Wednesday, August 30, 2006

Active Directory to hCard Web Service

I’ve been playing around further with microformats this week and I decided to come up with something practical I could use to transfer contact information between apps. As a starting point because most of my contact information is stored in active directory I wanted something that would be able to convert an Active Directory user object into a hCard contact. As a conduit I decided to go with a WebService as this was something that could be easily integrated into everything from a script to a fully blown windows application. There are some good tools already out there that can deal with the information once its in hCard form like Tails for Firefox or Technorati Contacts Feed Service .

The webservice itself is pretty basic it takes the useraccount name as an input parameter for which account you want to convert and then it returns a XML document that contains the user account information that has been extracted from various active directory attributes using the System.directoryservice namespace and then formatted as a hcard using the XMLtextwriter. Because the hcard format is based on the vcard format matching the information from AD wasn’t that hard (although a little time consuming) the only thing that took at little time to work out was mapping the office attribute to the extended-address.

What can you do with hcard’s probably the one of the best examples at the moment in the Live clipboard. Its still an emerging standard but the coolest thing about it is once you have the contact information in a hcard format its very easy to work with as compared to a standard vcard.

I put a downloadable copy of the code here the code itself looks like


using System;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.DirectoryServices;
using System.Xml;
using System.IO;

[WebService(Namespace = "http://msgdev.mvps.org/ADhCardv2/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class Service : System.Web.Services.WebService
{
public Service () {

//Uncomment the following line if using designed components
//InitializeComponent();
}
public SearchResult GetADAccount(string snSamaccountname)
{

SearchResult srSearchResult;
DirectorySearcher dsDirectorySearcher = new DirectorySearcher();
string roRootDSE = dsDirectorySearcher.SearchRoot.Path;
DirectoryEntry deDirectoryEntry = new DirectoryEntry(roRootDSE);
dsDirectorySearcher.SearchScope = SearchScope.Subtree;
dsDirectorySearcher.Filter = "(sAMAccountName=" + snSamaccountname + ")";
dsDirectorySearcher.PropertiesToLoad.Add("co");
dsDirectorySearcher.PropertiesToLoad.Add("company");
dsDirectorySearcher.PropertiesToLoad.Add("displayName");
dsDirectorySearcher.PropertiesToLoad.Add("department");
dsDirectorySearcher.PropertiesToLoad.Add("distinguishedName");
dsDirectorySearcher.PropertiesToLoad.Add("description");
dsDirectorySearcher.PropertiesToLoad.Add("facsimileTelephoneNumber");
dsDirectorySearcher.PropertiesToLoad.Add("givenName");
dsDirectorySearcher.PropertiesToLoad.Add("homePhone");
dsDirectorySearcher.PropertiesToLoad.Add("info");
dsDirectorySearcher.PropertiesToLoad.Add("initials");
dsDirectorySearcher.PropertiesToLoad.Add("l");
dsDirectorySearcher.PropertiesToLoad.Add("mail");
dsDirectorySearcher.PropertiesToLoad.Add("middleName");
dsDirectorySearcher.PropertiesToLoad.Add("mobile");
dsDirectorySearcher.PropertiesToLoad.Add("name");
dsDirectorySearcher.PropertiesToLoad.Add("physicalDeliveryOfficeName");
dsDirectorySearcher.PropertiesToLoad.Add("postalCode");
dsDirectorySearcher.PropertiesToLoad.Add("postOfficeBox");
dsDirectorySearcher.PropertiesToLoad.Add("pager");
dsDirectorySearcher.PropertiesToLoad.Add("sn");
dsDirectorySearcher.PropertiesToLoad.Add("st");
dsDirectorySearcher.PropertiesToLoad.Add("streetAddress");
dsDirectorySearcher.PropertiesToLoad.Add("telephoneNumber");
dsDirectorySearcher.PropertiesToLoad.Add("title");
dsDirectorySearcher.PropertiesToLoad.Add("wWWHomePage");
srSearchResult = dsDirectorySearcher.FindOne();
return srSearchResult;
}
public XmlDocument CreatehCard(SearchResult srSearchResult)
{
string fnFirstname = "";
string snSurname = "";
string mnMiddleName = "";
string wwURLwebsite = "";
string emEmailAddress = "";
string hpHomephone = "";
string mpMobilephone = "";
string bpBusinessphone = "";
string saStreetAddress = "";
string pbPostofficeBox = "";
string stState = "";
string sbSuburb = "";
string cnCountry = "";
string pcPostcode = "";
string fnFaxNumber = "";
string tnTitle = "";
string cncompanyName = "";
string dnDepartmentName = "";
string noNote = "";
string eaExtendedAddress = "";


