Solved

Exchange 2010

Posted on 2014-02-15
Last Modified: 2014-03-05
I want to get a list of names of all mailbox permissions that are accessing other mailboxes with permissions assigned.
How do I do this?

Dnrrp
0
Question by:DNRRP
7 Comments
 
LVL 13

Expert Comment

by:Chris Raisin
ID: 39862692
Do you want to do this using VBA?
0
 
LVL 13

Expert Comment

by:Chris Raisin
ID: 39862720
If using VBA (which I assume), the following code might be handy.

I cannot test it on my machine since it involves servers (which I do not have).

I repeat the code here (written by someone else) since giving a reference only leads to "broken links" when pages are taken down in the future.

I hope this may help.

The link for this code is:
http://blogs.msdn.com/b/brijs/archive/2009/03/27/how-enumerate-mailbox-permission-using-adsi-vbscript.aspx


For a version of the code which uses CDOEXM check out the post at
http://blogs.msdn.com/vikas/archive/2008/11/01/howto-programmatically-enumerate-permissions-on-exchange-2003-mailbox-store.aspx

OPTION EXPLICIT
 
Const ADS_ACETYPE_ACCESS_ALLOWED = &H00
Const ADS_ACETYPE_ACCESS_DENIED = &H01
Const ADS_ACETYPE_SYSTEM_AUDIT = &H02
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H05
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H06
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H07
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = &H08
Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK = &H09
Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK = &H0A
Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK_OBJECT = &H0B
Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK_OBJECT = &H0C
Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK = &H0D
Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK = &H0E
Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK_OBJECT = &H0F
Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK_OBJECT = &H10
 
Const ADS_ACEFLAG_INHERIT_ACE = &H02
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H04
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H08
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1f
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
Const ADS_ACEFLAG_FAILED_ACCESS = &H80
 
Const ADS_RIGHT_DELETE = &H00010000
Const ADS_RIGHT_READ_CONTROL = &H00020000
Const ADS_RIGHT_WRITE_DAC = &H00040000
Const ADS_RIGHT_WRITE_OWNER = &H00080000
Const ADS_RIGHT_SYNCHRONIZE = &H00100000
Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H01000000
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_WRITE = &H40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_RIGHT_GENERIC_ALL = &H10000000
Const ADS_RIGHT_DS_CREATE_CHILD = &H00000001
Const ADS_RIGHT_DS_DELETE_CHILD = &H00000002
Const ADS_RIGHT_ACTRL_DS_LIST = &H00000004
Const ADS_RIGHT_DS_SELF = &H00000008
Const ADS_RIGHT_DS_READ_PROP = &H00000010
Const ADS_RIGHT_DS_WRITE_PROP = &H00000020
Const ADS_RIGHT_DS_DELETE_TREE = &H00000040
Const ADS_RIGHT_DS_LIST_OBJECT = &H00000080
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H00000100
 
Const FULLCONTROL = 983551
 
Const ReceiveAs = "{AB721A56-1E2F-11D0-9819-00AA0040529B}"
Const SendAs = "{AB721A54-1E2F-11D0-9819-00AA0040529B}"
 
Dim objUser
Dim oSecurityDescriptor 
Dim dacl 
Dim ace 
Dim strOutput
Dim strPath
Dim strOutputPath
Dim fso
Dim fOutput
Dim strAccount 
Dim strAccess
Dim Conn
Dim Comm
Dim RSAll
Dim iAdRootDSE
Dim strNameingContext
Dim Query
 
 
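' Ask for the output file name; the file is created in the script's own folder.
strOutput = InputBox("File Output", "", "ExportData.csv")
 
strPath = WScript.ScriptFullName
strOutputPath = Left(strPath, InStrRev(strPath, "\"))
 
Set fso = CreateObject("Scripting.FileSystemObject")
' CreateTextFile(filename, overwrite): True replaces an existing file.
Set fOutput = fso.CreateTextFile(strOutputPath & strOutput, True)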
 
 
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Query = "<LDAP://" & strNameingContext & ">;(&(mailnickname=*)(objectCategory=person)(objectClass=user));samaccountname,displayname,distinguishedName;subtree"
 
 
set conn = createobject("ADODB.Connection")
 
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
 
set comm = createobject("ADODB.Command")
Comm.ActiveConnection = conn
Comm.CommandText = Query
Comm.Properties("Page Size") = 1000
 
Set RsAll = Comm.Execute
 
Dim dn
While Not RSAll.EOF
    dn = "LDAP://" & replace(RSAll.Fields("distinguishedName").Value,"/","\/")
    GetPermissions(dn)
    RSAll.movenext
Wend
 
' Flush and close the report before exiting.
fOutput.Close
WScript.Echo "Done viewing the security descriptor"
WScript.Quit
    
 
'====================================================================
' Get the msExchMailboxSecurityDescriptor attribute and break it down
'====================================================================
Sub GetPermissions(DN)
 
    'Get directory user object.
    Set objUser = GetObject(DN)
    'Here we can use Display name as well to print.
    strAccount = objUser.Get("samAccountName")
    'strAccount = objUser.Get("displayName")
    fWriteLine("*Permission Info for :" & strAccount & vbCrLf)
 
    'The LDAP filter also matches mail-enabled users that have no mailbox.
    'Get raises an error when the attribute is not set, so skip those objects.
    On Error Resume Next
    Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        fWriteLine("* No msExchMailboxSecurityDescriptor on this object")
        Exit Sub
    End If
    On Error GoTo 0
 
    Set dacl = oSecurityDescriptor.DiscretionaryAcl
    Set ace = CreateObject("AccessControlEntry")
 
    For Each ace In dacl
        ' Display the properties of each ACE using the IADsAccessControlEntry interface.
        ' AceType is not checked here, so deny entries are listed alongside allow entries.
 
        strAccess = "Access Mask: " & vbCrLf
 
        ' In a mailbox security descriptor the low bits carry mailbox rights,
        ' which is why the DS_* constants are reused with mailbox meanings below.
        If (ace.AccessMask And ADS_RIGHT_DELETE) Then strAccess = strAccess & " Delete Permission" & vbCrLf
        If (ace.AccessMask And ADS_RIGHT_READ_CONTROL) Then strAccess = strAccess & " Read Permission " & vbCrLf
        If (ace.AccessMask And ADS_RIGHT_WRITE_DAC) Then strAccess = strAccess & " Change Permission" & vbCrLf
        If (ace.AccessMask And ADS_RIGHT_WRITE_OWNER) Then strAccess = strAccess & " Take Ownership " & vbCrLf
        If (ace.AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then strAccess = strAccess & " Associated External Account" & vbCrLf
        If (ace.AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then strAccess = strAccess & " Full Rights " & vbCrLf
 
        fWriteLine("*==========================================================================*")
        'fWriteLine("* RAW Info:" & vbcrlf & "TRUSTEE :" & vbcrlf & " " & ace.Trustee & vbcrlf & _
        '"AccessMask:" & vbcrlf & " " & ace.AccessMask & vbcrlf & _
        '"AceType :" & vbcrlf & " " & ace.AceType & vbcrlf & _
        '"AceFlags :" & vbcrlf & " " & ace.AceFlags & vbcrlf & _
        '"Flags :" & vbcrlf & " " & ace.Flags & vbcrlf & _
        '"ObjectType:" & vbcrlf & " " & ace.ObjectType & vbcrlf & _
        '"Inherited :" & vbcrlf & " " & ace.InheritedObjectType)
 
        'fWriteLine("*--------------------------------------------------------------------------*")
        fWriteLine("* Access Info:" & vbCrLf & "TRUSTEE :" & vbCrLf & " " & ace.Trustee & vbCrLf & strAccess)
    Next
 
End Sub
 
 
'====================================================================
' Write the data to a file
'====================================================================
sub fWriteLine(data)
fOutput.WriteLine data
end sub


0
 

Author Comment

by:DNRRP
ID: 39863130
Can this be done from PowerShell?

DNRRP
0

 

Author Comment

by:DNRRP
ID: 39863158
I am using powershell not BBC.

DNRRP
0
 
LVL 13

Accepted Solution

by:
Chris Raisin earned 500 total points
ID: 39863381
OK - Can't help with Powershell...sorry  :-(

Still....the code supplied would perhaps be good for VB Script/VBA users who want to do the same thing :-)    Shame I now get no credit (points-wise) for the 2 hours it took me to search out an answer for VBA.  :-(

Cheers
Chris
0
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39863895
Hi DNRRP,
You can explore a good PowerShell script here to find the list of all mailbox permissions that are accessing other mailboxes with permissions assigned.
Or, you can also have a look at this software (exchangeserverreporting.com), which seems a good choice for you. Hope this helps you.
0
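
The same audit from the Exchange Management Shell, as an added example that is not part of any post in this thread. It lists explicit (non-inherited) mailbox rights plus the Send-As and Receive-As extended rights that the VBScript above declares but never reports; the output file name and the helper `New-Row` are assumptions made for illustration.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2010.
$reportPath = Join-Path (Get-Location) 'MailboxDelegations.csv'   # assumed output file

# Hypothetical helper: turns one permission entry into a flat report row.
function New-Row($mbx, $ace, $rights, $source) {
    New-Object PSObject -Property @{
        Mailbox = $mbx.PrimarySmtpAddress.ToString()
        Trustee = $ace.User.ToString()
        Rights  = ($rights -join ';')
        Type    = $(if ($ace.Deny) { 'Deny' } else { 'Allow' })
        Source  = $source
    }
}

# The foreach statement collects all mailboxes first, so the nested cmdlets
# do not run inside the Get-Mailbox pipeline (which fails in remote sessions).
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $dn = $mbx.DistinguishedName

    # Mailbox rights such as FullAccess; skip inherited entries and the owner.
    Get-MailboxPermission -Identity $dn |
        Where-Object { -not $_.IsInherited -and
                       $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { New-Row $mbx $_ $_.AccessRights 'MailboxPermission' }

    # Send-As / Receive-As are extended rights on the AD object, not mailbox rights.
    Get-ADPermission -Identity $dn |
        Where-Object { -not $_.IsInherited -and
                       $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
                       ($_.ExtendedRights -match 'Send-As|Receive-As') } |
        ForEach-Object { New-Row $mbx $_ $_.ExtendedRights 'ADPermission' }
}

$report | Select-Object Mailbox, Trustee, Rights, Type, Source |
    Export-Csv -Path $reportPath -NoTypeInformation
```

Sorting the CSV by Trustee shows, per account, every other mailbox it can open or send as; Deny rows are kept so they are not mistaken for grants.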

Question has a verified solution.
