Somebody sparked my interest to this last week, one of the functions of Outlook is the ability to delegate your calendar and forward the meeting invitations you receive to another user. What Outlook does in the background is creates a rule in the inbox to forward any Calendar request messages to this delegate user. A problem can occur if this delegate user is deleted or disabled and the original user doesn’t modify or delete their delegate rules. In this case anyone sending this person a meeting invitation may suddenly start receiving NDR’s because the account the delegate rule is forwarding to no longer exists or is no longer accepting messages something like what described by KB253557
To detect and report on forwarding rules what you can use is CDO 1.2 and the rule.dll component which you can download from here . The rule.dll com object is good for creating rules but it can also be used to report on rules that already exist(a good thing to keep in mind is that this can’t be used to modify rules that it didn’t create eg because the delegate rule was created in Outlook the rule.dll component can not be used to modify this rule in any fashion).
So putting it all together I’ve come up with a script that will check all the users on a server to firstly see if they have a delegate forwarding rule enabled and then check each of the accounts the rule references to see if there is a valid mailbox for this address. So basically the first part of the script takes one commandline parameter which is the name of the server you want to run this against. The next part is a ADSI query the retrieves the names of all the mailboxes on that server that aren’t hidden from the global address list.. To determine if a rule is a delegate rule the rule action property is checked if the rule action is 7 this equates to ACTION_DELEGATE . Basically its the same as reading the rules tables and equating to the OP_DELEGATE action type. Once its determined that a delegate rule exists the recipients that the rule forwards to are then checked to see if they are valid by first converting the recipient.id that is returned by the rule component into a address object which will then return the ExchangeDN of the user object which can then be searched for in active directory by using the LegacyExchangeDN property. The result of all these queries are then echoed to the commandline and also saved in a CSV on the c: drive called MeetingDelgatesForwards.csv.
This script is designed to by run from the commandline (cscript) with the servername you want to run it against as a commandline parameter. Eg cscript chkdelv4.vbs servername. Because this script logs on to each mailbox to check if a delegate rule exists its needs to be run with an account that has full right to everyones mailbox as per KB821897
Remediation: At first I was going to add a remediation function to this script so it would automatically delete any rules that it found where invalid but I decided to stop at just reporting because it’s possible that in some cases remediation of this problem is a lot more complicated that can be handled automatically in a script. Eg its possible to have meeting requests forwarded to multiple delegates where there would be one rule with multiple address’s is the rules action argument is this case you can’t modify the rule because it can only be modified by the agent that created it (eg Outlook) and deleting the rule would cause lose of data and functionality. In the end the hard work is mostly in identifying the accounts that this might be an issue with and then you can use whatever tools you need to remediate the action.
I’ve put a downloadable copy of the script here the script itself looks like
servername = wscript.arguments(0)
PR_HAS_RULES = &H663A000B
PR_URL_NAME = &H6707001E
PR_CREATOR = &H3FF8001E
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\MeetingDelgatesForwards.csv",2,true)
wfile.writeline("Mailbox,ForwadingAddress,Status")
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
svcQuery = ">LDAP://" & strNameingContext & "<(&(objectCategory=msExchExchangeServer)(cn=" & Servername & "));cn,name,legacyExchangeDN;subtree"
Com.ActiveConnection = Conn
Com.CommandText = svcQuery
Set Rs = Com.Execute
while not rs.eof
GALQueryFilter = "(&(&(&(& (mailnickname=*)(!msExchHideFromAddressLists=TRUE)(| (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=" & rs.fields("legacyExchangeDN") & ")) )))))"
strQuery = ">LDAP://" & strDefaultNamingContext & "<" & GALQueryFilter & ";distinguishedName,mailnickname,mail;subtree"
com.Properties("Page Size") = 100
Com.CommandText = strQuery
Set Rs1 = Com.Execute
while not Rs1.eof
call procmailboxes(servername,rs1.fields("mail"))
wscript.echo rs1.fields("mail")
rs1.movenext
wend
rs.movenext
wend
rs.close
wfile.close
set fso = nothing
set conn = nothing
set com = nothing
