When users are delegated exchange Administrator rights via Exchange System Manager’s delegation wizard these users are assigned specific rights depending on the role that is selected in Active Directory to Exchange objects that are in the configuration partition and the Exchange System objects container in the domain partition. If you want to show which users have been delegated rights via this method its a matter of checking the Access Control Entries in one of the DACL’s associated with one of these containers. Because these are defined roles the accessmask on the ACE will be consistent depending on the role you select. So after a little trial and error the following script can be used to check and display the users that have been assigned rights via the ESM delegation wizard. This script checks the root of the Exchange configuration container in the Active directory Configuration partition
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
sUserADsPath = "LDAP://CN=Microsoft Exchange,CN=Services," & strNameingContext
Set objadlist = GetObject(sUserADsPath)
Set oSecurityDescriptor = objadlist.Get("ntSecurityDescriptor")
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
For Each ace In dacl
if ace.AceFlags = 2 then
select case ace.AccessMask
case 131220 Wscript.echo ace.Trustee & " Exchange View Only Adiministrator"
case 197119 Wscript.echo ace.Trustee & " Exchange Administrator"
case 983551 Wscript.echo ace.Trustee & " Exchange Full Administrator"
wscript.echo "Done viewing descriptor"