Enumerating exchange users where Everyone - Full Mailbox access is set

I have come across a few users in our AD environment (Exchange 2003) where their Mailbox rights include "Everyone" and "Full mailbox access" is checked.  Obviously this means that anyone in the organization can open their e-mail box from Open Other User's Folder in Outlook.

I would like to modify the below script, or simplify it, to go through every account and look for where "Full Mailbox access" for the Everyone group is set. I found this code on this guy's blog: http://gsexdev.blogspot.com/2007/04/tracking-permission-changes-to-mailbox.html

It could be as simple as returning the name where their ACL includes Everyone - Full mailbox access.
' Exchange 2003 mailbox-rights bits found in msExchMailboxSecurityDescriptor ACEs
Const RIGHT_DS_DELETE = &H10000           ' Delete mailbox storage
Const RIGHT_DS_READ = &H20000             ' Read permissions
Const RIGHT_DS_CHANGE = &H40000           ' Change permissions
Const RIGHT_DS_TAKE_OWNERSHIP = &H80000   ' Take ownership
Const RIGHT_DS_MAILBOX_OWNER = &H1        ' Full mailbox access
Const RIGHT_DS_SEND_AS = &H2              ' Send as
Const RIGHT_DS_PRIMARY_OWNER = &H4        ' Associated external account

' short domain name, used to build DOMAIN\user trustee strings
Set objSystemInfo = CreateObject("ADSystemInfo")
strdname = objSystemInfo.DomainShortName

' MSDataShape connection for the hierarchical (user -> ACEs) recordset
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString

' LDAP query for every mailbox-enabled user in the default naming context
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))));samaccountname,displayname,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = Query
Com.Properties("Page Size") = 1000

' parent rows = users (as trustees), child rows = ACEs, related by trustee name,
' so each user's chapter lists the mailboxes that user has rights on
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
         "  NEW adVarChar(255) AS UOADDisplayName, " & _
         "  NEW adVarChar(255) AS UOADTrusteeName, " & _
         " ((SHAPE APPEND  " & _
         "      NEW adVarChar(255) AS MRmbox, " & _
         "      NEW adVarChar(255) AS MRTrusteeName, " & _
         "      NEW adVarChar(255) AS MRRights, " & _
         "      NEW adVarChar(255) AS MRAceflags) " & _
         "      RELATE UOADTrusteeName TO MRTrusteeName) AS rsUOMR"
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1

Set Rs = Com.Execute
While Not Rs.EOF
	' escape "/" in the DN so GetObject does not read it as a path separator
	dn = "LDAP://" & replace(rs.Fields("distinguishedName").Value,"/","\/")
	set objuser = getobject(dn)
	' mailbox rights live in msExchMailboxSecurityDescriptor, not in ntSecurityDescriptor
	Set oSecurityDescriptor = objuser.Get("msExchMailboxSecurityDescriptor")
	Set dacl = oSecurityDescriptor.DiscretionaryAcl
	objParentRS.addnew
	objParentRS("UOADDisplayName") = rs.fields("displayname")
	objParentRS("UOADTrusteeName") = strdname & "\" & rs.fields("samaccountname")
	objParentRS.update
	Set objChildRS = objParentRS("rsUOMR").Value
	For Each ace In dacl
		' 18 = INHERITED_ACE + CONTAINER_INHERIT_ACE: skip inherited entries and the owner's SELF entry
		if ace.AceFlags <> 18 then
			if ace.Trustee <> "NT AUTHORITY\SELF" then
				objChildRS.addnew
				objChildRS("MRmbox") = rs.fields("displayname")
				objChildRS("MRTrusteeName") = ace.Trustee
				objChildRS("MRRights") = ace.AccessMask
				objChildRS("MRAceflags") = ace.AceFlags
				objChildRS.update
			end if
		end if
	Next
	rs.movenext
Wend
wscript.echo "Number of Mailboxes Checked " & objParentRS.recordcount
Wscript.echo

' report: for each user that holds rights on other mailboxes, list those mailboxes
' and decode the access mask bit by bit
objParentRS.MoveFirst
Do While Not objParentRS.EOF
	Set objChildRS = objParentRS("rsUOMR").Value
	if objChildRS.recordcount <> 0 then wscript.echo objParentRS("UOADDisplayName")
	Do While Not objChildRS.EOF
		wscript.echo "   " & objChildRS.fields("MRmbox")
		If (objChildRS.fields("MRRights") And RIGHT_DS_SEND_AS) Then
			wscript.echo "		-send mail as"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_CHANGE) Then
			wscript.echo "		-modify user attributes"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_DELETE) Then
			wscript.echo "		-delete mailbox store"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_READ) Then
			wscript.echo "		-read permissions"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_TAKE_OWNERSHIP) Then
			wscript.echo "		-take ownership of this object"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_MAILBOX_OWNER) Then
			wscript.echo "		-is mailbox owner of this object"
		End If
		If (objChildRS.fields("MRRights") And RIGHT_DS_PRIMARY_OWNER) Then
			wscript.echo "		-is mailbox Primary owner of this object"
		End If
		objChildRS.movenext
	loop
	objParentRS.MoveNext
loop

nucksgambitAsked:

MesthaCommented:
Are you sure that "Everyone" has been set explicitly and not via inheritance? It is unusual to see that permission set explicitly.
However, rather than use a script, just get hold of admodify (http://www.codeplex.com/admodify), which will allow you to make the change quickly.

Make sure that you remove just the full mailbox permission, nothing else, as Everyone does need to be listed in the permissions.

Simon.
nucksgambitAuthor Commented:
I agree, I was shocked to see it.  Unfortunately it was someone fairly important to the organization, and management wants an audit of who else has the permission set.  That utility would probably solve the root of the problem by brute force; however, if someone has a script that will do just that or something similar, that would be great.
nucksgambitAuthor Commented:
"however if someone has a script that will do just that"

edit:
if someone has a script that will create a list of users with the permission "Full mailbox access" for the Everyone group in their permission list.
nucksgambitAuthor Commented:
I think I was able to hack through Glen's script and modify it.  It *looks* like it is working.  I found a few more users that had the permission set.  If anyone sees any glaring errors please let me know...
Const RIGHT_DS_MAILBOX_OWNER = &H1       ' the "Full mailbox access" bit of the mailbox-rights mask
Const ADS_ACETYPE_ACCESS_ALLOWED = 0     ' AceType 0 = allow; a deny ACE (type 1) grants nothing

' LDAP query for every mailbox-enabled user in the default naming context
' (the MSDataShape connection from Glen's script is not needed here and was dropped)
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))));samaccountname,displayname,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = Query
Com.Properties("Page Size") = 1000

' the ADSI provider returns a forward-only recordset, whose RecordCount is -1,
' so count the mailboxes as they are visited
intChecked = 0
Set Rs = Com.Execute
While Not Rs.EOF
	intChecked = intChecked + 1
	' escape "/" in the DN so GetObject does not read it as a path separator
	dn = "LDAP://" & replace(rs.Fields("distinguishedName").Value,"/","\/")
	set objuser = getobject(dn)
	Set oSecurityDescriptor = objuser.Get("msExchMailboxSecurityDescriptor")
	Set dacl = oSecurityDescriptor.DiscretionaryAcl
	For Each ace In dacl
		' 18 = INHERITED_ACE + CONTAINER_INHERIT_ACE: skip inherited entries, as Glen's script does
		if ace.AceFlags <> 18 then
			' only allow ACEs grant access; a deny ACE for Everyone must not be reported as a grant
			if ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED then
				if StrComp(ace.Trustee, "Everyone", vbTextCompare) = 0 then
					' test the bit, do not compare for equality: an ACE that grants Full mailbox
					' access together with other rights (e.g. Read permissions, &H20001) would
					' otherwise be missed
					if (ace.AccessMask And RIGHT_DS_MAILBOX_OWNER) <> 0 then
						wscript.echo rs.fields("displayname") & "     " & "Everyone - Full Mailbox access (mask &H" & Hex(ace.AccessMask) & ")"
					end if
				end if
			end if
		end if
	Next
	rs.movenext
Wend
wscript.echo "Number of Mailboxes Checked " & intChecked


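An added example (not code from the thread or from Glen's blog) that models the ACE test offline in Python, so the bit-test point can be checked without a directory: an ACE whose mask carries Full mailbox access together with Read permissions (0x20001) is caught by a bitwise test and missed by an equality test, and inherited or deny ACEs are not reported. The ACE field names follow the ADSI AccessControlEntry object; the constants' meanings and the sample DACLs are assumptions constructed for this example.

```python
# Added example (not from the thread): offline model of the ACE test the VBScript
# performs, using the mailbox-rights bits the script defines. Each ACE is a dict
# with the ADSI AccessControlEntry fields Trustee, AccessMask, AceFlags, AceType.
RIGHT_DS_MAILBOX_OWNER = 0x1      # "Full mailbox access"
RIGHT_DS_SEND_AS = 0x2
RIGHT_DS_PRIMARY_OWNER = 0x4      # "Associated external account"
RIGHT_DS_DELETE = 0x10000         # "Delete mailbox storage"
RIGHT_DS_READ = 0x20000           # "Read permissions"
RIGHT_DS_CHANGE = 0x40000         # "Change permissions"
RIGHT_DS_TAKE_OWNERSHIP = 0x80000
RIGHT_NAMES = {
    RIGHT_DS_MAILBOX_OWNER: "Full mailbox access", RIGHT_DS_SEND_AS: "Send as",
    RIGHT_DS_PRIMARY_OWNER: "Associated external account",
    RIGHT_DS_DELETE: "Delete mailbox storage", RIGHT_DS_READ: "Read permissions",
    RIGHT_DS_CHANGE: "Change permissions", RIGHT_DS_TAKE_OWNERSHIP: "Take ownership",
}
ACE_ACCESS_ALLOWED = 0   # ADS_ACETYPE_ACCESS_ALLOWED; 1 is a deny ACE and grants nothing
ACE_FLAGS_SKIPPED = 18   # INHERITED_ACE | CONTAINER_INHERIT_ACE, the entries the script skips


def decode_rights(mask):
    """Name every mailbox right set in a mask (bit test, not equality)."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def grants_everyone_full_access(ace):
    """Allow ACE, not an inherited one, trustee Everyone, Full mailbox access bit set."""
    return (ace["AceType"] == ACE_ACCESS_ALLOWED
            and ace["AceFlags"] != ACE_FLAGS_SKIPPED
            and ace["Trustee"].lower() == "everyone"
            and bool(ace["AccessMask"] & RIGHT_DS_MAILBOX_OWNER))


def audit(mailboxes):
    """Map each mailbox holding an offending ACE to that ACE's decoded rights."""
    return {name: decode_rights(ace["AccessMask"])
            for name, dacl in mailboxes.items()
            for ace in dacl if grants_everyone_full_access(ace)}


SAMPLE = {  # constructed DACLs, one ACE each, keyed by mailbox display name
    "Alice": [{"Trustee": "NT AUTHORITY\\SELF", "AccessMask": 0x1, "AceFlags": 0, "AceType": 0}],
    "Bob": [{"Trustee": "Everyone", "AccessMask": 0x20001, "AceFlags": 0, "AceType": 0}],
    "Carol": [{"Trustee": "Everyone", "AccessMask": 0x1, "AceFlags": 18, "AceType": 0}],
    "Dave": [{"Trustee": "Everyone", "AccessMask": 0x1, "AceFlags": 0, "AceType": 1}],
    "Erin": [{"Trustee": "Everyone", "AccessMask": 0x1, "AceFlags": 0, "AceType": 0}],
}

if __name__ == "__main__":
    for name, rights in audit(SAMPLE).items():
        print(name, "- Everyone:", ", ".join(rights))
```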