wscript.echo "Done"
sub procmailboxes(servername,MailboxAlias)
Set msMapiSession = CreateObject("MAPI.Session")
on error Resume next
msMapiSession.Logon "","",False,True,True,True,Servername & vbLF & MailboxAlias
if err.number = 0 then
on error goto 0
Set mrMailboxRules = CreateObject("MSExchange.Rules")
mrMailboxRules.Folder = msMapiSession.Inbox
Wscript.echo "Checking For any Delegate forwarding Rules"
nfNonefound = 0
for Each roRule in mrMailboxRules
for each aoAction in roRule.actions
if aoAction.ActionType = 7 then
nfNonefound = 1
Wscript.echo "Delegate Rule found Forwards to"
for each aoAdressObject in aoAction.arg
Set objAddrEntry = msMapiSession.GetAddressEntry(aoAdressobject)
wscript.echo "Address = " & objAddrEntry.Address
if verifyaddress(objAddrEntry.Address) = 1 then
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Valid")
wscript.echo "Account okay"
else
wscript.echo "Account not valid"
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Invalid")
end if
next
end if
next
next
if nfNonefound = 0 then
wscript.echo "No Delegate forwarding rules found"
wfile.writeline(mailboxAlias & "," & "No Delegate forwarding rules found")
end if
else
Wscript.echo "Error Opening Mailbox"
wfile.writeline(mailboxAlias & "," & "Error Opening Mailbox")
end if
Set msMapiSession = Nothing
Set mrMailboxRules = Nothing
End Sub
function verifyaddress(exlegancydn)
vfQuery = ">LDAP://" & strDefaultNamingContext & "<(legacyExchangeDN=" & exlegancydn & ");name,distinguishedName;subtree"
Com.CommandText = vfQuery
Set Rschk = Com.Execute
aoAccountokay = 0
While Not Rschk.EOF
set objUser = getobject("LDAP://" & replace(rschk.fields("distinguishedName"),"/","\/"))
if objUser.AccountDisabled then
aoAccountokay = 0
else
aoAccountokay = 1
end if
rschk.movenext
wend
rschk.close
set rschk = nothing
set connchk = nothing
set comchk = nothing
verifyaddress = aoAccountokay
end function
To detect and report on forwarding rules what you can use is CDO 1.2 and the rule.dll component which you can download from here . The rule.dll com object is good for creating rules but it can also be used to report on rules that already exist(a good thing to keep in mind is that this can’t be used to modify rules that it didn’t create eg because the delegate rule was created in Outlook the rule.dll component can not be used to modify this rule in any fashion).
So putting it all together I’ve come up with a script that will check all the users on a server to firstly see if they have a delegate forwarding rule enabled and then check each of the accounts the rule references to see if there is a valid mailbox for this address. So basically the first part of the script takes one commandline parameter which is the name of the server you want to run this against. The next part is a ADSI query the retrieves the names of all the mailboxes on that server that aren’t hidden from the global address list.. To determine if a rule is a delegate rule the rule action property is checked if the rule action is 7 this equates to ACTION_DELEGATE . Basically its the same as reading the rules tables and equating to the OP_DELEGATE action type. Once its determined that a delegate rule exists the recipients that the rule forwards to are then checked to see if they are valid by first converting the recipient.id that is returned by the rule component into a address object which will then return the ExchangeDN of the user object which can then be searched for in active directory by using the LegacyExchangeDN property. The result of all these queries are then echoed to the commandline and also saved in a CSV on the c: drive called MeetingDelgatesForwards.csv.
This script is designed to by run from the commandline (cscript) with the servername you want to run it against as a commandline parameter. Eg cscript chkdelv4.vbs servername. Because this script logs on to each mailbox to check if a delegate rule exists its needs to be run with an account that has full right to everyones mailbox as per KB821897
Remediation: At first I was going to add a remediation function to this script so it would automatically delete any rules that it found where invalid but I decided to stop at just reporting because it’s possible that in some cases remediation of this problem is a lot more complicated that can be handled automatically in a script. Eg its possible to have meeting requests forwarded to multiple delegates where there would be one rule with multiple address’s is the rules action argument is this case you can’t modify the rule because it can only be modified by the agent that created it (eg Outlook) and deleting the rule would cause lose of data and functionality. In the end the hard work is mostly in identifying the accounts that this might be an issue with and then you can use whatever tools you need to remediate the action.
