Friday, December 02, 2005

Auditing Send-as and Receive As rights via script

A while ago I wrote this script to audit the Mailbox DACL in a reverse fashion so instead of the normal way where you would see these people have rights to this mailbox it did this person has rights to the following mailbox’s. The one thing this script didn’t check was for Send-as and receive-as rights. These particular rights are extended rights there a good description of what an extended right is here. The bit that is needed for this script is (quoted from that article)

“Extended rights are not defined by an access mask. Instead, each extended right is identified by a globally unique identifier (GUID). This GUID corresponds to a controlAccessRight object that is stored in the Extended-Rights container within a forest's Configuration container. An ACE that grants an extended right specifies a GUID corresponding to a particular controlAccessRight object.”

The ACE’s themselves that pertain to send-as and receive-as are added to the Active Directory User object Security descriptor and not the mailbox’s security descriptor (msExchMailboxSecurityDescriptor).
So adapting the script that is used before was pretty easy it’s a matter of changing it from checking the mailbox security descriptor via CDOEXM to just using ADSI to check the user’s security descriptor. Go though all the ACE’s on the DACL of that user and look for any GUID’s that match the send-as and receive as rights see this for a list of all the extended right’s GUIDS. Look for allows which have an AceFlags enum of 5 (6 is for deny) then using the same data-shaping logic I used previously display the result to the commandline.
I’ve put a download of this script here the script itself looks like

Set objSystemInfo = CreateObject("ADSystemInfo")
strdname = objSystemInfo.DomainShortName
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (|
(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))

))));samaccountname,displayname,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = Query
Com.Properties("Page Size") = 1000
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
" NEW adVarChar(255) AS UOADDisplayName, " & _
" NEW adVarChar(255) AS UOADTrusteeName, " & _
" ((SHAPE APPEND " & _
" NEW adVarChar(255) AS MRmbox, " & _
" NEW adVarChar(255) AS MRTrusteeName, " & _
" NEW adVarChar(255) AS MRRights, " & _
" NEW adVarChar(255) AS MRAceflags) " & _
" RELATE UOADTrusteeName TO MRTrusteeName) AS rsUOMR"
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1

Set Rs = Com.Execute
While Not Rs.EOF
dn = "LDAP://" & replace(rs.Fields("distinguishedName").Value,"/","\/")
set objuser = getobject(dn)
Set oSecurityDescriptor = objuser.Get("ntSecurityDescriptor")
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
objParentRS.addnew
objParentRS("UOADDisplayName") = rs.fields("displayname")
objParentRS("UOADTrusteeName") = strdname & "\" & rs.fields("samaccountname")
objParentRS.update
Set objChildRS = objParentRS("rsUOMR").Value
For Each ace In dacl
if lcase(ace.ObjectType) = "{ab721a54-1e2f-11d0-9819-00aa0040529b}" and
ace.AceType = 5 then
if ace.Trustee <> "NT AUTHORITY\SELF" and ace.AceFlags <> 6 then
objChildRS.addnew
objChildRS("MRmbox") = rs.fields("displayname")
objChildRS("MRTrusteeName") = ace.Trustee
objChildRS("MRRights") = "Send As"
objChildRS("MRAceflags") = ace.AceFlags
objChildRS.update
end if
end if
if lcase(ace.ObjectType) = "{ab721a56-1e2f-11d0-9819-00aa0040529b}" and
ace.AceType = 5 then
if ace.Trustee <> "NT AUTHORITY\SELF" and ace.AceFlags <> 6 then
objChildRS.addnew
objChildRS("MRmbox") = rs.fields("displayname")
objChildRS("MRTrusteeName") = ace.Trustee
objChildRS("MRRights") = "Recieve As"
objChildRS("MRAceflags") = ace.AceFlags
objChildRS.update
end if
end if
Next
rs.movenext
Wend
wscript.echo "Number of Mailboxes Checked " & objParentRS.recordcount
Wscript.echo
objParentRS.MoveFirst
Do While Not objParentRS.EOF
Set objChildRS = objParentRS("rsUOMR").Value
crec = 0
if objChildRS.recordcount <> 0 then wscript.echo objParentRS("UOADDisplayName")
Do While Not objChildRS.EOF
wscript.echo " " & objChildRS.fields("MRmbox")
wscript.echo " -" & objChildRS.fields("MRRights")
objChildRS.movenext
loop
objParentRS.MoveNext
loop

5 comments:

Anonymous said...

Thank you. I have been looking for some way to determine this setting on my domain.

Anonymous said...

Thank you very much for making this available. I needed something like this, but did not quite know where to start. You have saved me a lot of time, and the links provided will help me understand the background. Great!

Anonymous said...

How do i edit this to have the output in a file?


Thank you,

Glen said...

Have a look at the GUI script which allows export to CSV http://gsexdev.blogspot.com/2008/04/exchange-permission-and-reverse.html

Cheers
Glen

Anonymous said...

Great script. However, how can the printout of the script be reversed? First print the displayName of the mailbox and below the list of displayNames of the accounts that have Send As and Receive As permissions.