A while ago I wrote this script to audit the Mailbox DACL in a reverse fashion so instead of the normal way where you would see these people have rights to this mailbox it did this person has rights to the following mailbox’s. The one thing this script didn’t check was for Send-as and receive-as rights. These particular rights are extended rights there a good description of what an extended right is here. The bit that is needed for this script is (quoted from that article)
“Extended rights are not defined by an access mask. Instead, each extended right is identified by a globally unique identifier (GUID). This GUID corresponds to a controlAccessRight object that is stored in the Extended-Rights container within a forest's Configuration container. An ACE that grants an extended right specifies a GUID corresponding to a particular controlAccessRight object.”
The ACE’s themselves that pertain to send-as and receive-as are added to the Active Directory User object Security descriptor and not the mailbox’s security descriptor (msExchMailboxSecurityDescriptor).
So adapting the script that is used before was pretty easy it’s a matter of changing it from checking the mailbox security descriptor via CDOEXM to just using ADSI to check the user’s security descriptor. Go though all the ACE’s on the DACL of that user and look for any GUID’s that match the send-as and receive as rights see this for a list of all the extended right’s GUIDS. Look for allows which have an AceFlags enum of 5 (6 is for deny) then using the same data-shaping logic I used previously display the result to the commandline.
I’ve put a download of this script here the script itself looks like
Set objSystemInfo = CreateObject("ADSystemInfo")
strdname = objSystemInfo.DomainShortName
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (|
(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))
))));samaccountname,displayname,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = Query
Com.Properties("Page Size") = 1000
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
" NEW adVarChar(255) AS UOADDisplayName, " & _
" NEW adVarChar(255) AS UOADTrusteeName, " & _
" ((SHAPE APPEND " & _
" NEW adVarChar(255) AS MRmbox, " & _
" NEW adVarChar(255) AS MRTrusteeName, " & _
" NEW adVarChar(255) AS MRRights, " & _
" NEW adVarChar(255) AS MRAceflags) " & _
" RELATE UOADTrusteeName TO MRTrusteeName) AS rsUOMR"
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1
Set Rs = Com.Execute
While Not Rs.EOF
dn = "LDAP://" & replace(rs.Fields("distinguishedName").Value,"/","\/")
set objuser = getobject(dn)
Set oSecurityDescriptor = objuser.Get("ntSecurityDescriptor")
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
objParentRS.addnew
objParentRS("UOADDisplayName") = rs.fields("displayname")
objParentRS("UOADTrusteeName") = strdname & "\" & rs.fields("samaccountname")
objParentRS.update
Set objChildRS = objParentRS("rsUOMR").Value
For Each ace In dacl
if lcase(ace.ObjectType) = "{ab721a54-1e2f-11d0-9819-00aa0040529b}" and
ace.AceType = 5 then
if ace.Trustee <> "NT AUTHORITY\SELF" and ace.AceFlags <> 6 then
objChildRS.addnew
objChildRS("MRmbox") = rs.fields("displayname")
objChildRS("MRTrusteeName") = ace.Trustee
objChildRS("MRRights") = "Send As"
objChildRS("MRAceflags") = ace.AceFlags
objChildRS.update
end if
end if
if lcase(ace.ObjectType) = "{ab721a56-1e2f-11d0-9819-00aa0040529b}" and
ace.AceType = 5 then
if ace.Trustee <> "NT AUTHORITY\SELF" and ace.AceFlags <> 6 then
objChildRS.addnew
objChildRS("MRmbox") = rs.fields("displayname")
objChildRS("MRTrusteeName") = ace.Trustee
objChildRS("MRRights") = "Recieve As"
objChildRS("MRAceflags") = ace.AceFlags
objChildRS.update
end if
end if
Next
rs.movenext
Wend
wscript.echo "Number of Mailboxes Checked " & objParentRS.recordcount
Wscript.echo
objParentRS.MoveFirst
Do While Not objParentRS.EOF
Set objChildRS = objParentRS("rsUOMR").Value
crec = 0
if objChildRS.recordcount <> 0 then wscript.echo objParentRS("UOADDisplayName")
Do While Not objChildRS.EOF
wscript.echo " " & objChildRS.fields("MRmbox")
wscript.echo " -" & objChildRS.fields("MRRights")
objChildRS.movenext
loop
objParentRS.MoveNext
loop
“Extended rights are not defined by an access mask. Instead, each extended right is identified by a globally unique identifier (GUID). This GUID corresponds to a controlAccessRight object that is stored in the Extended-Rights container within a forest's Configuration container. An ACE that grants an extended right specifies a GUID corresponding to a particular controlAccessRight object.”
