Blog - Title

March, 2009

Brijs Blogging... Looking Beyond the Obvious

  • Brijs Blogging... Looking Beyond the Obvious

    How enumerate mailbox permission using ADSI VBScript?

    • 2 Comments

    We can use ADSI VBScript sample given below to enumerate mailbox permission from the exchange server.

    NOTE: Following programming examples is for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose. This sample code assumes that you are familiar with the programming language being demonstrated and the tools used to create and debug procedures. This sample code is provided for the purpose of illustration only and is not intended to be used in a production environment.

    OPTION EXPLICIT
     
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H00
    Const ADS_ACETYPE_ACCESS_DENIED = &H01
    Const ADS_ACETYPE_SYSTEM_AUDIT = &H02
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H05
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H06
    Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H07
    Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = &H08
    Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK = &H09
    Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK = &H0A
    Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK_OBJECT = &H0B
    Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK_OBJECT = &H0C
    Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK = &H0D
    Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK = &H0E
    Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK_OBJECT = &H0F
    Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK_OBJECT = &H10
     
    Const ADS_ACEFLAG_INHERIT_ACE = &H02
    Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H04
    Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H08
    Const ADS_ACEFLAG_INHERITED_ACE = &H10
    Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1f
    Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
    Const ADS_ACEFLAG_FAILED_ACCESS = &H80
     
    Const ADS_RIGHT_DELETE = &H00010000
    Const ADS_RIGHT_READ_CONTROL = &H00020000
    Const ADS_RIGHT_WRITE_DAC = &H00040000
    Const ADS_RIGHT_WRITE_OWNER = &H00080000
    Const ADS_RIGHT_SYNCHRONIZE = &H00100000
    Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H01000000
    Const ADS_RIGHT_GENERIC_READ = &H80000000
    Const ADS_RIGHT_GENERIC_WRITE = &H40000000
    Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
    Const ADS_RIGHT_GENERIC_ALL = &H10000000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H00000001
    Const ADS_RIGHT_DS_DELETE_CHILD = &H00000002
    Const ADS_RIGHT_ACTRL_DS_LIST = &H00000004
    Const ADS_RIGHT_DS_SELF = &H00000008
    Const ADS_RIGHT_DS_READ_PROP = &H00000010
    Const ADS_RIGHT_DS_WRITE_PROP = &H00000020
    Const ADS_RIGHT_DS_DELETE_TREE = &H00000040
    Const ADS_RIGHT_DS_LIST_OBJECT = &H00000080
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H00000100
     
    Const FULLCONTROL = 983551
     
    Const ReceiveAs = "{AB721A56-1E2F-11D0-9819-00AA0040529B}"
    Const SendAs = "{AB721A54-1E2F-11D0-9819-00AA0040529B}"
     
    Dim objUser
    Dim oSecurityDescriptor 
    Dim dacl 
    Dim ace 
    Dim strOutput
    Dim strPath
    Dim strOutputPath
    Dim fso
    Dim fOutput
    Dim strAccount 
    Dim strAccess
    Dim Conn
    Dim Comm
    Dim RSAll
    Dim iAdRootDSE
    Dim strNameingContext
    Dim Query
     
     
    strOutput = InputBox("File Output", "", "ExportData.csv")
     
    strPath = WScript.ScriptFullName
    stroutputPath = Left(strPath, InStrRev(strPath, "\"))
     
    set fso = CreateObject("Scripting.FileSystemObject")
    set fOutput = fso.CreateTextFile(strOutputPath & strOutput, 8)
     
     
    Set iAdRootDSE = GetObject("LDAP://RootDSE")
    strNameingContext = iAdRootDSE.Get("defaultNamingContext")
    Query = "<LDAP://" & strNameingContext & ">;(&(mailnickname=*)(objectCategory=person)(objectClass=user));samaccountname,displayname,distinguishedName;subtree"
     
     
    set conn = createobject("ADODB.Connection")
     
    Conn.Provider = "ADsDSOObject"
    Conn.Open "ADs Provider"
     
    set comm = createobject("ADODB.Command")
    Comm.ActiveConnection = conn
    Comm.CommandText = Query
    Comm.Properties("Page Size") = 1000
     
    Set RsAll = Comm.Execute
     
    Dim dn
    While Not RSAll.EOF
        dn = "LDAP://" & replace(RSAll.Fields("distinguishedName").Value,"/","\/")
        GetPermissions(dn)
        RSAll.movenext
    Wend
     
    WScript.Echo "Done viewing the security descriptor"
    WScript.Quit
        
     
    '====================================================================
    ' Get the msExchMailboxSecurityDescriptor attribute and break it down
    '====================================================================
    sub GetPermissions(DN)
     
    'Get directory user object.
    Set objUser = GetObject(DN)
    'Here we can use Display name as well to print.
    strAccount = objUser.Get("samAccountName")
    'strAccount = objUser.Get("displayName")
    fWriteLine("*Permission Info for :" & strAccount & vbcrlf) 
    Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")
     
    Set dacl = oSecurityDescriptor.DiscretionaryAcl
    Set ace = CreateObject("AccessControlEntry")
     
    For Each ace In dacl
    ' Display all the properties of the ACEs using the IADsAccessControlEntry interface.
     
    strAccess = "Access Mask: " & vbcrlf
     
    if (ace.AccessMask AND ADS_RIGHT_DELETE ) then strAccess = strAccess & " Delete Permission" & vbcrlf
    if (ace.AccessMask AND ADS_RIGHT_READ_CONTROL ) then strAccess = strAccess & " Read Permission " & vbcrlf
    if (ace.AccessMask AND ADS_RIGHT_WRITE_DAC ) then strAccess = strAccess & " Change Permission" & vbcrlf
    if (ace.AccessMask AND ADS_RIGHT_WRITE_OWNER ) then strAccess = strAccess & " Take Ownership " & vbcrlf
    if (ace.AccessMask AND ADS_RIGHT_ACTRL_DS_LIST ) then strAccess = strAccess & " Associated External Account" & vbcrlf
    if (ace.AccessMask AND ADS_RIGHT_DS_CREATE_CHILD ) then strAccess = strAccess & " Full Rights " & vbcrlf
     
    fWriteLine("*==========================================================================*")
    'fWriteLine("* RAW Info:" & vbcrlf & "TRUSTEE :" & vbcrlf & " " & ace.Trustee & vbcrlf & _
    '"AccessMask:" & vbcrlf & " " & ace.AccessMask & vbcrlf & _
    '"AceType :" & vbcrlf & " " & ace.AceType & vbcrlf & _
    '"AceFlags :" & vbcrlf & " " & ace.AceFlags & vbcrlf & _
    '"Flags :" & vbcrlf & " " & ace.Flags & vbcrlf & _
    '"ObjectType:" & vbcrlf & " " & ace.ObjectType & vbcrlf & _
    '"Inherited :" & vbcrlf & " " & ace.InheritedObjectType)
     
    'fWriteLine("*--------------------------------------------------------------------------*")
    fWriteLine("* Access Info:" & vbcrlf & "TRUSTEE :" & vbcrlf & " " & ace.Trustee & vbcrlf & strAccess)
    Next
     
     
    End Sub
     
     
    '====================================================================
    ' Write the data to a file
    '====================================================================
    sub fWriteLine(data)
    fOutput.WriteLine data
    end sub

    For a version of the above script which uses CDOEXM checkout my colleague's post @ http://blogs.msdn.com/vikas/archive/2008/11/01/howto-programmatically-enumerate-permissions-on-exchange-2003-mailbox-store.aspx
Page 1 of 1 (1 items)