I’ve put a downloadable copy of the script here the script itself looks like
servername = wscript.arguments(0)
PR_HAS_RULES = &H663A000B
PR_URL_NAME = &H6707001E
PR_CREATOR = &H3FF8001E
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\MeetingDelgatesForwards.csv",2,true)
wfile.writeline("Mailbox,ForwadingAddress,Status")
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
svcQuery = ">LDAP://" & strNameingContext & "<(&(objectCategory=msExchExchangeServer)(cn=" & Servername & "));cn,name,legacyExchangeDN;subtree"
Com.ActiveConnection = Conn
Com.CommandText = svcQuery
Set Rs = Com.Execute
while not rs.eof
GALQueryFilter = "(&(&(&(& (mailnickname=*)(!msExchHideFromAddressLists=TRUE)(| (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=" & rs.fields("legacyExchangeDN") & ")) )))))"
strQuery = ">LDAP://" & strDefaultNamingContext & "<" & GALQueryFilter & ";distinguishedName,mailnickname,mail;subtree"
com.Properties("Page Size") = 100
Com.CommandText = strQuery
Set Rs1 = Com.Execute
while not Rs1.eof
call procmailboxes(servername,rs1.fields("mail"))
wscript.echo rs1.fields("mail")
rs1.movenext
wend
rs.movenext
wend
rs.close
wfile.close
set fso = nothing
set conn = nothing
set com = nothing
wscript.echo "Done"
sub procmailboxes(servername,MailboxAlias)
Set msMapiSession = CreateObject("MAPI.Session")
on error Resume next
msMapiSession.Logon "","",False,True,True,True,Servername & vbLF & MailboxAlias
if err.number = 0 then
on error goto 0
Set mrMailboxRules = CreateObject("MSExchange.Rules")
mrMailboxRules.Folder = msMapiSession.Inbox
Wscript.echo "Checking For any Delegate forwarding Rules"
nfNonefound = 0
for Each roRule in mrMailboxRules
for each aoAction in roRule.actions
if aoAction.ActionType = 7 then
nfNonefound = 1
Wscript.echo "Delegate Rule found Forwards to"
for each aoAdressObject in aoAction.arg
Set objAddrEntry = msMapiSession.GetAddressEntry(aoAdressobject)
wscript.echo "Address = " & objAddrEntry.Address
if verifyaddress(objAddrEntry.Address) = 1 then
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Valid")
wscript.echo "Account okay"
else
wscript.echo "Account not valid"
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Invalid")
end if
next
end if
next
next
if nfNonefound = 0 then
wscript.echo "No Delegate forwarding rules found"
wfile.writeline(mailboxAlias & "," & "No Delegate forwarding rules found")
end if
else
Wscript.echo "Error Opening Mailbox"
wfile.writeline(mailboxAlias & "," & "Error Opening Mailbox")
end if
Set msMapiSession = Nothing
Set mrMailboxRules = Nothing
End Sub
function verifyaddress(exlegancydn)
vfQuery = ">LDAP://" & strDefaultNamingContext & "<(legacyExchangeDN=" & exlegancydn & ");name,distinguishedName;subtree"
Com.CommandText = vfQuery
Set Rschk = Com.Execute
aoAccountokay = 0
While Not Rschk.EOF
set objUser = getobject("LDAP://" & replace(rschk.fields("distinguishedName"),"/","\/"))
if objUser.AccountDisabled then
aoAccountokay = 0
else
aoAccountokay = 1
end if
rschk.movenext
wend
rschk.close
set rschk = nothing
set connchk = nothing
set comchk = nothing
verifyaddress = aoAccountokay
end function