Enumerating exchange users where Everyone - Full Mailbox access is set

nucksgambit asked
Medium Priority | 905 Views | Last Modified: 2012-06-22
I have come across a few users in our AD environment (Exchange 2003) where their Mailbox Rights include "Everyone" and "Full mailbox access" is checked. Obviously this means that anyone in the organization can open their e-mail box from Open Other Users' Folders in Outlook.

I would like to modify the script below, or simplify it, so that it goes through every account and looks for where "Full mailbox access" for the Everyone group is set. I found this code on this guy's blog: http://gsexdev.blogspot.com/2007/04/tracking-permission-changes-to-mailbox.html

It could be as simple as returning the name where their ACL includes Everyone - Full mailbox access.
' Rights bits found in msExchMailboxSecurityDescriptor access masks
Const RIGHT_DS_DELETE = &H10000
Const RIGHT_DS_READ = &H20000
Const RIGHT_DS_CHANGE = &H40000
Const RIGHT_DS_TAKE_OWNERSHIP = &H80000
Const RIGHT_DS_MAILBOX_OWNER = &H1      ' shown as "Full mailbox access" in ESM
Const RIGHT_DS_SEND_AS = &H2
Const RIGHT_DS_PRIMARY_OWNER = &H4

' NetBIOS domain name, used to build DOMAIN\user trustee names
Set objSystemInfo = CreateObject("ADSystemInfo")
strdname = objSystemInfo.DomainShortName

' In-memory hierarchical recordset (MSDataShape): one parent row per mailbox,
' one child row per ACE found on that mailbox
Set conn1 = CreateObject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString

' ADSI connection for the LDAP query that lists mailbox-enabled users
Set conn = CreateObject("ADODB.Connection")
Set com = CreateObject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
conn.Provider = "ADsDSOObject"
conn.Open "ADs Provider"
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))));samaccountname,displayname,distinguishedName;subtree"
com.ActiveConnection = conn
com.CommandText = Query
com.Properties("Page Size") = 1000      ' paged search, avoids the 1000-object limit

Set objParentRS = CreateObject("ADODB.Recordset")
Set objChildRS = CreateObject("ADODB.Recordset")
strSQL = "SHAPE APPEND" & _
           "  NEW adVarChar(255) AS UOADDisplayName, " & _
           "  NEW adVarChar(255) AS UOADTrusteeName, " & _
           " ((SHAPE APPEND  " & _
           "      NEW adVarChar(255) AS MRmbox, " & _
           "      NEW adVarChar(255) AS MRTrusteeName, " & _
           "      NEW adVarChar(255) AS MRRights, " & _
           "      NEW adVarChar(255) AS MRAceflags) " & _
           "      RELATE UOADTrusteeName TO MRTrusteeName) AS rsUOMR"
objParentRS.LockType = 3                ' adLockOptimistic, required for AddNew
objParentRS.Open strSQL, conn1

' Pass 1: read each mailbox's security descriptor and store its explicit ACEs
Set rs = com.Execute
While Not rs.EOF
    ' Forward slashes in a DN must be escaped before GetObject can bind to it
    dn = "LDAP://" & Replace(rs.Fields("distinguishedName").Value, "/", "\/")
    Set objUser = GetObject(dn)
    Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")
    Set dacl = oSecurityDescriptor.DiscretionaryAcl
    objParentRS.AddNew
    objParentRS("UOADDisplayName") = rs.Fields("displayname")
    objParentRS("UOADTrusteeName") = strdname & "\" & rs.Fields("samaccountname")
    objParentRS.Update
    Set objChildRS = objParentRS("rsUOMR").Value
    For Each ace In dacl
        ' AceFlags 18 = CONTAINER_INHERIT_ACE + INHERITED_ACE: skip entries
        ' inherited from the mailbox store and keep only explicit ones
        If ace.AceFlags <> 18 Then
            ' the mailbox owner's own entry (SELF) is always present and not interesting
            If ace.Trustee <> "NT AUTHORITY\SELF" Then
                objChildRS.AddNew
                objChildRS("MRmbox") = rs.Fields("displayname")
                objChildRS("MRTrusteeName") = ace.Trustee
                objChildRS("MRRights") = ace.AccessMask
                objChildRS("MRAceflags") = ace.AceFlags
                objChildRS.Update
            End If
        End If
    Next
    rs.MoveNext
Wend
WScript.Echo "Number of Mailboxes Checked " & objParentRS.RecordCount
WScript.Echo

' Pass 2: print, for each mailbox with explicit ACEs, every trustee and the
' rights decoded from its access mask
objParentRS.MoveFirst
Do While Not objParentRS.EOF
    Set objChildRS = objParentRS("rsUOMR").Value
    If objChildRS.RecordCount <> 0 Then WScript.Echo objParentRS("UOADDisplayName")
    Do While Not objChildRS.EOF
        ' print the trustee, not the mailbox name again (original printed MRmbox here)
        WScript.Echo "   " & objChildRS.Fields("MRTrusteeName")
        If (objChildRS.Fields("MRRights") And RIGHT_DS_SEND_AS) Then
            WScript.Echo "      -send mail as"
        End If
        If (objChildRS.Fields("MRRights") And RIGHT_DS_CHANGE) Then
            WScript.Echo "      -modify user attributes"
        End If
        If (objChildRS.Fields("MRRights") And RIGHT_DS_DELETE) Then
            WScript.Echo "      -delete mailbox store"
        End If
        If (objChildRS.Fields("MRRights") And RIGHT_DS_READ) Then
            WScript.Echo "      -read permissions"
        End If
        If (objChildRS.Fields("MRRights") And RIGHT_DS_TAKE_OWNERSHIP) Then
            WScript.Echo "      -take ownership of this object"
        End If
        If (objChildRS.Fields("MRRights") And RIGHT_DS_MAILBOX_OWNER) Then
            WScript.Echo "      -is mailbox owner of this object (Full mailbox access)"
        End If
        If (objChildRS.Fields("MRRights") And RIGHT_DS_PRIMARY_OWNER) Then
            WScript.Echo "      -is mailbox Primary owner of this object"
        End If
        objChildRS.MoveNext
    Loop
    objParentRS.MoveNext
Loop

Commented:
Are you sure that "Everyone" has been set explicitly and not via inheritance? It is unusual to see that permission set explicitly.
However, rather than use a script, just get hold of admodify (http://www.codeplex.com/admodify), which will allow you to make the change quickly.

Make sure that you remove just the full mailbox permission, nothing else, as Everyone does need to be listed in the permissions.

Simon.

Author

Commented:
I agree, I was shocked to see it. Unfortunately it was someone fairly important to the organization, and management wants an audit of who else has the permission set. That utility would probably solve the root of the problem by brute force; however, if someone has a script that will do just that, or something similar, that would be great.

Author

Commented:
"however if someone has a script that will do just that"

edit:
if someone has a script that will create a list of users with the permission "Full mailbox access" for the Everyone group in their permission list.
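The audit the asker describes, as an added example that is not the asker's script or the blog's: it walks the same mailbox-enabled users, but instead of dumping every ACE it reports only mailboxes whose msExchMailboxSecurityDescriptor contains an Allow entry for Everyone with the mailbox-owner bit (the "Full mailbox access" checkbox), and says whether that entry is explicit or inherited, which answers Simon's inheritance question at the same time. It assumes ADSI renders the well-known Everyone SID (S-1-1-0) as the trustee name "Everyone".

```vbscript
' Added example (not the asker's or the blog's script); assumes ADSI renders
' the well-known Everyone SID (S-1-1-0) as the trustee name "Everyone".
Option Explicit
Const RIGHT_DS_MAILBOX_OWNER = &H1   ' the "Full mailbox access" bit
Const ADS_ACETYPE_ACCESS_ALLOWED = 0 ' only Allow entries grant access
Const INHERITED_ACE = &H10           ' AceFlags bit set on inherited entries
Dim rootDSE, conn, com, rs, dn, objUser, sd, ace, checked, flagged, origin
Set rootDSE = GetObject("LDAP://RootDSE")
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "ADs Provider"
Set com = CreateObject("ADODB.Command")
com.ActiveConnection = conn
' Same mailbox-enabled-user filter as the blog script, written out flat
com.CommandText = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(mailnickname=*)" & _
    "(|(homeMDB=*)(msExchHomeServerName=*)));" & _
    "distinguishedName,displayName,sAMAccountName;subtree"
com.Properties("Page Size") = 1000   ' paged search for large domains

checked = 0 : flagged = 0
Set rs = com.Execute
Do Until rs.EOF
    checked = checked + 1
    ' Forward slashes in a DN must be escaped before GetObject can bind to it
    dn = "LDAP://" & Replace(rs.Fields("distinguishedName").Value, "/", "\/")
    Set objUser = GetObject(dn)
    On Error Resume Next               ' attribute may be missing on odd objects
    Set sd = objUser.Get("msExchMailboxSecurityDescriptor")
    If Err.Number = 0 Then
        On Error GoTo 0
        For Each ace In sd.DiscretionaryAcl
            ' Flag only Allow entries for Everyone that carry the owner bit
            If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED _
               And UCase(ace.Trustee) = "EVERYONE" _
               And (ace.AccessMask And RIGHT_DS_MAILBOX_OWNER) <> 0 Then
                flagged = flagged + 1
                ' Inherited entries come from the store/server, not the mailbox
                If (ace.AceFlags And INHERITED_ACE) <> 0 Then origin = "inherited" Else origin = "explicit"
                WScript.Echo rs.Fields("displayName").Value & " (" & _
                    rs.Fields("sAMAccountName").Value & "): Everyone = Full mailbox access, " & origin
            End If
        Next
    Else
        Err.Clear : On Error GoTo 0
    End If
    rs.MoveNext
Loop
WScript.Echo checked & " mailboxes checked, " & flagged & " grant Everyone full access"
```

Run it with cscript so the output goes to the console, and treat any "inherited" line as a store- or server-level setting to fix there rather than on the individual mailbox.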