if (srSearchResult.Properties.Contains("givenName")) { fnFirstname = (string)srSearchResult.Properties["givenName"][0]; }
if (srSearchResult.Properties.Contains("sn")) { snSurname = (string)srSearchResult.Properties["sn"][0]; }
if (srSearchResult.Properties.Contains("middleName")) { mnMiddleName = (string)srSearchResult.Properties["middleName"][0]; }
if (srSearchResult.Properties.Contains("wWWHomePage")) { wwURLwebsite = (string)srSearchResult.Properties["wWWHomePage"][0]; }
if (srSearchResult.Properties.Contains("homePhone")) { hpHomephone = (string)srSearchResult.Properties["homePhone"][0]; }
if (srSearchResult.Properties.Contains("mobile")) { mpMobilephone = (string)srSearchResult.Properties["mobile"][0]; }
if (srSearchResult.Properties.Contains("telephoneNumber")) { bpBusinessphone = (string)srSearchResult.Properties["telephoneNumber"][0]; }
if (srSearchResult.Properties.Contains("mail")) { emEmailAddress = (string)srSearchResult.Properties["mail"][0]; }
if (srSearchResult.Properties.Contains("l")) { sbSuburb = (string)srSearchResult.Properties["l"][0]; }
if (srSearchResult.Properties.Contains("postalCode")) { pcPostcode = (string)srSearchResult.Properties["postalCode"][0]; }
if (srSearchResult.Properties.Contains("streetAddress")) { saStreetAddress = (string)srSearchResult.Properties["streetAddress"][0]; }
if (srSearchResult.Properties.Contains("co")) { cnCountry = (string)srSearchResult.Properties["co"][0]; }
if (srSearchResult.Properties.Contains("st")) { stState = (string)srSearchResult.Properties["st"][0]; }
if (srSearchResult.Properties.Contains("facsimileTelephoneNumber")) { fnFaxNumber = (string)srSearchResult.Properties["facsimileTelephoneNumber"][0]; }
if (srSearchResult.Properties.Contains("postOfficeBox")) { pbPostofficeBox = (string)srSearchResult.Properties["postOfficeBox"][0]; }
if (srSearchResult.Properties.Contains("title")) { tnTitle = (string)srSearchResult.Properties["title"][0]; }
if (srSearchResult.Properties.Contains("company")) { cncompanyName = (string)srSearchResult.Properties["company"][0]; }
if (srSearchResult.Properties.Contains("department")) { dnDepartmentName = (string)srSearchResult.Properties["department"][0]; }
if (srSearchResult.Properties.Contains("description")) { noNote = (string)srSearchResult.Properties["description"][0]; }
if (srSearchResult.Properties.Contains("physicalDeliveryOfficeName")) { eaExtendedAddress = (string)srSearchResult.Properties["physicalDeliveryOfficeName"][0]; }

XmlDocument hcHcardDocuemnt = new XmlDocument();
StringWriter xsXmlString = new StringWriter();
XmlWriter xrXmlWritter = new XmlTextWriter(xsXmlString);
// write Div
xrXmlWritter.WriteStartDocument();
xrXmlWritter.WriteStartElement("div");
xrXmlWritter.WriteAttributeString("class", "vcard");