The ACE’s themselves that pertain to send-as and receive-as are added to the Active Directory User object Security descriptor and not the mailbox’s security descriptor (msExchMailboxSecurityDescriptor).
So adapting the script that is used before was pretty easy it’s a matter of changing it from checking the mailbox security descriptor via CDOEXM to just using ADSI to check the user’s security descriptor. Go though all the ACE’s on the DACL of that user and look for any GUID’s that match the send-as and receive as rights see this for a list of all the extended right’s GUIDS. Look for allows which have an AceFlags enum of 5 (6 is for deny) then using the same data-shaping logic I used previously display the result to the commandline.
I’ve put a download of this script here the script itself looks like
Set objSystemInfo = CreateObject("ADSystemInfo")
strdname = objSystemInfo.DomainShortName
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Query = "<LDAP://" & strNameingContext & ">;(&(&(& (mailnickname=*) (|
(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))
))));samaccountname,displayname,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = Query
Com.Properties("Page Size") = 1000
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
" NEW adVarChar(255) AS UOADDisplayName, " & _
" NEW adVarChar(255) AS UOADTrusteeName, " & _
" ((SHAPE APPEND " & _
" NEW adVarChar(255) AS MRmbox, " & _
" NEW adVarChar(255) AS MRTrusteeName, " & _
" NEW adVarChar(255) AS MRRights, " & _
" NEW adVarChar(255) AS MRAceflags) " & _
" RELATE UOADTrusteeName TO MRTrusteeName) AS rsUOMR"
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1
Set Rs = Com.Execute
While Not Rs.EOF
dn = "LDAP://" & replace(rs.Fields("distinguishedName").Value,"/","\/")
set objuser = getobject(dn)
Set oSecurityDescriptor = objuser.Get("ntSecurityDescriptor")
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
objParentRS.addnew
objParentRS("UOADDisplayName") = rs.fields("displayname")
objParentRS("UOADTrusteeName") = strdname & "\" & rs.fields("samaccountname")
objParentRS.update
Set objChildRS = objParentRS("rsUOMR").Value
For Each ace In dacl
if lcase(ace.ObjectType) = "{ab721a54-1e2f-11d0-9819-00aa0040529b}" and
ace.AceType = 5 then
if ace.Trustee <> "NT AUTHORITY\SELF" and ace.AceFlags <> 6 then
objChildRS.addnew
objChildRS("MRmbox") = rs.fields("displayname")
objChildRS("MRTrusteeName") = ace.Trustee
objChildRS("MRRights") = "Send As"
objChildRS("MRAceflags") = ace.AceFlags
objChildRS.update
end if
end if
if lcase(ace.ObjectType) = "{ab721a56-1e2f-11d0-9819-00aa0040529b}" and
ace.AceType = 5 then
if ace.Trustee <> "NT AUTHORITY\SELF" and ace.AceFlags <> 6 then
objChildRS.addnew
objChildRS("MRmbox") = rs.fields("displayname")
objChildRS("MRTrusteeName") = ace.Trustee
objChildRS("MRRights") = "Recieve As"
objChildRS("MRAceflags") = ace.AceFlags
objChildRS.update
end if
end if
Next
rs.movenext
Wend
wscript.echo "Number of Mailboxes Checked " & objParentRS.recordcount
Wscript.echo
objParentRS.MoveFirst
Do While Not objParentRS.EOF
Set objChildRS = objParentRS("rsUOMR").Value
crec = 0
if objChildRS.recordcount <> 0 then wscript.echo objParentRS("UOADDisplayName")
Do While Not objChildRS.EOF
wscript.echo " " & objChildRS.fields("MRmbox")
wscript.echo " -" & objChildRS.fields("MRRights")
objChildRS.movenext
loop
objParentRS.MoveNext
loop