Hobby Chef

November, 2008 - Jive into Messaging world - Site Home - MSDN Blogs

Blog - Title

November, 2008

  • Jive into Messaging world

    HOWTO: Get Exchange 2000/2003 mailbox statistics remotely using WMI

    • 1 Comments

    Of course you cannot use WMI to manage Exchange 2007, obviously Powershell is more power full and recommended to be used on Exchange 2007 Server.

    We will talk about Powershell and how to do same for 2007 later. For now you can use following script to get the statistics data from Exchange WMI Provider and Exchange_Mailbox class of it.

     

    On Error Resume Next
    
    Const wbemFlagReturnImmediately = &h10
    Const wbemFlagForwardOnly = &h20
    
    arrComputers = Array("Server1", "Server2", "Server3")
    
    For Each strComputer In arrComputers
        WScript.Echo
        WScript.Echo "=========================================="
        WScript.Echo "Exchange Server: " & strComputer
        WScript.Echo "=========================================="
    
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftExchangeV2")
        Set colItems = objWMIService.ExecQuery("SELECT * FROM Exchange_Mailbox", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
    
        For Each objItem In colItems
            WScript.Echo "AssocContentCount: " & objItem.AssocContentCount
            WScript.Echo "Caption: " & objItem.Caption
            WScript.Echo "DateDiscoveredAbsentInDS: " & WMIDateStringToDate(objItem.DateDiscoveredAbsentInDS)
            WScript.Echo "DeletedMessageSizeExtended: " & objItem.DeletedMessageSizeExtended
            WScript.Echo "Description: " & objItem.Description
            WScript.Echo "InstallDate: " & WMIDateStringToDate(objItem.InstallDate)
            WScript.Echo "LastLoggedOnUserAccount: " & objItem.LastLoggedOnUserAccount
            WScript.Echo "LastLogoffTime: " & WMIDateStringToDate(objItem.LastLogoffTime)
            WScript.Echo "LastLogonTime: " & WMIDateStringToDate(objItem.LastLogonTime)
            WScript.Echo "LegacyDN: " & objItem.LegacyDN
            WScript.Echo "MailboxDisplayName: " & objItem.MailboxDisplayName
            WScript.Echo "MailboxGUID: " & objItem.MailboxGUID
            WScript.Echo "Name: " & objItem.Name
            WScript.Echo "ServerName: " & objItem.ServerName
            WScript.Echo "Size: " & objItem.Size
            WScript.Echo "Status: " & objItem.Status
            WScript.Echo "StorageGroupName: " & objItem.StorageGroupName
            WScript.Echo "StorageLimitInfo: " & objItem.StorageLimitInfo
            WScript.Echo "StoreName: " & objItem.StoreName
            WScript.Echo "TotalItems: " & objItem.TotalItems
            WScript.Echo
        Next
    Next
    
    
    Function WMIDateStringToDate(dtmDate)
    
        WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _ 
                Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) & " " & _  
                Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
    End Function

    Feel free to ping me if you do not understand anything or need some help.

  • Jive into Messaging world

    HOWTO: Programmatically enumerate permissions on Exchange 2003 Mailbox Store

    • 4 Comments

    This was a tough one and was lots of learning for me as well. Me and my colleague was working on a customer issue where his intentions were to list all the permissions on Exchange 2003 Mailbox Store. Of course one can go to Exchange System Manager (ESM), but considering an environment with 20+ Exchange server and over 100 Mailbox stores it could be a tedious task to satisfy the Auditing Team.

    Exchange Mailbox Store Permissions

    There are tools that can give you that information to some extend like, PFDavAdmin and DSACLS but the information provided with those tools are not good enough when it comes to auditing the permissions.

    I have come up with a sample script which uses CDOEXM to list down all the Mailbox Stores. CDOEXM is no good in giving you permissions on the store but you can get the distinguishedName for the store where actually the permissions are stored in AD

    The distinguishedName would be something similar to this

    CN=Mailbox Store (R2-A),CN=First Storage Group,CN=InformationStore,CN=R2-A,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso Exchange Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com

    You can map these permissions under ADSIEdit here

    image

    Using the script you can list the permissions in this format

    image

    Please find the script below and make sure you know what you are doing.

    This script should be run on an Exchange 2003 server since it uses CDOEXM. or atleast a machine where ESM is installed, do not copy-paste CDOEXM on another machine.