//Name Element
xrXmlWritter.WriteStartElement("a");
xrXmlWritter.WriteAttributeString("class","url fn n");
xrXmlWritter.WriteAttributeString("href", wwURLwebsite);
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "given-name");
xrXmlWritter.WriteValue(fnFirstname);
xrXmlWritter.WriteEndElement();
if (mnMiddleName != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "additional-name");
xrXmlWritter.WriteValue(mnMiddleName);
xrXmlWritter.WriteEndElement();
}
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "family-name");
xrXmlWritter.WriteValue(snSurname);
xrXmlWritter.WriteEndElement();
// End Name element
// Email Element Start
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteStartElement("a");
xrXmlWritter.WriteAttributeString("class", "email fn");
xrXmlWritter.WriteAttributeString("href","mailto:" + emEmailAddress);
xrXmlWritter.WriteValue(fnFirstname + " " + snSurname);
xrXmlWritter.WriteEndElement();
if (bpBusinessphone != "")
{
//Primary Telephone Element
xrXmlWritter.WriteStartElement("div");
xrXmlWritter.WriteAttributeString("class", "tel");
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "value");
xrXmlWritter.WriteValue(bpBusinessphone);
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteStartElement("abbr");
xrXmlWritter.WriteAttributeString("class", "type");
xrXmlWritter.WriteAttributeString("title", "work");
xrXmlWritter.WriteValue("business");
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteEndElement();
}
//Home Telephone Elemenet
if (hpHomephone != "")
{
xrXmlWritter.WriteStartElement("div");
xrXmlWritter.WriteAttributeString("class", "tel");
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "value");
xrXmlWritter.WriteValue(hpHomephone);
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteStartElement("abbr");
xrXmlWritter.WriteAttributeString("class", "type");
xrXmlWritter.WriteAttributeString("title", "home");
xrXmlWritter.WriteValue("home");
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteEndElement();
}
//Mobile Phone Elemenet
if (mpMobilephone != "")
{
xrXmlWritter.WriteStartElement("div");
xrXmlWritter.WriteAttributeString("class", "tel");
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "value");
xrXmlWritter.WriteValue(mpMobilephone);
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteStartElement("abbr");
xrXmlWritter.WriteAttributeString("class", "type");
xrXmlWritter.WriteAttributeString("title", "cell");
xrXmlWritter.WriteValue("cell");
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteEndElement();
}
//Fax Elemenet
if (fnFaxNumber != "")
{
xrXmlWritter.WriteStartElement("div");
xrXmlWritter.WriteAttributeString("class", "tel");
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "value");
xrXmlWritter.WriteValue(fnFaxNumber);
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteStartElement("abbr");
xrXmlWritter.WriteAttributeString("class", "type");
xrXmlWritter.WriteAttributeString("title", "fax");
xrXmlWritter.WriteValue("fax");
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteEndElement();
}
// Address Element
xrXmlWritter.WriteStartElement("div");
xrXmlWritter.WriteAttributeString("class", "adr");
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "type");
xrXmlWritter.WriteValue("work");
xrXmlWritter.WriteEndElement();
if (pbPostofficeBox != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "post-office-box");
xrXmlWritter.WriteString(pbPostofficeBox);
xrXmlWritter.WriteEndElement();
}
if (eaExtendedAddress != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "extended-address");
xrXmlWritter.WriteString(eaExtendedAddress);
xrXmlWritter.WriteEndElement();
}
if (saStreetAddress != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "street-address");
xrXmlWritter.WriteString(saStreetAddress);
xrXmlWritter.WriteEndElement();
}
if (sbSuburb != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "locality");
xrXmlWritter.WriteString(sbSuburb);
xrXmlWritter.WriteEndElement();
}
if (stState != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "region");
xrXmlWritter.WriteString(stState);
xrXmlWritter.WriteEndElement();
}
if (cnCountry != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "country-name");
xrXmlWritter.WriteString(cnCountry);
xrXmlWritter.WriteEndElement();
}
if (pcPostcode != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "postal-code");
xrXmlWritter.WriteString(pcPostcode);
xrXmlWritter.WriteEndElement();
}
xrXmlWritter.WriteEndElement();
//End Address Element
//Title Element
if (tnTitle != "")
{
xrXmlWritter.WriteStartElement("div");
xrXmlWritter.WriteAttributeString("class", "title");
xrXmlWritter.WriteString(tnTitle);
xrXmlWritter.WriteEndElement();
}
// OrgElement
if (cncompanyName != "" | dnDepartmentName != "") {
xrXmlWritter.WriteStartElement("div");
xrXmlWritter.WriteAttributeString("class", "org");
if (cncompanyName != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "organization-name");
xrXmlWritter.WriteString(cncompanyName);
xrXmlWritter.WriteEndElement();
}
if (dnDepartmentName != "")
{
xrXmlWritter.WriteStartElement("span");
xrXmlWritter.WriteAttributeString("class", "organization-unit");
xrXmlWritter.WriteString(dnDepartmentName);
xrXmlWritter.WriteEndElement();
}
xrXmlWritter.WriteEndElement();
}
if (noNote != "") {
xrXmlWritter.WriteStartElement("div");
xrXmlWritter.WriteAttributeString("class", "note");
xrXmlWritter.WriteString(noNote);
xrXmlWritter.WriteEndElement();
}
// Div vcard End element
xrXmlWritter.WriteEndElement();
xrXmlWritter.WriteEndDocument();
// Load and Return a XML Document
hcHcardDocuemnt.LoadXml(xsXmlString.ToString());
return hcHcardDocuemnt;

