Skip to main content

Reporting on Meeting Delegate Forward Rules in Outlook

Somebody sparked my interest to this last week, one of the functions of Outlook is the ability to delegate your calendar and forward the meeting invitations you receive to another user. What Outlook does in the background is creates a rule in the inbox to forward any Calendar request messages to this delegate user. A problem can occur if this delegate user is deleted or disabled and the original user doesn’t modify or delete their delegate rules. In this case anyone sending this person a meeting invitation may suddenly start receiving NDR’s because the account the delegate rule is forwarding to no longer exists or is no longer accepting messages something like what described by KB253557

To detect and report on forwarding rules what you can use is CDO 1.2 and the rule.dll component which you can download from here . The rule.dll com object is good for creating rules but it can also be used to report on rules that already exist(a good thing to keep in mind is that this can’t be used to modify rules that it didn’t create eg because the delegate rule was created in Outlook the rule.dll component can not be used to modify this rule in any fashion).

So putting it all together I’ve come up with a script that will check all the users on a server to firstly see if they have a delegate forwarding rule enabled and then check each of the accounts the rule references to see if there is a valid mailbox for this address. So basically the first part of the script takes one commandline parameter which is the name of the server you want to run this against. The next part is a ADSI query the retrieves the names of all the mailboxes on that server that aren’t hidden from the global address list.. To determine if a rule is a delegate rule the rule action property is checked if the rule action is 7 this equates to ACTION_DELEGATE . Basically its the same as reading the rules tables and equating to the OP_DELEGATE action type. Once its determined that a delegate rule exists the recipients that the rule forwards to are then checked to see if they are valid by first converting the recipient.id that is returned by the rule component into a address object which will then return the ExchangeDN of the user object which can then be searched for in active directory by using the LegacyExchangeDN property. The result of all these queries are then echoed to the commandline and also saved in a CSV on the c: drive called MeetingDelgatesForwards.csv.

This script is designed to by run from the commandline (cscript) with the servername you want to run it against as a commandline parameter. Eg cscript chkdelv4.vbs servername. Because this script logs on to each mailbox to check if a delegate rule exists its needs to be run with an account that has full right to everyones mailbox as per KB821897

Remediation: At first I was going to add a remediation function to this script so it would automatically delete any rules that it found where invalid but I decided to stop at just reporting because it’s possible that in some cases remediation of this problem is a lot more complicated that can be handled automatically in a script. Eg its possible to have meeting requests forwarded to multiple delegates where there would be one rule with multiple address’s is the rules action argument is this case you can’t modify the rule because it can only be modified by the agent that created it (eg Outlook) and deleting the rule would cause lose of data and functionality. In the end the hard work is mostly in identifying the accounts that this might be an issue with and then you can use whatever tools you need to remediate the action.

I’ve put a downloadable copy of the script here the script itself looks like

servername = wscript.arguments(0)
PR_HAS_RULES = &H663A000B
PR_URL_NAME = &H6707001E
PR_CREATOR = &H3FF8001E
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\MeetingDelgatesForwards.csv",2,true)
wfile.writeline("Mailbox,ForwadingAddress,Status")
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
svcQuery = ">LDAP://" & strNameingContext & "<(&(objectCategory=msExchExchangeServer)(cn=" & Servername & "));cn,name,legacyExchangeDN;subtree"
Com.ActiveConnection = Conn
Com.CommandText = svcQuery
Set Rs = Com.Execute
while not rs.eof
GALQueryFilter = "(&(&(&(& (mailnickname=*)(!msExchHideFromAddressLists=TRUE)(| (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=" & rs.fields("legacyExchangeDN") & ")) )))))"
strQuery = ">LDAP://" & strDefaultNamingContext & "<" & GALQueryFilter & ";distinguishedName,mailnickname,mail;subtree"
com.Properties("Page Size") = 100
Com.CommandText = strQuery
Set Rs1 = Com.Execute
while not Rs1.eof
call procmailboxes(servername,rs1.fields("mail"))
wscript.echo rs1.fields("mail")
rs1.movenext
wend
rs.movenext
wend
rs.close
wfile.close
set fso = nothing
set conn = nothing
set com = nothing
wscript.echo "Done"




sub procmailboxes(servername,MailboxAlias)

