Solved

Programmatically Add Admin Rights to Mailboxes on an Exchange Server 2003

Posted on 2011-03-16
Last Modified: 2012-05-11
Hi,

How can we provide administrator rights to a mailbox programmatically on an Exchange Server 2003?
0
Question by:davinder101
 
LVL 7

Expert Comment

by:waleeda
ID: 35145710
Check the below:
Grant Full Mailbox Rights to an Administrator on Exchange 2000/2003

http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm


0
 

Author Comment

by:davinder101
ID: 35145794
This is a manual way, which I know.
I need a programmatic way using C#, VC++ or C++.
0
 
LVL 7

Expert Comment

by:waleeda
ID: 35145799
Sorry, I'm a systems guy; you'll have to contact a programming guy :)
0
 
LVL 8

Expert Comment

by:GundogTrainer
ID: 35146073
This is the basic script I have used in the past to add rights to a mailbox - can't remember where it came from originally.

I normally have the script saved as AddMBperms.vbs
and have a .bat file named AddPerms.bat with the following:
@echo off
cscript //nologo AddMBPerms.vbs %1 %2 true true >>log.txt

Then, for example, to add Domain\Davinder101 full rights to Domain\TestUser you can just run:
addperms Domain\Davinder101 Domain\Testuser

This will grant full access and send-as permissions.
' ------------------------------------------------------------------------------------------------------------------------------------------

Option Explicit

Dim objArgs : Set objArgs = WScript.Arguments
Dim sTarget,sTrustee,bSetSendAs,bSetReceiveAs

bSetSendAs = True
bSetReceiveAs = True
if objArgs.Count < 2 Then : ShowSyntax
If (objArgs(0) = "?") Or (objArgs(0) = "-?") Or (objArgs(0) = "/?") Then : ShowSyntax
sTarget = objArgs(0) 
sTrustee = objArgs(1)
If objArgs.Count > 2 Then
    If UCase(objArgs(2)) = "FALSE" Then 
        bSetSendAs = False
    Elseif UCase(objArgs(2)) <> "TRUE" Then
        ShowSyntax
    End If
End if
If objArgs.Count > 3 Then
    If UCase(objArgs(3)) = "FALSE" Then
        bSetReceiveAs = False
    Elseif UCase(objArgs(3)) <> "TRUE" Then
        ShowSyntax
    End If
End If

SetSendAsReceiveAs sTarget, sTrustee, bSetSendAs, bSetReceiveAs

' ------------------------------------------------------------------------------------------------------------------------------------------

Sub ShowSyntax
     Dim sString
     sString = "Syntax:" & vbCRLF & " cscript " & WScript.ScriptName & " domain\target domain\trustee [Set Send-As] [Set Receive-As]" & _
                    vbCRLF & "eg:" & vbCRLF & " cscript " & WScript.ScriptName & " mydomain\fred mydomain\Charlie True True" & _
                    vbCRLF & " cscript " & WScript.ScriptName & " mydomain\Fred mydomain\Charlie False True" & _ 
                    vbCRLF & " cscript " & WScript.ScriptName & " mydomain\Fred mydomain\Charlie"
     WScript.Echo sString
     WScript.Quit(1)
End Sub

' --------------------------------------------------------------------------

Function SetSendAsReceiveAs(sTarget,sTrustee,bSetSendAs,bSetReceiveAs)
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const RIGHT_DS_SEND_AS = "{ab721a54-1e2f-11d0-9819-00aa0040529b}"
Const RIGHT_DS_RECEIVE_AS = "{ab721a56-1e2f-11d0-9819-00aa0040529b}"
Dim objSdUtil, objSD, objDACL, objAce1, objAce2
SetSendAsReceiveAs = False 
On Error Resume Next
Err.Clear
Set objSdUtil = GetObject("LDAP://" & WinNTToLDAP(sTarget))
If Err.Number <> 0 Then : Exit Function
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL

Set objAce1 = CreateObject("AccessControlEntry")
objAce1.Trustee = sTrustee
objAce1.AceFlags = 0
objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objAce1.ObjectType = RIGHT_DS_SEND_AS
objAce1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS

Set objAce2 = CreateObject("AccessControlEntry")
objAce2.Trustee = sTrustee
objAce2.AceFlags = 0
objAce2.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce2.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objAce2.ObjectType = RIGHT_DS_RECEIVE_AS
objAce2.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS

if bSetSendAs Then : objDACL.AddAce objAce1
if bSetReceiveAs Then : objDACL.AddAce objAce2

objSD.DiscretionaryAcl = objDACL
objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
if bSetSendAs Or bSetReceiveAs Then : objSDUtil.SetInfo
If Err.Number <> 0 Then : Exit Function
SetSendAsReceiveAs = True
End Function

' --------------------------------------------------------------------------

Function WinNTToLDAP(sAccountName)
    Const ADS_NAME_INITTYPE_GC = 3
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    Dim objTrans, oObject
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    objTrans.Set ADS_NAME_TYPE_NT4, sAccountName
    WinNTToLDAP = objTrans.Get(ADS_NAME_TYPE_1779)
End Function

' --------------------------------------------------------------------------


0
 
LVL 8

Expert Comment

by:GundogTrainer
ID: 35146143
Sorry, this was VBScript - hadn't read your comment "i need a programmatic way using c#, vc++ or c++".
I don't do any of the C flavours, but you would need to add another entry to the DACL.
I did find an example of this on the following link; it may point you in the right direction.

http://social.technet.microsoft.com/Forums/en/exchangesvrdevelopment/thread/15e206fa-0d1e-4e92-a4f8-982eb35b81a5
0
 

Author Comment

by:davinder101
ID: 35179955
Hi,
Tried your VB script too.
It is not setting full mailbox permission.
0
 
LVL 8

Accepted Solution

by:
GundogTrainer earned 500 total points
ID: 35180429
OK,
Just had a look, and it sets the Send-As and Receive-As rights rather than the full access you asked for.

Do you want to give this one a go - it's a bit of a mess as I had been using it to add the external account access rights and disable mailboxes.
This does however set the "Full Mailbox access".

cscript.exe //nologo addperms.vbs domain\test1 domain\test33
should grant test33 full access to the test1 mailbox.

Dim objUser
Dim oSecurityDescriptor 
Dim dacl 
Dim ace 
CONST ADS_ACEFLAG_INHERIT_ACE = 2 
CONST ADS_RIGHT_DS_CREATE_CHILD = 1 
CONST ADS_ACETYPE_ACCESS_ALLOWED = 0 
CONST ADS_ACETYPE_ACCESS_DENIED = 1 
CONST ADS_ACETYPE_SYSTEM_AUDIT = 2 

CONST ADS_RIGHT_FULL_MB_ACCESS=&H00001
CONST ADS_EXTERNAL_ACCESS=&H00004

CONST ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5 
CONST ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6 
CONST ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7 
CONST ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8

'wscript.echo ADS_RIGHT_FULL_MB_ACCESS+ADS_EXTERNAL_ACCESS
'wscript.echo 131077 and ADS_EXTERNAL_ACCESS

'wscript.quit

' ********************************************************************
' Change this variable according to your environment.
'
Dim objArgs : Set objArgs = WScript.Arguments
if objArgs.count<>2 then wscript.quit
 sUserADsPath = "LDAP://" & WinNTToLDAP(objArgs(0))
 sTrustee = objArgs(1)

' ********************************************************************

'Get directory user object.
Set objUser = GetObject(sUserADsPath)


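' Get the mailbox security descriptor (SD). MailboxRights is exposed by CDOEXM
' (IExchangeMailbox), so run this where the Exchange management tools are installed.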
Set oSecurityDescriptor = objUser.MailboxRights

' Extract the Discretionary Access Control List (DACL) using the
' IADsSecurityDescriptor interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates how to read all the 
'  ACEs on a DACL for the Exchange 2000 mailbox.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'wscript.echo "Here are the existing ACEs in the mailbox's DACL:"

' Enumerate all the Access Control Entries (ACEs) in the DACL using the
' IADsAccessControlList interface, thereby displaying the current mailbox rights.
'wscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
readdACL=false
 For Each ace In dacl
 ' Display all the properties of the ACEs using the IADsAccessControlEntry interface.
     wscript.echo ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType
 Next


'wscript.quit
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates adding a new ACE to the DACL
'  for the Exchange 2003/2000 mailbox with the Trustee specified in sTrustee,
'  which permits full control over this mailbox.
'  This is the same task that is performed by ADUnC when you follow these
'  steps to modify the properties of a user: on the Exchange Advanced tab,
'  under Mailbox Rights, click Add, select the Trustee, and then select the 
'  Full Mailbox Access Rights check box. 
'  Similarly, you can also remove ACEs from this ACL by using the IADsAccessControlEntry interfaces.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

' Template: AddAce(TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
AddAce dacl, sTrustee, ADS_RIGHT_DS_CREATE_CHILD, _
       ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
'wscript.echo ADS_RIGHT_DS_CREATE_CHILD,ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
' Add the modified DACL to the security descriptor.
oSecurityDescriptor.DiscretionaryAcl = dacl

' Save new SD onto the user.
objUser.MailboxRights = oSecurityDescriptor

' Commit changes from the property cache to the information store.
objUser.SetInfo

wscript.quit(0)

'wscript.echo "Done viewing and modifying the mailboxsecurity descriptor"
'********************************************************************
'*
'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'*          gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'*
'* Purpose: Adds an ACE to a DACL
'* Input:   dacl            Object's Discretionary Access Control List
'*          TrusteeName     SID or Name of the trustee user account
'*          gAccessMask     Access Permissions
'*          gAceType        ACE Types
'*          gAceFlags       Inherit ACEs from the owner of the ACL
'*          gFlags          ACE has an object type or inherited object type
'*          gObjectType     Used for Extended Rights
'*          gInheritedObjectType
'*
'* Output:  Object - New DACL with the ACE added
'*
'********************************************************************

Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    ' Create a new ACE object.
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName
    'See whether ObjectType must be set
    If CStr(gObjectType) <> "0" Then
       Ace1.ObjectType = gObjectType
    End If

    'See whether InheritedObjectType must be set.
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If
    dacl.AddAce Ace1

    ' Destroy objects.
    Set Ace1 = Nothing
End Function

Function WinNTToLDAP(sAccountName)
    Const ADS_NAME_INITTYPE_GC = 3
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    Dim objTrans, oObject
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    objTrans.Set ADS_NAME_TYPE_NT4, sAccountName
    WinNTToLDAP = objTrans.Get(ADS_NAME_TYPE_1779)
End Function

Function DeleteAce(ByRef objDacl, _
                   ByRef szTrusteeName)

    Dim objOACE

    On Error Resume Next

    ' Create a temp ACE Object.
    Set objOACE = CreateObject("AccessControlEntry")

        ' Recurse through the ACL.

        For Each objOACE In objDacl

            ' Find the Trustee you are looking to delete.
            If (Trim(LCase(objOACE.Trustee)) = Trim(LCase(szTrusteeName))) Then

                ' Delete the ACE from the ACL
                objDacl.RemoveAce (objOACE)
            End If
        Next

    ' Clean up.
    Set objOACE = Nothing
End Function


0
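
The enumeration loop in the script above echoes one comma-separated line per ACE in the mailbox DACL. The following is an added example, not part of the original thread: it parses that output and lists the allow ACEs that grant Full Mailbox Access to trustees outside an approved set. The sample lines, the approved set and the function names are constructed for illustration; rights other than the script's two constants are the Windows standard access rights.

```python
# Added audit example (not from the thread): reads the ACE lines echoed by the
# enumeration loop in the script above and reports who holds Full Mailbox Access.
RIGHTS = {
    0x00001: "FULL_MAILBOX_ACCESS",   # ADS_RIGHT_FULL_MB_ACCESS in the script
    0x00004: "EXTERNAL_ACCOUNT",      # ADS_EXTERNAL_ACCESS in the script
    0x10000: "DELETE",                # Windows standard access rights
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
ADS_ACETYPE_ACCESS_ALLOWED = 0        # from the script
ADS_ACEFLAG_INHERITED_ACE = 0x10      # ADSI flag: ACE was inherited from a parent

# Constructed sample output; trustees and masks are illustrative only.
SAMPLE = r"""
NT AUTHORITY\SELF, 131073, 0, 2, 0, ,
EXC03\Domain Admins, 1, 1, 18, 0, ,
EXC03\administrator, 1, 0, 2, 0, ,
EXC03\backupsvc, 131077, 0, 18, 0, ,
"""

def parse_ace(line):
    """Split from the right so a comma inside the trustee name is tolerated."""
    trustee, mask, ace_type, ace_flags, _flags, _obj, _inh = (
        part.strip() for part in line.rsplit(",", 6))
    # VBScript prints the mask as a signed 32-bit value; normalise it.
    return trustee, int(mask) & 0xFFFFFFFF, int(ace_type), int(ace_flags)

def describe(mask):
    names = [name for bit, name in RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(RIGHTS)     # bits this table has no name for
    return names + ([hex(unknown)] if unknown else [])

def audit(output, approved):
    """Return (trustee, origin, rights) for unapproved full-access allow ACEs."""
    findings = []
    for line in output.splitlines():
        try:
            trustee, mask, ace_type, ace_flags = parse_ace(line)
        except ValueError:            # blank line, banner or other non-ACE text
            continue
        if (ace_type != ADS_ACETYPE_ACCESS_ALLOWED or not mask & 0x1
                or trustee.lower() in approved):
            continue
        origin = "inherited" if ace_flags & ADS_ACEFLAG_INHERITED_ACE else "explicit"
        findings.append((trustee, origin, describe(mask)))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, {r"nt authority\self"}))
```

An explicit entry with mask 1, type 0 and flags 2 is exactly what the script's AddAce call writes, so comparing findings before and after a run confirms whether the grant took effect.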

 

Author Comment

by:davinder101
ID: 35187869
I tried this with these two:

C:\AddPerms.bat "exc03.local\ashwani" "exc03.local\administrator"
and
C:\AddPerms.bat exc03.local\ashwani exc03.local\administrator

for both the scripts that you have provided, but nothing happens.
No rights are set; I cannot get the mailbox of the other user using the administrator account.

But when I do it manually it works fine.
0
 
LVL 8

Expert Comment

by:GundogTrainer
ID: 35187930
Odd,
Can I just check you are running this with an account with rights to update the permissions and you're logged into the same domain etc.

Not getting any errors etc.?

Do you get any results from the 2nd script at all? It should display the DACL - listing all the account names and rights (as an integer value).

Can you post the output if you run the following please.
cscript.exe scriptname.vbs exc03\ashwani exc03\administrator
0
 

Author Comment

by:davinder101
ID: 35187966
A log.txt is made; it is just an empty file.
And I am executing all these with the administrator login on the Exchange server itself, not from a domain PC.
0
 
LVL 8

Expert Comment

by:GundogTrainer
ID: 35188149
Can you post the output if you run the following please.
cscript.exe scriptname.vbs exc03\ashwani exc03\administrator

It can error out, and as the process terminates the output is no longer sent to the file, hence running it manually to see if there is any change - also just confirms that only 2 arguments are being passed to this script, as it terminates if there are more or less than 2.
0
 

Author Comment

by:davinder101
ID: 35188680
Hi,
Just changed the first script (the Send-As and Receive-As script)
by hard-coding the values like this:

************************************************************************
sTarget = "exc03\ashwani"
sTrustee = "exc03\adminsitrator"

SetSendAsReceiveAs sTarget, sTrustee, bSetSendAs, bSetReceiveAs

objSD.DiscretionaryAcl = objDACL
objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
if bSetSendAs Or bSetReceiveAs Then : objSDUtil.SetInfo

If Err.Number <> 0 Then : MsgBox(Err.Number)
'Exit Function

it returns error number:- -2147023559
************************************************************************

Second script:
Have a look at the attached output; I just tried to get it using print screen.

Maybe this helps to trace the error or results.
If it is not the result or output you were expecting me to send,
then tell me how to manually run a script, just the steps to run it,
as I am a newbie to this scripting world.








untitled.bmp
0
 

Author Comment

by:davinder101
ID: 35813395
Thanks a lot for the solution...
0
 

Author Closing Comment

by:davinder101
ID: 35813403
I got my solution partially.
0
