Solved

Enumerating exchange users where Everyone - Full Mailbox access is set

Posted on 2009-07-09
5
875 Views
Last Modified: 2012-06-22
I have come across a few users in our AD environment (Exchange 2003) where their Mailbox Rights include "Everyone" and "Full mailbox access" is checked. Obviously this means that anyone in the organization can open their e-mail box from Open other users' folders in Outlook.

I would like to modify the script below, or simplify it, to go through every account and look for where "Full mailbox access" for the Everyone group is set. I found this code on this guy's blog: http://gsexdev.blogspot.com/2007/04/tracking-permission-changes-to-mailbox.html

It could be as simple as returning the name where the ACL includes Everyone - Full mailbox access.

' Access-mask bits found in msExchMailboxSecurityDescriptor ACEs
Const RIGHT_DS_DELETE = &H10000
Const RIGHT_DS_READ = &H20000
Const RIGHT_DS_CHANGE = &H40000
Const RIGHT_DS_TAKE_OWNERSHIP = &H80000
Const RIGHT_DS_MAILBOX_OWNER = &H1      ' "Full mailbox access"
Const RIGHT_DS_SEND_AS = &H2
Const RIGHT_DS_PRIMARY_OWNER = &H4

' Short (NetBIOS) domain name, used to build DOMAIN\user trustee names
Set objSystemInfo = CreateObject("ADSystemInfo")
strdname = objSystemInfo.DomainShortName

' In-memory hierarchical recordset (MSDataShape) that collects the results
Set conn1 = CreateObject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString

' ADSI/LDAP connection used to enumerate mailbox-enabled users
Set conn = CreateObject("ADODB.Connection")
Set com = CreateObject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"

' Every user object that is mailbox-enabled (has a homeMDB or msExchHomeServerName)
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))));samaccountname,displayname,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = Query
Com.Properties("Page Size") = 1000

' Parent rows: one per user, keyed by its DOMAIN\user trustee name.
' Child rows: every explicit mailbox ACE, related to the parent whose trustee name it carries,
' so the report lists, per user, the mailboxes that user has rights on.
Set objParentRS = CreateObject("ADODB.Recordset")
Set objChildRS = CreateObject("ADODB.Recordset")
strSQL = "SHAPE APPEND" & _
         "  NEW adVarChar(255) AS UOADDisplayName, " & _
         "  NEW adVarChar(255) AS UOADTrusteeName, " & _
         " ((SHAPE APPEND  " & _
         "      NEW adVarChar(255) AS MRmbox, " & _
         "      NEW adVarChar(255) AS MRTrusteeName, " & _
         "      NEW adVarChar(255) AS MRRights, " & _
         "      NEW adVarChar(255) AS MRAceflags) " & _
         "      RELATE UOADTrusteeName TO MRTrusteeName) AS rsUOMR"
objParentRS.LockType = 3                ' adLockOptimistic, so rows can be added
objParentRS.Open strSQL, conn1

Set Rs = Com.Execute
While Not Rs.EOF
	' Escape forward slashes, which are path separators in an ADsPath
	dn = "LDAP://" & Replace(rs.Fields("distinguishedName").Value, "/", "\/")
	Set objuser = GetObject(dn)
	' Mailbox rights live in msExchMailboxSecurityDescriptor, not in the object's nTSecurityDescriptor
	Set oSecurityDescriptor = objuser.Get("msExchMailboxSecurityDescriptor")
	Set dacl = oSecurityDescriptor.DiscretionaryAcl

	objParentRS.AddNew
	objParentRS("UOADDisplayName") = rs.Fields("displayname")
	objParentRS("UOADTrusteeName") = strdname & "\" & rs.Fields("samaccountname")
	objParentRS.Update
	Set objChildRS = objParentRS("rsUOMR").Value

	For Each ace In dacl
		' 18 = INHERITED_ACE (&H10) Or CONTAINER_INHERIT_ACE (&H2): skip ACEs inherited from the store
		If ace.AceFlags <> 18 Then
			' SELF is the owner's own implicit entry and is not interesting for an audit
			If ace.Trustee <> "NT AUTHORITY\SELF" Then
				objChildRS.AddNew
				objChildRS("MRmbox") = rs.Fields("displayname")
				objChildRS("MRTrusteeName") = ace.Trustee
				objChildRS("MRRights") = ace.AccessMask
				objChildRS("MRAceflags") = ace.AceFlags
				objChildRS.Update
			End If
		End If
	Next
	rs.MoveNext
Wend

WScript.Echo "Number of Mailboxes Checked " & objParentRS.RecordCount
WScript.Echo

' Report: for each user, the mailboxes on which that user holds explicit rights, decoded bit by bit
objParentRS.MoveFirst
Do While Not objParentRS.EOF
	Set objChildRS = objParentRS("rsUOMR").Value
	If objChildRS.RecordCount <> 0 Then WScript.Echo objParentRS("UOADDisplayName")
	Do While Not objChildRS.EOF
		WScript.Echo "   " & objChildRS.Fields("MRmbox")
		If (objChildRS.Fields("MRRights") And RIGHT_DS_SEND_AS) Then
			WScript.Echo vbTab & vbTab & "-send mail as"
		End If
		If (objChildRS.Fields("MRRights") And RIGHT_DS_CHANGE) Then
			WScript.Echo vbTab & vbTab & "-modify user attributes"
		End If
		If (objChildRS.Fields("MRRights") And RIGHT_DS_DELETE) Then
			WScript.Echo vbTab & vbTab & "-delete mailbox store"
		End If
		If (objChildRS.Fields("MRRights") And RIGHT_DS_READ) Then
			WScript.Echo vbTab & vbTab & "-read permissions"
		End If
		If (objChildRS.Fields("MRRights") And RIGHT_DS_TAKE_OWNERSHIP) Then
			WScript.Echo vbTab & vbTab & "-take ownership of this object"
		End If
		If (objChildRS.Fields("MRRights") And RIGHT_DS_MAILBOX_OWNER) Then
			WScript.Echo vbTab & vbTab & "-is mailbox owner of this object"
		End If
		If (objChildRS.Fields("MRRights") And RIGHT_DS_PRIMARY_OWNER) Then
			WScript.Echo vbTab & vbTab & "-is mailbox Primary owner of this object"
		End If
		objChildRS.MoveNext
	Loop
	objParentRS.MoveNext
Loop

Question by:nucksgambit
5 Comments
 
LVL 65

Expert Comment

by:Mestha
ID: 24821778
Are you sure that "Everyone" has been set explicitly and not via inheritance? It is unusual to see that permission set explicitly.
However, rather than using a script, just get hold of ADModify (http://www.codeplex.com/admodify), which will allow you to make the change quickly.

Make sure that you remove just the full mailbox permission, nothing else, as Everyone does need to be listed in the permissions.

Simon.
0
 
LVL 1

Author Comment

by:nucksgambit
ID: 24824797
I agree, I was shocked to see it. Unfortunately it was someone fairly important to the organization, and management wants an audit of who else has the permission set. That utility would probably solve the root of the problem by brute force; however, if someone has a script that will do just that or something similar, that would be great.
0
 
LVL 1

Author Comment

by:nucksgambit
ID: 24824816
"however if someone has a script that will do just that"

edit:
if someone has a script that will create a list of users with the permission "Full mailbox access" for the everyone group in their permission list.
0
 
LVL 1

Accepted Solution

by: nucksgambit (earned 0 total points)
ID: 24828153
I think I was able to hack through Glen's script and modify it. It *looks* like it is working. I found a few more users that had the permission set. If anyone sees any glaring errors please let me know...
Const RIGHT_DS_MAILBOX_OWNER = &H1      ' "Full mailbox access" bit in the mailbox security descriptor
Const ADS_ACETYPE_ACCESS_ALLOWED = 0    ' only Allow ACEs grant access; a Deny ACE for Everyone is not an exposure

' ADSI/LDAP connection used to enumerate mailbox-enabled users
Set conn = CreateObject("ADODB.Connection")
Set com = CreateObject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"

' Every user object that is mailbox-enabled (has a homeMDB or msExchHomeServerName)
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))));samaccountname,displayname,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = Query
Com.Properties("Page Size") = 1000

Set Rs = Com.Execute
While Not Rs.EOF
	' Escape forward slashes, which are path separators in an ADsPath
	dn = "LDAP://" & Replace(rs.Fields("distinguishedName").Value, "/", "\/")
	Set objuser = GetObject(dn)
	' Mailbox rights live in msExchMailboxSecurityDescriptor, not in the object's nTSecurityDescriptor
	Set oSecurityDescriptor = objuser.Get("msExchMailboxSecurityDescriptor")
	Set dacl = oSecurityDescriptor.DiscretionaryAcl

	For Each ace In dacl
		' 18 = INHERITED_ACE (&H10) Or CONTAINER_INHERIT_ACE (&H2): only ACEs set explicitly on this mailbox are reported
		If ace.AceFlags <> 18 Then
			If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED And ace.Trustee = "Everyone" Then
				' Test the bit with And rather than =, so an ACE that also carries other rights
				' (for example Send As) is still reported
				If (ace.AccessMask And RIGHT_DS_MAILBOX_OWNER) Then
					WScript.Echo rs.Fields("displayname") & "     " & "Everyone - Full Mailbox access"
				End If
			End If
		End If
	Next
	rs.MoveNext
Wend

WScript.Echo "Number of Mailboxes Checked " & RS.RecordCount


0
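As an added example (not code from this thread or from Glen's blog), the Python below isolates the per-ACE decision the accepted script makes and runs it over constructed DACLs, so the three cases a reviewer would ask about are visible: a mask that combines Full mailbox access with other rights, a Deny ACE for Everyone, and an inherited ACE. It generalises the script's "AceFlags <> 18" test to any ACE carrying the INHERITED_ACE bit; the Ace class and the mailbox names are assumptions made for the sample.

```python
from dataclasses import dataclass

# Access-mask bits of the mailbox security descriptor (the RIGHT_DS_* constants used above)
RIGHT_DS_MAILBOX_OWNER = 0x1       # "Full mailbox access"
RIGHT_DS_SEND_AS = 0x2
RIGHT_DS_PRIMARY_OWNER = 0x4

# IADsAccessControlEntry AceType / AceFlags values used by the filter
ACE_ALLOWED, ACE_DENIED = 0, 1
ACEFLAG_INHERITED = 0x10           # ACE was inherited from the store/server, not set on the mailbox

@dataclass(frozen=True)
class Ace:                          # hypothetical stand-in for an IADsAccessControlEntry
    trustee: str
    access_mask: int
    ace_type: int = ACE_ALLOWED
    ace_flags: int = 0

def grants_everyone_full_access(ace: Ace) -> bool:
    """True only for an explicit Allow ACE for Everyone that carries the Full-mailbox-access bit."""
    if ace.ace_flags & ACEFLAG_INHERITED:   # inherited entries belong to the store, not this mailbox
        return False
    if ace.ace_type != ACE_ALLOWED:        # a Deny ACE removes access rather than granting it
        return False
    if ace.trustee.casefold() != "everyone":
        return False
    # Bitwise test, not ==, so a mask that also holds Send As etc. is still caught
    return bool(ace.access_mask & RIGHT_DS_MAILBOX_OWNER)

def exposed_mailboxes(mailboxes: dict) -> list:
    """Display names of mailboxes whose DACL has at least one offending ACE, sorted."""
    return sorted(name for name, dacl in mailboxes.items()
                  if any(grants_everyone_full_access(a) for a in dacl))

# Constructed sample DACLs with made-up names; not taken from any directory
SAMPLE = {
    "Alice Example": [Ace("NT AUTHORITY\\SELF", RIGHT_DS_MAILBOX_OWNER | RIGHT_DS_PRIMARY_OWNER),
                      Ace("Everyone", RIGHT_DS_MAILBOX_OWNER)],                    # exact mask: flagged
    "Bob Example": [Ace("Everyone", RIGHT_DS_MAILBOX_OWNER | RIGHT_DS_SEND_AS)],   # combined mask: flagged
    "Carol Example": [Ace("Everyone", RIGHT_DS_MAILBOX_OWNER, ace_type=ACE_DENIED)],          # Deny: not flagged
    "Dave Example": [Ace("Everyone", RIGHT_DS_MAILBOX_OWNER, ace_flags=ACEFLAG_INHERITED)],  # inherited: skipped
}

if __name__ == "__main__":
    for name in exposed_mailboxes(SAMPLE):
        print(name + "     Everyone - Full Mailbox access")
```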
