Add service account and grant Full Mailbox Access to ALL user objects in a particular OU

Hi
Environment:
Windows 2003 AD
Exchange 2003

I just need a script (vbscript) to target a specific OU in AD and add a user object (I am creating a service account) to the mailbox rights attribute (if mailbox-enabled) and give full mailbox access.

I have circa 600 users I would like to run this against.
Also, if possible, an output to a logfile would be awesome.

Any pointers much appreciated..!
Cheers
B
0
bryan oakley-wiggins
2 Solutions
 
Steven Wells Commented:
You can apply these rights at the OU using the security tab, which will replicate to all users, without the need to script anything. Or you can apply the rights on the exchange server's store security tab.

http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm

This is a lot better than scripting anything, and also means that as users are added the permissions are automatically applied, especially if for blackberry etc.
0
 
Paka Commented:
This is do-able via script, but can probably be done in a better fashion using AD and Exchange Delegation of Control wizards.  Can you elaborate on what the service account will be doing with the users' mailboxes?
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
Hi StevenWells99: & Paka:

Thanks for your responses.
I need to have this scripted (part of a migration process out of another company's AD) -

I would normally have used the below in the cmdline ADModify:
admodcmd -dn "%DN%" -f "(&(objectclass=user)(CN=%userFilter%*))" -addtomailboxrights %Domain%\%Group% ACE_MB_FULL_ACCESS

But I would need to have pure vbscript as the other company do want to allow me to use any other tools (including ADUC etc)

My purpose is to add a service account with full mailbox rights to assist in mail data migrations...
It needs to be scripted, no gui's or external tools, pure vbscript...


Appreciate any further options?

Cheers
Bry
0
 
Steven Wells Commented:
You can use the script supplied in this article

 http://support.microsoft.com/kb/930879

I have just had a quick look at it (down the bottom); that should do what you need.

0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
@ StevenWells99:

Thanks for the script pointer, very much appreciated.
So if I wanted to target just a particular OU I would just update the rootDSE to my OU LDAP path, correct?

Cheers
Bry
0
 
Steven Wells Commented:
Correct.
0
 
Paka Commented:
This script is expecting an input file of the user accounts that you want to give full mailbox access rights to.  You should be able to export the user accounts you want to modify to a text file and use them as an input to the script though.
0
 
Paka Commented:
After digging into the script, it looks like the inputfile is in the form of:
LDAPName1 True True
LDAPName2 True True
LDAPName3 True True

Where the first true is for Full Mailbox Access and the second for Send As rights.

0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
@ StevenWells99: - Thanks for the confirmation

@ PAKA: ah right - so I can leave the rootDSE and then just have the input file of 'MY' users and the script will only update those accounts? - Where do you see the input file required in the code?

If possible, would I be able to amend the script to allow me to point to an LDAP path (a particular OU) and not use an input file, just apply to all users in that OU?

Hope that makes sense

Cheers
Bry
0
 
Paka Commented:
Looks like the bottom script in this link might be better suited to your task.

http://support.microsoft.com/kb/310866
0
 
Paka Commented:
Sorry, that one is for modifying a single mailbox.  Let me dig some more.  If I don't find something soon, do you need help in modifying one of the scripts that we found?  It looks like Steven's might be easier to change...
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
Hi Paka:

Maybe if we could amend the script Steven sent over; that seems like a winner to me.
To clarify - I just need to be able to do the following:

Set LDAP to a specific OU, i.e. OU=MDCUSERS,OU=EU,DC=COMPANY,DC=co,DC=uk
Modify the mailbox rights to add a specific service account to all mailbox-enabled user objects in this OU.
Output to logfile all mailboxes affected (if possible)

Cheers
Bry
0
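The three requirements just listed (target one OU, add a service account to every mailbox-enabled user's mailbox rights, log each result) as one VBScript, written here as an added example; it is not the KB 930879 script nor any code from this thread. It assumes CDOEXM (the Exchange 2003 System Management Tools) is installed on the machine running it, that the caller has Exchange admin rights, and that the OU path and the trustee name `COMPANY\svc_mailmigrate` are placeholders you replace; the CDOEXM MailboxRights/AccessControlEntry pattern follows the approach described in the KB 310866 article linked later in the thread.

```vbscript
' Added example (not from the thread). Assumes CDOEXM is installed where this runs,
' the caller has Exchange admin rights, and ouPath/trustee are replaced with real values.
Option Explicit
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ACE_MB_FULL_ACCESS = &H1                 ' Full Mailbox Access only, no Send As
Dim ouPath, trustee, fso, logFile, conn, cmd, rs
ouPath  = "OU=MDCUSERS,OU=EU,DC=COMPANY,DC=co,DC=uk"   ' OU named in the question
trustee = "COMPANY\svc_mailmigrate"                     ' hypothetical service account
Set fso = CreateObject("Scripting.FileSystemObject")
Set logFile = fso.OpenTextFile("mailboxrights.log", 8, True)   ' 8 = ForAppending
' ADO/LDAP query: user objects under the OU that are mailbox-enabled (homeMDB is set)
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandText = "<LDAP://" & ouPath & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(homeMDB=*));distinguishedName;subtree"
cmd.Properties("Page Size") = 500              ' paged search so all ~600 users come back
Set rs = cmd.Execute
Do Until rs.EOF
    GrantFullAccess rs.Fields("distinguishedName").Value
    rs.MoveNext
Loop
logFile.Close

' Add an allow-ACE for the trustee to one mailbox's DACL and log the outcome
Sub GrantFullAccess(userDn)
    Dim mbx, sd, dacl, ace
    On Error Resume Next                        ' one bad mailbox must not stop the run
    Set mbx = GetObject("LDAP://" & userDn)     ' with CDOEXM loaded the user exposes MailboxRights
    Set sd = mbx.MailboxRights
    Set dacl = sd.DiscretionaryAcl
    Set ace = CreateObject("AccessControlEntry")
    ace.Trustee = trustee
    ace.AccessMask = ACE_MB_FULL_ACCESS
    ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl
    mbx.MailboxRights = Array(sd)
    mbx.SetInfo
    If Err.Number <> 0 Then
        logFile.WriteLine "FAILED " & userDn & " : " & Err.Description
    Else
        logFile.WriteLine "OK " & userDn & " : Full Mailbox Access granted to " & trustee
    End If
End Sub
```

Run it with `cscript grantmbx.vbs` on a server with CDOEXM and review mailboxrights.log afterwards; because the mask is only ACE_MB_FULL_ACCESS, Send As is not granted, matching the outcome noted at the end of the thread.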
 
Paka Commented:
I looked at the code more closely and think it would be simpler (and safer) to use that code in the way it was intended.  I could modify the script but to do so properly would take a couple of hours to code and test fully (since it has 600+ lines of code).  I would recommend going about it this way:

1) dsquery user "ou=mdcusers,ou=eu,dc=company,dc=co,dc=uk" > inputfile.txt
2) open inputfile.txt with notepad and do a search and replace of =uk" with =uk" True True
3) run the Steven script using:
CSCRIPT modusers.vbs -Add company\serviceAccountName inputfile.txt

0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
Hi Paka:

Thanks, I will give your recommendations a go.
Please clarify point 2)
open inputfile.txt with notepad and do a search and replace of =uk" with =uk" True True ???

Cheers
Bry
0
 
Paka Commented:
This will add parameters to the text file - this is needed for the script to run properly.  The inputfile should look like:

DN True True
DN True True
DN True True

Using notepad, we're just doing a search and replace for the end of each line of text and adding "True True" to it.
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
OK, so that I've got it right, for example it would be

"CN=USER,OU=USER_MIGRATION,DC=company,DC=co,DC=uk" TRUE TRUE

? Do I have the " " in the right place?

Is that correct?

Thanks buddy
Bry
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
I have created the input file
I have updated the file with CN~" True True
I have run the script cscript usermod.vbs -Add DOM\SVCaccount INPUTFILE.txt

In the permission.err log I get the following:
NO mailbox owner user accounts found for "CN=USERS etc etc"
FAILED to get user's LDAP path from "CN=USERS etc etc"

Any ideas?

Cheers
Bry
0
 
Paka Commented:
Looks like the calling sequence and input file format might be different than what I thought.  I'm still troubleshooting on this end.  So far, it looks like the first line in the inputfile.txt will be the account that you are granting the full mailbox permissions to.  (The account on the command line is the account under which the permission mods will be done.)

0
 
Paka Commented:
Guess it helps if you read the instructions...  It turns out this script will grant permissions to the user on the command line, but it will grant permissions to MAILBOXES that are defined in the inputfile.txt.  Additionally, the mailboxes must be defined in the LegacyExchangeDN format.  I guess that doesn't help much.  Let me dig some more....
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
Thanks Paka

I really appreciate your input on this..!
I am working on it this end also - I'm sure we'll get there...

Thanks again
Bry
0
 
Paka Commented:
Here's the revised course of action.  Use dsquery to export the list of legacyExchangeDN names of users within the OU of interest and pipe that output to inputfile.txt.  Next, feed that list into the script above.  I'm still looking into the "True True" thing.
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
Hi Paka

OK - I shall look at dsquery to output the legacyExchangeDN

Cheers
Bry
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
Update:

To get my legacyExchangeDN I run the following:
csvde -f c:\csvlegx2.txt -s DC_NAME -d "ou=sys admin ou,OU=company ou,ou=old_companyl,dc=company,dc=co,dc=uk" -p SubTree -r "(&(mailNickname=*))" -l "legacyExchangeDN"

This works all fine.
I use this as the input file..

I now get a different error:
failed to add fullmailbox access the security id structure is invalid

Hmm, seems LDAP etc. is fine so I am digging deeper to find out why it will not modify the mbx rights..!

Check back soon
Cheers
Bry
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
Update 2:

Ok - I tried running this in another AD I have access to and I got some of the mailboxes modified, so looks like we are getting closer..!  :-)
I will do some further tests and update again.

Cheers
Bry
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
OK - all seems to be working for me :-)

For clarity, I did the following:

1: Get a list of the legacyExchangeDN's:
csvde -f c:\csvlegx2.txt -s DC_NAME -d "ou=sys admin ou,OU=company ou,ou=old_companyl,dc=company,dc=co,dc=uk" -p SubTree -r "(&(mailNickname=*))" -l "legacyExchangeDN"

*** clean-up the file so that only the legacyExchangeDN is showing:

2: Run the following from the command line:
cscript scriptname.vbs -Add DOMAIN\USERTOADD inputfile.txt

3: Check the log and error log to see what actions were completed on what accounts.

Note: depending on the permissions of the account you are adding, a basic domain user account will only get Full Mailbox Access and NOT Send-As (good enough for my needs though, as I didn't need to send-as).

I would like to split the points down the middle with:
StevenWells99: 250
Paka: 250

Does either of you have any objections to this?

I also want to say a massive thank you to both of you, for your help on this - It is very much appreciated and humbles me, just how generous people are with their time, in helping others..!

Cheers
Bry
0
 
Steven Wells Commented:
Good work in getting this solution working.
Steven
0
 
Paka Commented:
Hi Bry,

I second Steven - great job in gluing things together.  The split works for me.

Pat
0
 
bryan oakley-wiggins (Senior Cloud Engineer, Author) Commented:
@ StevenWells99: Thanks so much for your pointers
@ Paka: Also, thanks for your pointers.

I really appreciate your time and effort on this, genuinely it is so appreciated.

Cheers
Bry

For clarity to anyone else who may find this solution helpful, here is the finished process:
1: Get a list of the legacyExchangeDN's:
csvde -f c:\csvlegx2.txt -s DC_NAME -d "ou=sys admin ou,OU=company ou,ou=old_companyl,dc=company,dc=co,dc=uk" -p SubTree -r "(&(mailNickname=*))" -l "legacyExchangeDN"

*** clean-up the file so that only the legacyExchangeDN is showing:

2: Run the following from the command line:
cscript scriptname.vbs -Add DOMAIN\USERTOADD inputfile.txt

3: Check the log and error log to see what actions were completed on what accounts.

Note: depending on the permissions of the account you are adding, a basic domain user account will only get Full Mailbox Access and NOT Send-As (good enough for my needs though, as I didn't need to send-as).

0