}

[WebMethod]
public XmlDocument GethCard(string snSamaccountname)
{
XmlDocument xrXmldocresult;
try
{
SearchResult srSearchResult = this.GetADAccount(snSamaccountname);
if (srSearchResult != null) { xrXmldocresult = this.CreatehCard(srSearchResult); }
else
{
xrXmldocresult = new XmlDocument();
XmlElement xeFirstDivElement = xrXmldocresult.CreateElement("div");
xeFirstDivElement.InnerText = "Active Directory Account not Found";
xrXmldocresult.AppendChild(xeFirstDivElement);
}
}
catch(Exception e) {
xrXmldocresult = new XmlDocument();
XmlElement xeFirstDivElement = xrXmldocresult.CreateElement("ErrorOccured");
xeFirstDivElement.InnerText = e.Message.ToString();
xrXmldocresult.AppendChild(xeFirstDivElement);
XmlElement xeFirstDivElement1 = xrXmldocresult.CreateElement("ErrorLineNumber");
xeFirstDivElement1.InnerText = e.Source.ToString();
xrXmldocresult.AppendChild(xeFirstDivElement1);
}
return xrXmldocresult;
;

}

}

Thursday, August 24, 2006

Creating a portable calendar RSS feed for Exchange with SSE extensions – version 0.5

A few years ago I came up with this simple RSS feed for a Exchange calendar that used an Exchange store event sink to generate a feed of calendar items for a certain number of days. This was a fun thing to do at the time maybe not that useful at the end of the day because it lacks the ability to be able to integrate it into anything really live. The other day someone asked me about SSE which is “The objective of Simple Sharing Extensions (SSE) is to define the minimum extensions necessary to enable loosely-cooperating apps”. Put basically its about creating wiring or a method that will allow too endpoints (whatever they are) to exchange and share data easily. For example you could syndicate your family’s calendars so In Outlook you would have side-by-side or maybe in a different calendar appointments from family members etc that you subscribed to via a normal RSS feed you can then syndicate this information to other people in a combined RSS etc. Now that sounds really simple by like most things in life well …. . Putting everything else aside for a moment there are some very cool technologies coming online that are going to facilitate all this microformats is a good example where they have evolved the ical format into hcalendar.

This really got me thinking about how to make an exchange calendar portable currently a calendar sitting inside a Exchange Database can present some challenges to anybody wanting to take it and synchronize it with another end point. But there are a few cool bits and pieces in the existing Exchange API’s that can help aid this. For instance if you look at the stream of an appointment item with CDOEX or WebDAV you can retrieve the vCalendar message part of the item which basically contains enough information to recreate that appointment on another device or calendar. (with the notable exception of some MAPI properties). The other thing that is in the current exchange API which is useful for this type of project is WebDAV replication. WebDAV replication is a replication mechanism to synchronize changes against a defined collection have a look at this for more detail.

As a starting point feed what I decided to try and do was create a RSS feed that represented the items in a Exchange Calendar. Now because an appointment can be reoccurring and have exceptions this can start to become a little cloudy and complicated. One assumption that this feed makes is that there will be enough information in the Rrule and ExRule of the master instance of the appointment to reconstruct all the appointments (one problem is that Exchange doesn’t seem to follow the spec in regards to the ExRule so I although the RRule did work okay the EXrule didn’t seem to work at all). The other thing I did with this feed is that I haven’t included a time windows so it’s a raw output of all the items that are in the calendar. There where a couple of reasons for this one is that with WebDAV replication you have to specify a query that represents that collection you’re replicating. If you start modifying the dates of this query you’re using this makes the collblob you have invalid and you start the replication from scratch each time. The other problem is that if you try to time limit the query you need to start worrying about expanding reoccurring appointments etc. So the method I used was a little simpler in that the collection I used excludes any expanded items and only includes master instances of recurring appointments and the normal appointment objects the downside of this is that you get every object which includes those appointments from the past. On a calendar with a lot of appointments this could make the feed file quite large.