    '===================================================================
      ' DISCLAIMER:
      '-------------------------------------------------------------------
      '
      ' This sample is provided as is and is not meant for use on a
      ' production environment. It is provided only for illustrative
      ' purposes. The end user must test and modify the sample to suit
      ' their target environment.
      '
      ' Microsoft can make no representation concerning the content of
      ' this sample. Microsoft is providing this information only as a
      ' convenience to you. This is to inform you that Microsoft has not
      ' tested the sample and therefore cannot make any representations
      ' regarding the quality, safety, or suitability of any code or
      ' information found here.
      '
      '===================================================================
    
    '
    ' Define some constants:
    '
    '
    ' Define a ADS_RIGHTS_ENUM constants constants:
    '
      Const ADS_RIGHT_DELETE = &H10000
      Const ADS_RIGHT_READ_CONTROL = &H20000
      Const ADS_RIGHT_WRITE_DAC = &H40000
      Const ADS_RIGHT_WRITE_OWNER = &H80000
      Const ADS_RIGHT_SYNCHRONIZE = &H100000
      Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000
      Const ADS_RIGHT_GENERIC_READ = &H80000000
      Const ADS_RIGHT_GENERIC_WRITE = &H40000000
      Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
      Const ADS_RIGHT_GENERIC_ALL = &H10000000
      Const ADS_RIGHT_DS_CREATE_CHILD = &H1
      Const ADS_RIGHT_DS_DELETE_CHILD = &H2
      Const ADS_RIGHT_ACTRL_DS_LIST = &H4
      Const ADS_RIGHT_DS_SELF = &H8
      Const ADS_RIGHT_DS_READ_PROP = &H10
      Const ADS_RIGHT_DS_WRITE_PROP = &H20
      Const ADS_RIGHT_DS_DELETE_TREE = &H40
      Const ADS_RIGHT_DS_LIST_OBJECT = &H80
      Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' Ace Type definitions
    '
      Const ADS_ACETYPE_ACCESS_ALLOWED = 0
      Const ADS_ACETYPE_ACCESS_DENIED = &H1
      Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
      Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
      Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
      Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' Ace Flag Constants
    '
      Const ADS_ACEFLAG_UNKNOWN = &H1
      Const ADS_ACEFLAG_INHERIT_ACE = &H2
      Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4
      Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
      Const ADS_ACEFLAG_INHERITED_ACE = &H10
      Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1F
      Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
      Const ADS_ACEFLAG_FAILED_ACCESS = &H80
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ' Flags constants for AD objects
    '
      Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
      Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    
    
    
    
    Sub EnumStores(strServer)
    Dim objServer
    Dim objSG
    Dim objMSDB
    Dim iDS
    Dim storageGroup
    Dim MBX
    
    
    Set objServer = CreateObject("CDOEXM.ExchangeServer")
    Set objSG = CreateObject("CDOEXM.StorageGroup")
    Set objMSDB = CreateObject("CDOEXM.MailboxStoreDB")
    
    Set iDS = objServer.GetInterface("IDataSource")
    iDS.Open strServer
    
    For Each storageGroup In objServer.StorageGroups
        objSG.DataSource.Open storageGroup
        For Each MBX In objSG.MailboxStoreDBs
            objMSDB.DataSource.Open MBX
            wscript.echo "Permissions on : " & MBX
            ListPermissions objMSDB.Fields("adsPath").Value
        Next
    Next
    
    End Sub
    
    Sub ListPermissions(adspath)
    
    Dim objSecurityDescriptor
    Dim objDacl
    Dim oAce
    Dim objMailbox
        
    'Get target User object
    Set objMailbox = GetObject(adspath)
    Set objSecurityDescriptor = objMailbox.ntsecuritydescriptor   'Get the security descriptors for mailbox rights
    Set objDacl = objSecurityDescriptor.DiscretionaryAcl
        For Each oAce In objDacl
         If ((oAce.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = ADS_ACEFLAG_INHERITED_ACE) Then
             Select Case oAce.AceType
                Case ADS_ACETYPE_ACCESS_ALLOWED
                        If oAce.AccessMask = oAce.AccessMask = ADS_RIGHT_DELETE Or _
                        ADS_RIGHT_READ_CONTROL Or ADS_RIGHT_WRITE_DAC Or ADS_RIGHT_WRITE_OWNER Or _
                        ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD Or ADS_RIGHT_ACTRL_DS_LIST Or _
                        ADS_RIGHT_DS_SELF Or ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP Or _
                        ADS_RIGHT_DS_DELETE_TREE Or ADS_RIGHT_DS_LIST_OBJECT Or ADS_RIGHT_DS_CONTROL_ACCESS Then
                            wscript.echo "Trustee : " & oAce.Trustee
                            wscript.echo " Full Control => ACCESS_ALLOWED"
                                                '
                                        ' We have a implicit Deny ACE
                                '
                                                If oAce.ObjectType = "{AB721A56-1E2F-11D0-9819-00AA0040529B}" Then
                                                    wscript.echo " Receive As => ACCESS_ALLOwED"
                                                End If
                                        If oAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
                                                    wscript.echo " Send As => ACCESS_ALLOWED"
                                        End If
    
