Solved

Enumerating exchange users where Everyone - Full Mailbox access is set

Posted on 2009-07-09
878 Views
Last Modified: 2012-06-22
I have come across a few users in our AD environment (Exchange 2003) where their Mailbox Rights include "Everyone" with "Full mailbox access" checked. Obviously this means that anyone in the organization can open their mailbox via Open Other User's Folder in Outlook.

I would like to modify the script below, or simplify it, so it goes through every account and looks for where "Full Mailbox access" is set for the Everyone group. I found this code on this guy's blog: http://gsexdev.blogspot.com/2007/04/tracking-permission-changes-to-mailbox.html

It could be as simple as returning the name where the ACL includes Everyone - Full mailbox access.
Const RIGHT_DS_DELETE = &H10000
Const RIGHT_DS_READ = &H20000
Const RIGHT_DS_CHANGE = &H40000
Const RIGHT_DS_TAKE_OWNERSHIP = &H80000
Const RIGHT_DS_MAILBOX_OWNER = &H1
Const RIGHT_DS_SEND_AS = &H2
Const RIGHT_DS_PRIMARY_OWNER = &H4
 
Set objSystemInfo = CreateObject("ADSystemInfo") 
strdname = objSystemInfo.DomainShortName
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))));samaccountname,displayname,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = Query
Com.Properties("Page Size") = 1000
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
           "  NEW adVarChar(255) AS UOADDisplayName, " & _
           "  NEW adVarChar(255) AS UOADTrusteeName, " & _
           " ((SHAPE APPEND  " & _
           "      NEW adVarChar(255) AS MRmbox, " & _
           "      NEW adVarChar(255) AS MRTrusteeName, " & _
           "      NEW adVarChar(255) AS MRRights, " & _
           "      NEW adVarChar(255) AS MRAceflags) " & _
           "      RELATE UOADTrusteeName TO MRTrusteeName) AS rsUOMR" 
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1
 
Set Rs = Com.Execute
While Not Rs.EOF
	dn = "LDAP://" & replace(rs.Fields("distinguishedName").Value,"/","\/")
	set objuser = getobject(dn)
	Set oSecurityDescriptor = objuser.Get("msExchMailboxSecurityDescriptor")
	Set dacl = oSecurityDescriptor.DiscretionaryAcl
	Set ace = CreateObject("AccessControlEntry")
	objParentRS.addnew 
	objParentRS("UOADDisplayName") = rs.fields("displayname")
	objParentRS("UOADTrusteeName") = strdname & "\" & rs.fields("samaccountname")
	objParentRS.update
	Set objChildRS = objParentRS("rsUOMR").Value
	For Each ace In dacl
		' AceFlags 18 = CONTAINER_INHERIT_ACE Or INHERITED_ACE: skip entries inherited from the store
		if ace.AceFlags <> 18 then
			' the mailbox owner's own SELF entry is expected; record every other trustee
			if ace.Trustee <> "NT AUTHORITY\SELF" then
				objChildRS.addnew
				objChildRS("MRmbox") = rs.fields("displayname")
				objChildRS("MRTrusteeName") = ace.Trustee
				objChildRS("MRRights") = ace.AccessMask
				objChildRS("MRAceflags") = ace.AceFlags
				objChildRS.update
			end if
		   end if
	Next
	rs.movenext
Wend
wscript.echo "Number of Mailboxes Checked " & objParentRS.recordcount
Wscript.echo
objParentRS.MoveFirst
Do While Not objParentRS.EOF
	Set objChildRS = objParentRS("rsUOMR").Value
	if objChildRS.recordcount <> 0 then wscript.echo objParentRS("UOADDisplayName")
	Do While Not objChildRS.EOF
		wscript.echo "   " & objChildRS.fields("MRmbox")
		If (objChildRS.fields("MRRights") And RIGHT_DS_SEND_AS) Then
			wscript.echo "		-send mail as"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_CHANGE) Then
			wscript.echo "		-modify user attributes"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_DELETE) Then
			wscript.echo  "		-delete mailbox store"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_READ) Then
			wscript.echo  "		-read permissions"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_TAKE_OWNERSHIP) Then
			wscript.echo  "		-take ownership of this object"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_MAILBOX_OWNER) Then
			wscript.echo "		-is mailbox owner of this object"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_PRIMARY_OWNER) Then
			wscript.echo  "		-is mailbox Primary owner of this object"
		End If
		objChildRS.movenext
	loop
	objParentRS.MoveNext
loop

Question by:nucksgambit
5 Comments
 
LVL 65

Expert Comment

by:Mestha
ID: 24821778
Are you sure that "Everyone" has been set explicitly and not via an inheritance? Unusual to see that permission set explicitly.
However, rather than use a script, just get hold of admodify (http://www.codeplex.com/admodify), which will allow you to make the change quickly.

Make sure that you remove just the full mailbox permission, nothing else, as Everyone does need to be listed in the permissions.

Simon.
 
LVL 1

Author Comment

by:nucksgambit
ID: 24824797
I agree; I was shocked to see it. Unfortunately it was someone fairly important to the organization, and management wants an audit of who else has the permission set. That utility would probably solve the root of the problem by brute force; however, if someone has a script that will do just that, or something similar, it would be great.
 
LVL 1

Author Comment

by:nucksgambit
ID: 24824816
"however if someone has a script that will do just that"

edit:
if someone has a script that will create a list of users with the permission "Full mailbox access" for the everyone group in their permission list.
 
LVL 1

Accepted Solution

by:nucksgambit (earned 0 total points)
ID: 24828153
I think I was able to hack through Glen's script and modify it. It *looks* like it is working. I found a few more users that had the permission set. If anyone sees any glaring errors please let me know...
Const RIGHT_DS_MAILBOX_OWNER = &H1
 
Set objSystemInfo = CreateObject("ADSystemInfo") 
strdname = objSystemInfo.DomainShortName
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))));samaccountname,displayname,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = Query
Com.Properties("Page Size") = 1000
 
Set Rs = Com.Execute
While Not Rs.EOF
	dn = "LDAP://" & replace(rs.Fields("distinguishedName").Value,"/","\/")
	set objuser = getobject(dn)
	Set oSecurityDescriptor = objuser.Get("msExchMailboxSecurityDescriptor")
	Set dacl = oSecurityDescriptor.DiscretionaryAcl
	Set ace = CreateObject("AccessControlEntry")
	For Each ace In dacl
		' AceFlags 18 = CONTAINER_INHERIT_ACE Or INHERITED_ACE: skip entries inherited from the store
		If ace.AceFlags <> 18 Then
			If ace.Trustee = "Everyone" Then
				' Test the Full-mailbox-access bit with And rather than =, so an ACE whose
				' mask also carries other rights (e.g. &H3 = full access + Send As) is still reported
				If (ace.AccessMask And RIGHT_DS_MAILBOX_OWNER) <> 0 Then
					wscript.echo rs.fields("displayname") & "     " & "Everyone - Full Mailbox access"
				End If
			End If
		End If
	Next
	rs.movenext
Wend
wscript.echo "Number of Mailboxes Checked " & RS.recordcount

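The two scripts above read msExchMailboxSecurityDescriptor, skip inherited entries (AceFlags 18) and test the access mask: the first decodes every right into a label, the accepted answer flags "Everyone" with the RIGHT_DS_MAILBOX_OWNER bit. The following is an added example, not code from the original post or from Glen's blog, that models exactly those checks offline in Python over a constructed set of DACLs, so the bitmask logic can be exercised without touching a directory. The constants are the ones the scripts use; the mailbox names, DACLs and the `ACCESS_ALLOWED_ACE_TYPE`/`INHERITED_ACE` header values are assumptions (the Win32 ACE header values, not anything from the page). It goes one step beyond the scripts in two ways: it tests the full-access bit with a bitwise AND so a mask that also carries Send As is still caught, and it ignores deny ACEs, which a trustee-and-mask test alone would count as a grant.

```python
"""Added example (not from the original post): offline model of the ACE checks
the VBScript scripts perform on msExchMailboxSecurityDescriptor. Sample data
below is constructed; nothing here talks to Active Directory."""
from dataclasses import dataclass
from typing import Dict, List

# Mailbox-rights bits in the msExchMailboxSecurityDescriptor access mask
# (the same constants the scripts above declare).
RIGHT_DS_MAILBOX_OWNER = 0x1        # "Full mailbox access"
RIGHT_DS_SEND_AS = 0x2
RIGHT_DS_PRIMARY_OWNER = 0x4
RIGHT_DS_DELETE = 0x10000
RIGHT_DS_READ = 0x20000
RIGHT_DS_CHANGE = 0x40000
RIGHT_DS_TAKE_OWNERSHIP = 0x80000

RIGHT_NAMES = [
    (RIGHT_DS_MAILBOX_OWNER, "Full mailbox access"),
    (RIGHT_DS_SEND_AS, "Send As"),
    (RIGHT_DS_PRIMARY_OWNER, "Primary owner"),
    (RIGHT_DS_DELETE, "Delete mailbox store"),
    (RIGHT_DS_READ, "Read permissions"),
    (RIGHT_DS_CHANGE, "Modify user attributes"),
    (RIGHT_DS_TAKE_OWNERSHIP, "Take ownership"),
]

# Win32 ACE header values (assumed here, not given on the page). The scripts'
# "AceFlags <> 18" test skips CONTAINER_INHERIT_ACE | INHERITED_ACE (0x02 | 0x10);
# testing the INHERITED_ACE bit alone is the general form of that check.
ACCESS_ALLOWED_ACE_TYPE = 0x0
ACCESS_DENIED_ACE_TYPE = 0x1
CONTAINER_INHERIT_ACE = 0x02
INHERITED_ACE = 0x10


@dataclass(frozen=True)
class Ace:
    trustee: str
    access_mask: int
    ace_flags: int = 0
    ace_type: int = ACCESS_ALLOWED_ACE_TYPE


def describe_rights(mask: int) -> List[str]:
    """Names of the rights set in a mask, tested bit by bit like the first
    script's 'MRRights And RIGHT_DS_...' lines."""
    return [name for bit, name in RIGHT_NAMES if mask & bit]


def everyone_has_full_access(dacl: List[Ace], include_inherited: bool = False) -> bool:
    """True if an allow ACE grants "Everyone" the Full-mailbox-access bit.

    '&' rather than '==': a mask of RIGHT_DS_MAILBOX_OWNER | RIGHT_DS_SEND_AS (3)
    still grants full access, and '== 1' would miss it. Deny ACEs are not grants.
    """
    for ace in dacl:
        if ace.ace_type != ACCESS_ALLOWED_ACE_TYPE:
            continue
        if not include_inherited and ace.ace_flags & INHERITED_ACE:
            continue
        if ace.trustee == "Everyone" and ace.access_mask & RIGHT_DS_MAILBOX_OWNER:
            return True
    return False


def audit(mailboxes: Dict[str, List[Ace]], include_inherited: bool = False) -> List[str]:
    """Display names of mailboxes where Everyone holds full mailbox access."""
    return [name for name, dacl in mailboxes.items()
            if everyone_has_full_access(dacl, include_inherited)]


SELF = "NT AUTHORITY\\SELF"
OWNER_RIGHTS = RIGHT_DS_MAILBOX_OWNER | RIGHT_DS_SEND_AS | RIGHT_DS_PRIMARY_OWNER

# Constructed sample: display name -> DACL of the mailbox security descriptor.
SAMPLE_MAILBOXES: Dict[str, List[Ace]] = {
    # explicit Everyone ACE with mask exactly 1: the accepted answer reports this
    "Alice Example": [Ace(SELF, OWNER_RIGHTS), Ace("Everyone", RIGHT_DS_MAILBOX_OWNER)],
    # mask 3 (full access + Send As): an '= &H1' test misses it, a bit test does not
    "Bob Example": [Ace(SELF, OWNER_RIGHTS), Ace("Everyone", RIGHT_DS_MAILBOX_OWNER | RIGHT_DS_SEND_AS)],
    # inherited from the store (AceFlags 18): skipped unless include_inherited
    "Carol Example": [Ace(SELF, OWNER_RIGHTS),
                      Ace("Everyone", RIGHT_DS_MAILBOX_OWNER, CONTAINER_INHERIT_ACE | INHERITED_ACE)],
    # Everyone listed without the full-access bit: not reported
    "Dave Example": [Ace(SELF, OWNER_RIGHTS), Ace("Everyone", RIGHT_DS_SEND_AS)],
    # deny ACE for Everyone: a deny is not a grant
    "Erin Example": [Ace(SELF, OWNER_RIGHTS),
                     Ace("Everyone", RIGHT_DS_MAILBOX_OWNER, 0, ACCESS_DENIED_ACE_TYPE)],
}

if __name__ == "__main__":
    for name, dacl in SAMPLE_MAILBOXES.items():
        print(name)
        for ace in dacl:
            if ace.trustee != SELF:
                print(f"   {ace.trustee}: {', '.join(describe_rights(ace.access_mask)) or '(none)'}")
    print("Everyone - Full Mailbox access:", audit(SAMPLE_MAILBOXES))
```

Run as written, `audit(SAMPLE_MAILBOXES)` returns Alice and Bob only; passing `include_inherited=True` adds Carol, which is the case Simon's question about inheritance is getting at: an inherited Everyone entry points at the store or server ACL, not at the individual mailbox.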