Because this feed is designed to sync an exchange calendar most probably with another exchange calendar I decided to create my own namespace to use in the RSS feed file. Extendeding RSS is pretty easy this is basically what the SSE spec does as well but I’ve just create a new namespace so I could firstly store the colbbloob and some other information such as the StoreEntryID of the object. The information I think will come in handy when you go to recreate the object in the exchange store or you are working on conflict resolution. For a description of the namespace I created and what the properties do and are for I’ve put up a quick namespace definition here .

The feed itself essentially contains the Vcalendar message part of the appointment in an Exchange calendar contained as a CDATA part of the description element of an item in the RSS feed. Using the CDATA part means the Vcalendar part can be stored “as is” in the feed file which means that it should be able to be used at the other end without any problems. This is where the hcalender spec would could in handy because it defines a proper XML spec for the ical information one reason for not using it that it would have required extra code to do the translation. I hope to do this in a future version though (sometime).

To incorporate the SSE spec from Microsoft I’ve included the SSE namespace declarations at the start of the RSS feeds as well as the required version tag. As at the time of writing the version of the SSE spec I used was .91 I expect this would change and make this whole thing completely invalid (hey you’ve got love technology). The main SSE changes are implemented within the item element where the sx:sync and sx:history elements are used to track the version on the calendar appointment and its change history. I’ve used the storeEntryID as the sync ID as this should be unique across any store this appointment is replicated to and can also be usefully for locating the appointment or resolving conflicts as needed. The other change tracking elements are added as per the existing .91 spec where delete items are represented by setting the deteleted attribute to true and maintaining the tombstone. The only thing I did with the delete function in the code is that I make it also remove the Vcalendar message part from the description element this was mainly to conserve space with the feed itself. One part of the SSE spec that is not implemented in the code is conflict resolution this is something that really needs to be done later by the agents that may be reading this feeds and incorporating the change into a calendar and I haven’t really gotten that far yet so this is a to do. A sample of what the feed it produces looks like is here.

What doesn’t work: Well exceptions to recurring appointments pulling the VCalendar body part from the Exchange store is a great way to say time in the code but because of the intricacies of MAPI the accuracy of this method doesn’t really seem to be there this means I really need to change the method Im using for the next version of this although I still think webdav replication will still be a good method of tracking changes on a collection.

Where to next after the things I’ve learned while writing this script I really think I need to change track. Firstly going from ical to hcalendar would make this thing a lot more functional when it comes to integrating into non exchange end points (eg Sunbird/lightning etc). Also going to a time windowed feed and writing a proper Mapi to hcalander library is really needed to do this properly. So this means its time to ditch the script and write some proper class libraries.

To run this code because it uses WebDAV replication you need to schedule it to run at regular intervals to check for updates. The flow of the code is such when it’s first runs it checks to see if the feed file exists and if it does it opens the file and retrieves the collblob from the file. If the file doesn’t exist then it creates the file and does a query with a blank collblob this will return all items in the collection. The DAV:href returned by the replication query is used to get the stream of each of the items in the collection and create a corresponding item in the xml feed. When the file does exist and there is a current collblob it makes a query with that blob which the retireves the manifest of changes. The logic in the script then processes this as changes, deletes or additions. As the GUID I’ve used the repl-uid which allows the location in the feed of any item that gets changed in the replication manifest.

Well that’s about it this is still very much a work in progress and at the moment I’m more inclined as I said to start developing the hcalendar side of this process rather then the agent that would make it useful in synchronization. I posted a downloadable copy of the code I talked about here there’s a FBA and non FBA version depending on what authentication you running on you server the variables in the top of the code you need to fill in are pretty self explanatory. I wont post the code itself because it just too large.

