Posts

Showing posts from April, 2005

Reverse msExchMailboxSecurityDescriptor Permissions Audit script

There are a few places where you can assign mailbox rights with Exchange 2x. One of these is from Active Directory Users and Computers via the Mailbox Rights tab, which manipulates the msExchMailboxSecurityDescriptor Active Directory attribute. You can display who has access to a mailbox using a script which reads this attribute, and there is a good sample of doing this here. But if you want to go the other way, by displaying what mailboxes a particular user account has access to, this can be a little more challenging. Essentially you need to enumerate the msExchMailboxSecurityDescriptor of every account in your domain and then relate this data. Fortunately this is where ADO data shaping comes in real handy; I've used data shaping before here. Data shaping allows you to build hierarchical data structures, which in this case allows you to build a structure where the ACE objects (trustees) on each mailbox relate to the user account in Active Directory. So to put this together in a script you h...

ASP.NET and Exchange tips and samples

I've been writing some ASP.NET pages for my Exchange boxes at the moment, and although there is a lot of good information out there about ASP.NET, finding good information about using ASP.NET with Exchange can be a little challenging, so I thought I'd share some info and links that I found useful. For this post I'm looking at using NTLM authentication on a remote web server to access an Exchange 200x box on another server (if you're using Forms Based Authentication have a look at this). Authentication: this was one of the hardest things for me to get my head around coming from classic ASP. With "ASP.NET it provides an out-of-process execution model, which protects the server process from user code"; this provides a good primer on the ASP.NET process model. The important part of this is what account the ASP.NET process runs under. By default in IIS5 it runs under a local SAM account "ASPNET". On an IIS6 box (Win 2003) the ASP.NET process runs under the default Network Service (system account) account. This bec...

Querying the MicrosoftExchangeV2 namespace remotely in WMI without admin rights

A few people asked about this today so I thought I'd share this with everyone. By default the Exchange WMI namespace root/MicrosoftExchangeV2 is only queryable remotely by Administrators because of the default security that is applied to it. If you need to query this namespace and any of the classes within it remotely using a user other than an administrator, what you need to do is change the permissions on the root/MicrosoftExchangeV2 object so that this particular user has the Remote Enable right. This is a per-server thing, so it needs to be done on every server that you want these users to have this access to. Giving a user the Remote Enable right gives them the right to connect to the namespace and issue a query, but to actually return data from any of the classes like Exchange_Mailbox the user will still require View Only Exchange Admin rights. Before you make any changes you should consider the security implications around doing this (eg your server is now less secure than it was befor...

Assigning the open address list permission on an Address list with ADSI

Somebody asked me what the ACE access mask is for Open Address List on an address list object in Exchange. I thought this should be a relatively straightforward thing to find, but apparently not: although most of the other ADSI permission enums are documented and used a fair bit, this one seems to be a little neglected. There are some hidden gems in the Exchange SDK, but unless you know what you're looking at it's easy to look straight over them. The SDK gives us a create GAL sample using ADSI. Within this sample the following line gives the access mask and all the right settings needed to add an "open address list ACE": AddAce objCopyDACL, szUserGroup + "@" + szDomain, 256, 5, 2, 1, "{A1990816-4298-11D1-ADE2-00C04FD8D5CD}", 0 Unfortunately they haven't used a constant in this script to tell you what the 256 access mask means, but there is an easy way I use to work this out, which is basically to add a unique user to an address list and give it only the "Open address list" right...

Modify Public Folder custom attributes via script and .Net

Somebody asked today about a script to change the custom attributes of a public folder on Exchange 2x. I was surprised that I couldn't find any samples out there to do this (maybe I didn't look hard enough) so I thought I'd bolt one together. It's some pretty simple ADSI code: it just uses one LDAP filter to find the public folder's DN based on the public folder's email address (it's about the only real unique property you can search on) and then connects to the folder and makes the mod using ADSI. It's designed to run with two command-line parameters: the first is the email address of the public folder and the second is the value for the custom attribute. The script modifies extensionAttribute1 but it can be easily adapted to modify other attributes. I've also included a VB.NET sample that does the same thing using System.DirectoryServices just for fun. I've posted a downloadable copy of both samples here. The script looks like pfnamemail = wscript.arguments(0) customvalue...
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.