                        End If
                Case ADS_ACETYPE_ACCESS_DENIED
                        If oAce.AccessMask = oAce.AccessMask = ADS_RIGHT_DELETE Or _
                        ADS_RIGHT_READ_CONTROL Or ADS_RIGHT_WRITE_DAC Or ADS_RIGHT_WRITE_OWNER Or _
                        ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD Or ADS_RIGHT_ACTRL_DS_LIST Or _
                        ADS_RIGHT_DS_SELF Or ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP Or _
                        ADS_RIGHT_DS_DELETE_TREE Or ADS_RIGHT_DS_LIST_OBJECT Or ADS_RIGHT_DS_CONTROL_ACCESS Then
                            wscript.echo "Trustee : " & oAce.Trustee
                            wscript.echo " Full Control => ACCESS_DENIED"
                                                '
                                        ' We have a implicit Deny ACE
                                '
                                                If oAce.ObjectType = "{AB721A56-1E2F-11D0-9819-00AA0040529B}" Then
                                                    wscript.echo " Receive As => ACCESS_DENIED"
                                                End If
                                        If oAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
                                                    wscript.echo " Send As => ACCESS_DENIED"
                                        End If
    
                        End If
                        Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                            '
                        ' We have an object allowed ace
                        ' Does it apply to a property? or an Object?
                        '
                                If oAce.ObjectType = "{AB721A56-1E2F-11D0-9819-00AA0040529B}" Then
                            wscript.echo "Trustee : " & oAce.Trustee
                            wscript.echo " Receive As => ACCESS_ALLOWED_OBJECT"
                        End If
                                If oAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
                            wscript.echo "Trustee : " & oAce.Trustee
                                    wscript.echo " Send As => ACCESS_ALLOWED_OBJECT"
                                End If
                Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
                    '
                        ' We have a object Deny ace
                        '
                        If oAce.ObjectType = "{AB721A56-1E2F-11D0-9819-00AA0040529B}" Then
                                    wscript.echo "Trustee : " & oAce.Trustee
                                    wscript.echo " Receive As => ACCESS_DENIED_OBJECT"
                        End If
                                If oAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
                            wscript.echo "Trustee : " & oAce.Trustee
                                    wscript.echo " Send As => ACCESS_DENIED_OBJECT"
                                End If
                Case Else
                    '
                        ' Missed a bin?
                        '
            End Select
          Else
             '
             ' We have an Implicit ACE, lets put it the proper pool
             '
             Select Case oAce.AceType
                Case ADS_ACETYPE_ACCESS_ALLOWED
                    '
                        ' We have an implicit allow ace
                        '
                If oAce.ObjectType = "{AB721A56-1E2F-11D0-9819-00AA0040529B}" Then
                    wscript.echo "Trustee : " & oAce.Trustee
                    wscript.echo " Receive As => ACCESS_ALLOWED"
                End If
                If oAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
                    wscript.echo "Trustee : " & oAce.Trustee
                    wscript.echo " Send As => ACCESS_ALLOWED"
                End If
                Case ADS_ACETYPE_ACCESS_DENIED
                    '
                        ' We have a implicit Deny ACE
                        '
                If oAce.ObjectType = "{AB721A56-1E2F-11D0-9819-00AA0040529B}" Then
                    wscript.echo "Trustee : " & oAce.Trustee
                    wscript.echo " Receive As => ACCESS_DENIED"
                End If
                If oAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
                    wscript.echo "Trustee : " & oAce.Trustee
                    wscript.echo " Send As => ACCESS_DENIED"
                End If
                Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                    '
                        ' We have an object allowed ace
                        ' Does it apply to a property? or an Object?
                        '
                If oAce.ObjectType = "{AB721A56-1E2F-11D0-9819-00AA0040529B}" Then
                    wscript.echo "Trustee : " & oAce.Trustee
                    wscript.echo " Receive As => ACCESS_ALLOWED_OBJECT"
                End If
                If oAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
                    wscript.echo "Trustee : " & oAce.Trustee
                    wscript.echo " Send As => ACCESS_ALLOWED_OBJECT"
                End If
                Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
                    '
                        ' We have a object Deny ace
                        '
                If oAce.ObjectType = "{AB721A56-1E2F-11D0-9819-00AA0040529B}" Then
                    wscript.echo "Trustee : " & oAce.Trustee
                    wscript.echo " Receive As => ACCESS_DENIED_OBJECT"
                End If
                If oAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
                    wscript.echo "Trustee : " & oAce.Trustee
                    wscript.echo " Send As => ACCESS_DENIED_OBJECT"
                End If
                Case Else
                    '
                        ' Missed a bin?
                        '
            End Select
    End If
    
    Next
    End Sub
    
    
    EnumStores "Put Your Server Name Here"
Page 1 of 1 (2 items)