Tuesday, August 15, 2006

Reporting on Meeting Delegate Forward Rules in Outlook

Somebody sparked my interest to this last week, one of the functions of Outlook is the ability to delegate your calendar and forward the meeting invitations you receive to another user. What Outlook does in the background is creates a rule in the inbox to forward any Calendar request messages to this delegate user. A problem can occur if this delegate user is deleted or disabled and the original user doesn’t modify or delete their delegate rules. In this case anyone sending this person a meeting invitation may suddenly start receiving NDR’s because the account the delegate rule is forwarding to no longer exists or is no longer accepting messages something like what described by KB253557

To detect and report on forwarding rules what you can use is CDO 1.2 and the rule.dll component which you can download from here . The rule.dll com object is good for creating rules but it can also be used to report on rules that already exist(a good thing to keep in mind is that this can’t be used to modify rules that it didn’t create eg because the delegate rule was created in Outlook the rule.dll component can not be used to modify this rule in any fashion).

So putting it all together I’ve come up with a script that will check all the users on a server to firstly see if they have a delegate forwarding rule enabled and then check each of the accounts the rule references to see if there is a valid mailbox for this address. So basically the first part of the script takes one commandline parameter which is the name of the server you want to run this against. The next part is a ADSI query the retrieves the names of all the mailboxes on that server that aren’t hidden from the global address list.. To determine if a rule is a delegate rule the rule action property is checked if the rule action is 7 this equates to ACTION_DELEGATE . Basically its the same as reading the rules tables and equating to the OP_DELEGATE action type. Once its determined that a delegate rule exists the recipients that the rule forwards to are then checked to see if they are valid by first converting the recipient.id that is returned by the rule component into a address object which will then return the ExchangeDN of the user object which can then be searched for in active directory by using the LegacyExchangeDN property. The result of all these queries are then echoed to the commandline and also saved in a CSV on the c: drive called MeetingDelgatesForwards.csv.

This script is designed to by run from the commandline (cscript) with the servername you want to run it against as a commandline parameter. Eg cscript chkdelv4.vbs servername. Because this script logs on to each mailbox to check if a delegate rule exists its needs to be run with an account that has full right to everyones mailbox as per KB821897

Remediation: At first I was going to add a remediation function to this script so it would automatically delete any rules that it found where invalid but I decided to stop at just reporting because it’s possible that in some cases remediation of this problem is a lot more complicated that can be handled automatically in a script. Eg its possible to have meeting requests forwarded to multiple delegates where there would be one rule with multiple address’s is the rules action argument is this case you can’t modify the rule because it can only be modified by the agent that created it (eg Outlook) and deleting the rule would cause lose of data and functionality. In the end the hard work is mostly in identifying the accounts that this might be an issue with and then you can use whatever tools you need to remediate the action.

I’ve put a downloadable copy of the script here the script itself looks like

servername = wscript.arguments(0)
PR_HAS_RULES = &H663A000B
PR_URL_NAME = &H6707001E
PR_CREATOR = &H3FF8001E
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\MeetingDelgatesForwards.csv",2,true)
wfile.writeline("Mailbox,ForwadingAddress,Status")
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
svcQuery = ">LDAP://" & strNameingContext & "<(&(objectCategory=msExchExchangeServer)(cn=" & Servername & "));cn,name,legacyExchangeDN;subtree"
Com.ActiveConnection = Conn
Com.CommandText = svcQuery
Set Rs = Com.Execute
while not rs.eof
GALQueryFilter = "(&(&(&(& (mailnickname=*)(!msExchHideFromAddressLists=TRUE)(| (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=" & rs.fields("legacyExchangeDN") & ")) )))))"
strQuery = ">LDAP://" & strDefaultNamingContext & "<" & GALQueryFilter & ";distinguishedName,mailnickname,mail;subtree"
com.Properties("Page Size") = 100
Com.CommandText = strQuery
Set Rs1 = Com.Execute
while not Rs1.eof
call procmailboxes(servername,rs1.fields("mail"))
wscript.echo rs1.fields("mail")
rs1.movenext
wend
rs.movenext
wend
rs.close
wfile.close
set fso = nothing
set conn = nothing
set com = nothing
wscript.echo "Done"




sub procmailboxes(servername,MailboxAlias)

