a text file and use them as an input to the script though.
0
 
LVL 22

Expert Comment

by:Paka
ID: 24394469
After digging into the script, it looks like the inputfile is in the form of:
LDAPName1 True True
LDAPName2 True True
LDAPName3 True True

Where the first true is for Full Mailbox Access and the second for Send As rights.

0
 

Author Comment

by:BryanOakley
ID: 24394498
@ StevenWells99: - Thanks for the confirmation

@ PAKA: ah right - so I can leave the rootDSE and then just have the input file of 'MY' users and the script will only update those accounts? - Where do you see the input file required in the code?

If possible, would I be able to amend the script to allow me to point to an LDAP path (a particular OU) and not use an input file, just apply to all users in that OU?

Hope that makes sense

Cheers
Bry
0
 
LVL 22

Expert Comment

by:Paka
ID: 24394520
Looks like the bottom script in this link might be better suited to your task.

http://support.microsoft.com/kb/310866
0
 
LVL 22

Expert Comment

by:Paka
ID: 24394588
Sorry, that one is for modifying a single mailbox.  Let me dig some more.  If I don't find something soon, do you need help in modifying one of the scripts that we found?  It looks like Stephen's might be easier to change...
0
 

Author Comment

by:BryanOakley
ID: 24394949
HI Paka:

Maybe if we could amend the script Steven sent over, that seems like a winner to me.
To clarify - I just need to be able to do the following:

Set LDAP to a specific OU, i.e. OU=MDCUSERS,OU=EU,DC=COMPANY,DC=co,DC=uk
Modify the mailbox rights to add a specific service account to all mailbox-enabled user objects in this OU.
Output to logfile all mailboxes affected (if possible)

Cheers
Bry
0
 
LVL 22

Assisted Solution

by:Paka
Paka earned 250 total points
ID: 24395325
I looked at the code more closely and think it would be simpler (and safer) to use that code in the way it was intended.  I could modify the script, but to do so properly would take a couple of hours to code and test fully (since it has 600+ lines of code).  I would recommend going about it this way:

1) dsquery user "ou=mdcusers,ou=eu,dc=company,dc=co,dc=uk" > inputfile.txt
2) open inputfile.txt with notepad and do a search and replace of =uk" with =uk" True True
3) run Stephen's script using:
CSCRIPT modusers.vbs -Add company\serviceAccountName inputfile.txt

0
 

Author Comment

by:BryanOakley
ID: 24396061
Hi Paka:

Thanks, I will give your recommendations a go.
Please clarify point 2)
open inputfile.txt with notepad and do a search and replace of =uk" with =uk" True True ???

Cheers
Bry
0
 
LVL 22

Expert Comment

by:Paka
ID: 24396099
This will add parameters to the text file - this is needed for the script to run properly.  The inputfile should look like:

DN True True
DN True True
DN True True

Using notepad, we're just doing a search and replace for the end of each line of text and adding "True True" to it.
0
 

Author Comment

by:BryanOakley
ID: 24396288
OK, so that I've got it right, for example it would be

"CN=USER,OU=USER_MIGRATION,DC=company,DC=co,DC=uk" TRUE TRUE

? Do I have the " " in the right place?

Is that correct?

Thanks buddy
Bry
0
 

Author Comment

by:BryanOakley
ID: 24396469
I have created the input file
I have updated the file with CN~" True True
I have run the script cscript usermod.vbs -Add DOM\SVCaccount INPUTFILE.txt

In the permission.err log I get the following:
NO mailbox owner user accounts found for "CN=USERS etc etc"
FAILED to get user's LDAP path from "CN=USERS etc etc"

Any ideas?

Cheers
Bry
0
 
LVL 22

Expert Comment

by:Paka
ID: 24396696
Looks like the calling sequence and input file format might be different than what I thought.  I'm still troubleshooting on this end.  So far, it looks like the first line in the inputfile.txt will be the account that you are granting the full mailbox permissions to.  (The account on the command line is the account under which the permission mods will be done.)

0
 
LVL 22

Expert Comment

by:Paka
ID: 24396934
Guess it helps if you read the instructions...  It turns out this script will grant permissions to the user on the command line, but it will grant permissions to MAILBOXES that are defined in the inputfile.txt.  Additionally, the mailboxes must be defined in the LegacyExchangeDN format.  I guess that doesn't help much.  Let me dig some more....
0
 

Author Comment

by:BryanOakley
ID: 24397176
thanks Paka

I really appreciate your input on this..!
I am working on it this end also - I'm sure we'll get there...

Thanks again
Bry
0
 
LVL 22

Expert Comment

by:Paka
ID: 24397195
Here's the revised course of action.  Use dsquery to export the list of legacyExchangeDN names of users within the OU of interest and pipe that output to inputfile.txt.  Next, feed that list into the script above.  I'm still looking into the "True True" thing.
0
 

Author Comment

by:BryanOakley
ID: 24397576
Hi PAKA

OK - I shall look at dsquery to output the legacyExchangeDN

Cheers
Bry
0
 

Author Comment

by:BryanOakley
ID: 24401795
Update:

To get my legacyExchangeDN I run the following:
csvde -f c:\csvlegx2.txt -s DC_NAME -d "ou=sys admin ou,OU=company ou,ou=old_companyl,dc=company,dc=co,dc=uk" -p SubTree -r "(&(mailNickname=*))" -l "legacyExchangeDN"

This works all fine.
I use this as the input file..

I now get a different error:
failed to add fullmailbox access the security id structure is invalid

Hmm, seems LDAP etc. is fine so I am digging deeper to find out why it will not modify the mbx rights..!

Check back soon
Cheers
Bry
0
 

Author Comment

by:BryanOakley
ID: 24401817
Update 2:

OK - I tried running this in another AD I have access to and I got some of the mailboxes modified, so it looks like we are getting closer..!  :-)
I will do some further tests and update again.

Cheers
Bry
0
 

Author Comment

by:BryanOakley
ID: 24406693
OK - all seems to be working for me :-)

For clarity I did the following:

1: Get a list of the legacyExchangeDNs:
csvde -f c:\csvlegx2.txt -s DC_NAME -d "ou=sys admin ou,OU=company ou,ou=old_companyl,dc=company,dc=co,dc=uk" -p SubTree -r "(&(mailNickname=*))" -l "legacyExchangeDN"

*** clean up the file so that only the legacyExchangeDN is showing:

2: Run the following from the command line:
cscript scriptname.vbs -Add DOMAIN\USERTOADD inputfile.txt

3: Check the log and error log to see what actions were completed on what accounts.

Note: depending on the permissions of the account you are adding, a basic domain user permission will only get Full Mailbox Access and NOT Send-As (good enough for my needs though, as I didn't need send-as).

I would like to split the points down the middle with:
StevenWells99: 250
Paka: 250

Does either of you have any objections to this?

I also want to say a massive thank you to both of you, for your help on this - It is very much appreciated and humbles me, just how generous people are with their time, in helping others..!

Cheers
Bry
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 24407832
Good work in getting this solution working.
Steven
0
 
LVL 22

Expert Comment

by:Paka
ID: 24409898
Hi Bry,

I second Steven - great job in gluing things together.  The split works for me.

Pat
0
 

Author Closing Comment

by:BryanOakley
ID: 31581863
@ StevenWells99: Thanks so much for your pointers
@ Paka: Also, thanks for your pointers.

I really appreciate your time and effort on this, genuinely it is so appreciated.

Cheers
Bry

For clarity to anyone else who may find this solution helpful, here is the finished process:
1: Get a list of the legacyExchangeDNs:
csvde -f c:\csvlegx2.txt -s DC_NAME -d "ou=sys admin ou,OU=company ou,ou=old_companyl,dc=company,dc=co,dc=uk" -p SubTree -r "(&(mailNickname=*))" -l "legacyExchangeDN"

*** clean up the file so that only the legacyExchangeDN is showing:

2: Run the following from the command line:
cscript scriptname.vbs -Add DOMAIN\USERTOADD inputfile.txt

3: Check the log and error log to see what actions were completed on what accounts.

Note: depending on the permissions of the account you are adding, a basic domain user permission will only get Full Mailbox Access and NOT Send-As (good enough for my needs though, as I didn't need send-as).

0
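The "clean up the file" step in the finished process above is done by hand. The VBScript below is an added example, not the KB 930879 script and not code from any poster here: it reads the raw csvde export, pulls out the legacyExchangeDN column by header name (so it does not depend on column order), writes one value per line to the input file the KB script reads, and logs every row it kept or skipped so the list can be reviewed before any mailbox rights are changed. It assumes csvde wrote an ANSI file (no -u switch) whose first line is the column header; the three file paths are placeholders.

```vbscript
Option Explicit

' Added example: convert raw csvde output into the one-legacyExchangeDN-per-line
' input file used in step 2 above, and log what was kept or skipped.
' Assumed paths; change to suit. c:\csvlegx2.txt matches the csvde -f above.
Const ForReading   = 1
Const CSVDE_EXPORT = "c:\csvlegx2.txt"   ' raw csvde output (assumption)
Const INPUT_FILE   = "c:\inputfile.txt"  ' file handed to the KB script (assumption)
Const CLEANUP_LOG  = "c:\cleanup.log"    ' review log (assumption)

' Split one CSV line, honouring double quotes so the DN column (which csvde
' always emits first and which contains commas) stays in one piece.
Function SplitCsv(ByVal text)
    Dim fields(), count, i, ch, inQuotes, current
    count = 0
    inQuotes = False
    current = ""
    For i = 1 To Len(text)
        ch = Mid(text, i, 1)
        If ch = """" Then
            inQuotes = Not inQuotes
        ElseIf ch = "," And Not inQuotes Then
            ReDim Preserve fields(count)
            fields(count) = current
            count = count + 1
            current = ""
        Else
            current = current & ch
        End If
    Next
    ReDim Preserve fields(count)
    fields(count) = current
    SplitCsv = fields
End Function

' Index of a named column in the header row, or -1 if it is not present.
Function ColumnIndex(headerFields, name)
    Dim i
    ColumnIndex = -1
    For i = 0 To UBound(headerFields)
        If StrComp(Trim(headerFields(i)), name, vbTextCompare) = 0 Then
            ColumnIndex = i
            Exit Function
        End If
    Next
End Function

Dim fso, inFile, outFile, logFile
Dim line, fields, header, col, ldn, lineNo, kept, skipped
Set fso = CreateObject("Scripting.FileSystemObject")
Set inFile  = fso.OpenTextFile(CSVDE_EXPORT, ForReading)
Set outFile = fso.CreateTextFile(INPUT_FILE, True)
Set logFile = fso.CreateTextFile(CLEANUP_LOG, True)

' First line of the csvde export is the header, e.g. DN,legacyExchangeDN
header = SplitCsv(inFile.ReadLine)
col = ColumnIndex(header, "legacyExchangeDN")
If col < 0 Then
    logFile.WriteLine "ERROR: no legacyExchangeDN column in " & CSVDE_EXPORT
    logFile.Close
    WScript.Echo "legacyExchangeDN column not found; see " & CLEANUP_LOG
    WScript.Quit 1
End If

lineNo = 1
kept = 0
skipped = 0
Do Until inFile.AtEndOfStream
    line = inFile.ReadLine
    lineNo = lineNo + 1
    If Len(Trim(line)) > 0 Then      ' csvde may leave a blank trailing line
        fields = SplitCsv(line)
        ldn = ""
        If UBound(fields) >= col Then ldn = Trim(fields(col))
        ' An Exchange legacyExchangeDN always begins with /o=. Rows with an
        ' empty or differently shaped value are kept out of the input file
        ' and logged so they can be checked rather than silently dropped.
        If Left(LCase(ldn), 3) = "/o=" Then
            outFile.WriteLine ldn
            logFile.WriteLine "KEPT    line " & lineNo & ": " & ldn
            kept = kept + 1
        Else
            logFile.WriteLine "SKIPPED line " & lineNo & ": " & line
            skipped = skipped + 1
        End If
    End If
Loop

inFile.Close
outFile.Close
logFile.WriteLine "Done: " & kept & " kept, " & skipped & " skipped."
logFile.Close
WScript.Echo kept & " legacyExchangeDN values written to " & INPUT_FILE & _
             "; " & skipped & " rows skipped (see " & CLEANUP_LOG & ")"
```

Run it with `cscript cleanup.vbs` after the csvde export and before step 2; compare the KEPT count in the log against the number of mailboxes you expect in the OU, and resolve any SKIPPED rows, before handing the input file to the KB script.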