Set msMapiSession = CreateObject("MAPI.Session")
on error Resume next
msMapiSession.Logon "","",False,True,True,True,Servername & vbLF & MailboxAlias
if err.number = 0 then
on error goto 0
Set mrMailboxRules = CreateObject("MSExchange.Rules")
mrMailboxRules.Folder = msMapiSession.Inbox
Wscript.echo "Checking For any Delegate forwarding Rules"
nfNonefound = 0
for Each roRule in mrMailboxRules
for each aoAction in roRule.actions
if aoAction.ActionType = 7 then
nfNonefound = 1
Wscript.echo "Delegate Rule found Forwards to"
for each aoAdressObject in aoAction.arg
Set objAddrEntry = msMapiSession.GetAddressEntry(aoAdressobject)
wscript.echo "Address = " & objAddrEntry.Address
if verifyaddress(objAddrEntry.Address) = 1 then
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Valid")
wscript.echo "Account okay"
else
wscript.echo "Account not valid"
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Invalid")
end if
next
end if
next
next
if nfNonefound = 0 then
wscript.echo "No Delegate forwarding rules found"
wfile.writeline(mailboxAlias & "," & "No Delegate forwarding rules found")
end if
else
Wscript.echo "Error Opening Mailbox"
wfile.writeline(mailboxAlias & "," & "Error Opening Mailbox")
end if
Set msMapiSession = Nothing
Set mrMailboxRules = Nothing

End Sub

function verifyaddress(exlegancydn)

vfQuery = ">LDAP://" & strDefaultNamingContext & "<(legacyExchangeDN=" & exlegancydn & ");name,distinguishedName;subtree"
Com.CommandText = vfQuery
Set Rschk = Com.Execute
aoAccountokay = 0
While Not Rschk.EOF
set objUser = getobject("LDAP://" & replace(rschk.fields("distinguishedName"),"/","\/"))
if objUser.AccountDisabled then
aoAccountokay = 0
else
aoAccountokay = 1
end if
rschk.movenext
wend
rschk.close
set rschk = nothing
set connchk = nothing
set comchk = nothing
verifyaddress = aoAccountokay

end function

Popular posts from this blog

The MailboxConcurrency limit and using Batching in the Microsoft Graph API

If your getting an error such as Application is over its MailboxConcurrency limit while using the Microsoft Graph API this post may help you understand why. Background   The Mailbox  concurrency limit when your using the Graph API is 4 as per https://docs.microsoft.com/en-us/graph/throttling#outlook-service-limits . This is evaluated for each app ID and mailbox combination so this means you can have different apps running under the same credentials and the poor behavior of one won't cause the other to be throttled. If you compared that to EWS you could have up to 27 concurrent connections but they are shared across all apps on a first come first served basis. Batching Batching in the Graph API is a way of combining multiple requests into a single HTTP request. Batching in the Exchange Mail API's EWS and MAPI has been around for a long time and its common, for email Apps to process large numbers of smaller items for a variety of reasons.  Batching in the Gr...

Sending a Message in Exchange Online via REST from an Arduino MKR1000

This is part 2 of my MKR1000 article, in this previous post  I looked at sending a Message via EWS using Basic Authentication.  In this Post I'll look at using the new Outlook REST API  which requires using OAuth authentication to get an Access Token. The prerequisites for this sketch are the same as in the other post with the addition of the ArduinoJson library  https://github.com/bblanchon/ArduinoJson  which is used to parse the Authentication Results to extract the Access Token. Also the SSL certificates for the login.windows.net  and outlook.office365.com need to be uploaded to the devices using the wifi101 Firmware updater. To use Token Authentication you need to register an Application in Azure https://msdn.microsoft.com/en-us/office/office365/howto/add-common-consent-manually  with the Mail.Send permission. The application should be a Native Client app that use the Out of Band Callback urn:ietf:wg:oauth:2.0:oob. You ...

How to test SMTP using Opportunistic TLS with Powershell and grab the public certificate a SMTP server is using

Most email services these day employ Opportunistic TLS when trying to send Messages which means that wherever possible the Messages will be encrypted rather then the plain text legacy of SMTP.  This method was defined in RFC 3207 "SMTP Service Extension for Secure SMTP over Transport Layer Security" and  there's a quite a good explanation of Opportunistic TLS on Wikipedia  https://en.wikipedia.org/wiki/Opportunistic_TLS .  This is used for both Server to Server (eg MTA to MTA) and Client to server (Eg a Message client like Outlook which acts as a MSA) the later being generally Authenticated. Basically it allows you to have a normal plain text SMTP conversation that is then upgraded to TLS using the STARTTLS verb. Not all servers will support this verb so if its not supported then a message is just sent as Plain text. TLS relies on PKI certificates and the administrative issue s that come around certificate management like expired certificates which is why ...
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.