Set msMapiSession = CreateObject("MAPI.Session")
on error Resume next
msMapiSession.Logon "","",False,True,True,True,Servername & vbLF & MailboxAlias
if err.number = 0 then
on error goto 0
Set mrMailboxRules = CreateObject("MSExchange.Rules")
mrMailboxRules.Folder = msMapiSession.Inbox
Wscript.echo "Checking For any Delegate forwarding Rules"
nfNonefound = 0
for Each roRule in mrMailboxRules
for each aoAction in roRule.actions
if aoAction.ActionType = 7 then
nfNonefound = 1
Wscript.echo "Delegate Rule found Forwards to"
for each aoAdressObject in aoAction.arg
Set objAddrEntry = msMapiSession.GetAddressEntry(aoAdressobject)
wscript.echo "Address = " & objAddrEntry.Address
if verifyaddress(objAddrEntry.Address) = 1 then
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Valid")
wscript.echo "Account okay"
else
wscript.echo "Account not valid"
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Invalid")
end if
next
end if
next
next
if nfNonefound = 0 then
wscript.echo "No Delegate forwarding rules found"
wfile.writeline(mailboxAlias & "," & "No Delegate forwarding rules found")
end if
else
Wscript.echo "Error Opening Mailbox"
wfile.writeline(mailboxAlias & "," & "Error Opening Mailbox")
end if
Set msMapiSession = Nothing
Set mrMailboxRules = Nothing

End Sub

function verifyaddress(exlegancydn)

vfQuery = ">LDAP://" & strDefaultNamingContext & "<(legacyExchangeDN=" & exlegancydn & ");name,distinguishedName;subtree"
Com.CommandText = vfQuery
Set Rschk = Com.Execute
aoAccountokay = 0
While Not Rschk.EOF
set objUser = getobject("LDAP://" & replace(rschk.fields("distinguishedName"),"/","\/"))
if objUser.AccountDisabled then
aoAccountokay = 0
else
aoAccountokay = 1
end if
rschk.movenext
wend
rschk.close
set rschk = nothing
set connchk = nothing
set comchk = nothing
verifyaddress = aoAccountokay

end function

Friday, August 04, 2006

Reporting on what System Policies are applied via a script

Someone asked me about auditing System polices today I’m not a big user of these myself but a lot of the routines I’ve used before in scripts posted to this blog can be applied to get this information. In Exchange 2003 there are three system polices for Mailbox Stores, Public Folders and Servers. Exchange system policys can have a number of property pages which is turn affect the configuration of whatever mailbox store, public folder store or server you apply them to. All the information is stored in Active Directory so if you want to report on it via a script you can use ADSI as an entry point for accessing this information.

So what I’ve come up with is a script that first queries for all the msExchPrivateMDBPolicy objects in Active Directory. It then uses the msExchPolicyOptionList attribute which stores the property pages that this policy will apply to. This attribute in an octant array so a function is included to convert this to a hex value so it can be used in a case statement which builds a list what tabs have been selected in the policy this is then used at both the command line and logged to a file. The msExchPolicyListBL attribute holds the Distinguished names of all the store objects that this policy is applied to so each of these store objects are then opened and details on servename is extracted. The policy details themselves are stored in a scripting dictionary for use in a later report. The process is repeated with the public folder and server polices the results are displayed interactively to the command line as the script runs. After the policy specific queries are finished two other queries are run that get information about all the mailstores and public folder stores in a domain. This information is then compiled into a CSV file that reports on all the mailstores and public folder stores in the domain which have policies applied by using the scripting directory to retrieve the specific policy details it also reports on those which don’t have policies applied.

Nothing needs to be configured to run this script is will report on the domain its run in. The script itself is designed to be run at the commandline using cscript and it will echo out the result of the queries and also create a file on the root of the c: drive called exchpolices.csv

I’ve put a downloadable copy of the script here the script itself look like.


set shell = createobject("wscript.shell")
Set objDictionary = CreateObject("Scripting.Dictionary")
strValueName = "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias"
minTimeOffset = shell.regread(strValueName)
toffset = datediff("h",DateAdd("n", minTimeOffset, now()),now())
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
rangeStep = 999
lowRange = 0
highRange = lowRange + rangeStep
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
mbQuery = ";(objectCategory=msExchPrivateMDBPolicy);name,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Mailbox Stores Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))
pstring = ""
if isarray(objmailstorepolicy.msExchPolicyOptionList) then
tarray = objmailstorepolicy.GetEx("msExchPolicyOptionList")
for each ent in tarray
if pstring "" then pstring = pstring & ","
select case Octenttohex(ent)
case "B202F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Limits"
case "B102F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Database"
case "B002F16F3FBAD211994500C04F79F1C9" pstring = pstring & "General"
case "B302F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Full Text Indexing"
end select
next
end if
objDictionary.Add objmailstorepolicy.distinguishedName , dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime) & "," & pstring
wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo "Policy Tabs Included : " & pstring
wscript.echo
wscript.echo "Servername,StoreName"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailstore = getobject("LDAP://" & storeobj)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailstore = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
else
Wscript.echo "Policy Not Applied to any Stores"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchPublicMDBPolicy);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Public Stores Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))
pstring = ""
if isarray(objmailstorepolicy.msExchPolicyOptionList) then
tarray = objmailstorepolicy.GetEx("msExchPolicyOptionList")
for each ent in tarray
if pstring "" then pstring = pstring & ","
select case Octenttohex(ent)
case "A402F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Limits"
case "A302F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Database"
case "A102F16F3FBAD211994500C04F79F1C9" pstring = pstring & "General"
case "A502F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Full Text Indexing"
case "A202F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Replication"
end select
next
end if
objDictionary.Add objmailstorepolicy.distinguishedName , dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime) & "," & pstring
wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo "Policy Tabs Included : " & pstring
wscript.echo
wscript.echo "Servername,StoreName"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailstore = getobject("LDAP://" & storeobj)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailstore = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
else
Wscript.echo "Policy Not Applied to any Stores"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchExchangeServerPolicy);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Exchange Server Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))

wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo
wscript.echo "Servername"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailserver = getobject("LDAP://" & storeobj)
wscript.echo objmailserver.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailserver = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
wscript.echo objmailserver.cn
else
Wscript.echo "Policy Not Applied to any Servers"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\exchpolices.csv",2,true)
wfile.writeline("""Servername"",""Storage Group"",""StoreName"",""Last Applied"",""Policy Tabs""")
mbQuery = ";(objectCategory=msExchPrivateMDB);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
While Not Rs.EOF
set objmailstore = getobject("LDAP://" & Rs.Fields("distinguishedName"))
sgname = mid(rs.fields("distinguishedName"),(instr(3,rs.fields("distinguishedName"),",CN=")+4),(instr(rs.fields("distinguishedName"),",CN=InformationStore,") - (instr(3,rs.fields("distinguishedName"),",CN=")+4)))
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
if isarray(objmailstore.msExchPolicyList) then
tarray = objmailstore.GetEx("msExchPolicyList")
for each ent in tarray
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(ent)

next
else
if objmailstore.msExchPolicyList "" then
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(objmailstore.msExchPolicyList)
else
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & ",,No Polices"
end if
end if
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchPublicMDB);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
While Not Rs.EOF
set objmailstore = getobject("LDAP://" & Rs.Fields("distinguishedName"))
sgname = mid(rs.fields("distinguishedName"),(instr(3,rs.fields("distinguishedName"),",CN=")+4),(instr(rs.fields("distinguishedName"),",CN=InformationStore,") - (instr(3,rs.fields("distinguishedName"),",CN=")+4)))
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
if isarray(objmailstore.msExchPolicyList) then
tarray = objmailstore.GetEx("msExchPolicyList")
for each ent in tarray
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(ent)

next
else
if objmailstore.msExchPolicyList "" then
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(objmailstore.msExchPolicyList)
else
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & ",,No Polices"
end if
end if
Rs.MoveNext

Wend
Rs.Close


Set Rs = Nothing
Set Com = Nothing
Set Conn = Nothing


Function Octenttohex(OctenArry)
ReDim aOut(UBound(OctenArry))
For i = 1 to UBound(OctenArry) + 1
if len(hex(ascb(midb(OctenArry,i,1)))) = 1 then
aOut(i-1) = "0" & hex(ascb(midb(OctenArry,i,1)))
else
aOut(i-1) = hex(ascb(midb(OctenArry,i,1)))
end if
Next
Octenttohex = join(aOUt,"")
End Function