Skip to main content

Reporting on Meeting Delegate Forward Rules in Outlook

Somebody sparked my interest to this last week, one of the functions of Outlook is the ability to delegate your calendar and forward the meeting invitations you receive to another user. What Outlook does in the background is creates a rule in the inbox to forward any Calendar request messages to this delegate user. A problem can occur if this delegate user is deleted or disabled and the original user doesn’t modify or delete their delegate rules. In this case anyone sending this person a meeting invitation may suddenly start receiving NDR’s because the account the delegate rule is forwarding to no longer exists or is no longer accepting messages something like what described by KB253557

To detect and report on forwarding rules what you can use is CDO 1.2 and the rule.dll component which you can download from here . The rule.dll com object is good for creating rules but it can also be used to report on rules that already exist(a good thing to keep in mind is that this can’t be used to modify rules that it didn’t create eg because the delegate rule was created in Outlook the rule.dll component can not be used to modify this rule in any fashion).

So putting it all together I’ve come up with a script that will check all the users on a server to firstly see if they have a delegate forwarding rule enabled and then check each of the accounts the rule references to see if there is a valid mailbox for this address. So basically the first part of the script takes one commandline parameter which is the name of the server you want to run this against. The next part is a ADSI query the retrieves the names of all the mailboxes on that server that aren’t hidden from the global address list.. To determine if a rule is a delegate rule the rule action property is checked if the rule action is 7 this equates to ACTION_DELEGATE . Basically its the same as reading the rules tables and equating to the OP_DELEGATE action type. Once its determined that a delegate rule exists the recipients that the rule forwards to are then checked to see if they are valid by first converting the recipient.id that is returned by the rule component into a address object which will then return the ExchangeDN of the user object which can then be searched for in active directory by using the LegacyExchangeDN property. The result of all these queries are then echoed to the commandline and also saved in a CSV on the c: drive called MeetingDelgatesForwards.csv.

This script is designed to by run from the commandline (cscript) with the servername you want to run it against as a commandline parameter. Eg cscript chkdelv4.vbs servername. Because this script logs on to each mailbox to check if a delegate rule exists its needs to be run with an account that has full right to everyones mailbox as per KB821897

Remediation: At first I was going to add a remediation function to this script so it would automatically delete any rules that it found where invalid but I decided to stop at just reporting because it’s possible that in some cases remediation of this problem is a lot more complicated that can be handled automatically in a script. Eg its possible to have meeting requests forwarded to multiple delegates where there would be one rule with multiple address’s is the rules action argument is this case you can’t modify the rule because it can only be modified by the agent that created it (eg Outlook) and deleting the rule would cause lose of data and functionality. In the end the hard work is mostly in identifying the accounts that this might be an issue with and then you can use whatever tools you need to remediate the action.

I’ve put a downloadable copy of the script here the script itself looks like

servername = wscript.arguments(0)
PR_HAS_RULES = &H663A000B
PR_URL_NAME = &H6707001E
PR_CREATOR = &H3FF8001E
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\MeetingDelgatesForwards.csv",2,true)
wfile.writeline("Mailbox,ForwadingAddress,Status")
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
svcQuery = ">LDAP://" & strNameingContext & "<(&(objectCategory=msExchExchangeServer)(cn=" & Servername & "));cn,name,legacyExchangeDN;subtree"
Com.ActiveConnection = Conn
Com.CommandText = svcQuery
Set Rs = Com.Execute
while not rs.eof
GALQueryFilter = "(&(&(&(& (mailnickname=*)(!msExchHideFromAddressLists=TRUE)(| (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=" & rs.fields("legacyExchangeDN") & ")) )))))"
strQuery = ">LDAP://" & strDefaultNamingContext & "<" & GALQueryFilter & ";distinguishedName,mailnickname,mail;subtree"
com.Properties("Page Size") = 100
Com.CommandText = strQuery
Set Rs1 = Com.Execute
while not Rs1.eof
call procmailboxes(servername,rs1.fields("mail"))
wscript.echo rs1.fields("mail")
rs1.movenext
wend
rs.movenext
wend
rs.close
wfile.close
set fso = nothing
set conn = nothing
set com = nothing
wscript.echo "Done"




sub procmailboxes(servername,MailboxAlias)

Set msMapiSession = CreateObject("MAPI.Session")
on error Resume next
msMapiSession.Logon "","",False,True,True,True,Servername & vbLF & MailboxAlias
if err.number = 0 then
on error goto 0
Set mrMailboxRules = CreateObject("MSExchange.Rules")
mrMailboxRules.Folder = msMapiSession.Inbox
Wscript.echo "Checking For any Delegate forwarding Rules"
nfNonefound = 0
for Each roRule in mrMailboxRules
for each aoAction in roRule.actions
if aoAction.ActionType = 7 then
nfNonefound = 1
Wscript.echo "Delegate Rule found Forwards to"
for each aoAdressObject in aoAction.arg
Set objAddrEntry = msMapiSession.GetAddressEntry(aoAdressobject)
wscript.echo "Address = " & objAddrEntry.Address
if verifyaddress(objAddrEntry.Address) = 1 then
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Valid")
wscript.echo "Account okay"
else
wscript.echo "Account not valid"
wfile.writeline(mailboxAlias & "," & objAddrEntry.Address & ",Account Invalid")
end if
next
end if
next
next
if nfNonefound = 0 then
wscript.echo "No Delegate forwarding rules found"
wfile.writeline(mailboxAlias & "," & "No Delegate forwarding rules found")
end if
else
Wscript.echo "Error Opening Mailbox"
wfile.writeline(mailboxAlias & "," & "Error Opening Mailbox")
end if
Set msMapiSession = Nothing
Set mrMailboxRules = Nothing

End Sub

function verifyaddress(exlegancydn)

vfQuery = ">LDAP://" & strDefaultNamingContext & "<(legacyExchangeDN=" & exlegancydn & ");name,distinguishedName;subtree"
Com.CommandText = vfQuery
Set Rschk = Com.Execute
aoAccountokay = 0
While Not Rschk.EOF
set objUser = getobject("LDAP://" & replace(rschk.fields("distinguishedName"),"/","\/"))
if objUser.AccountDisabled then
aoAccountokay = 0
else
aoAccountokay = 1
end if
rschk.movenext
wend
rschk.close
set rschk = nothing
set connchk = nothing
set comchk = nothing
verifyaddress = aoAccountokay

end function

Popular posts from this blog

Downloading a shared file from Onedrive for business using Powershell

I thought I'd quickly share this script I came up with to download a file that was shared using One Drive for Business (which is SharePoint under the covers) with Powershell. The following script takes a OneDrive for business URL which would look like https://mydom-my.sharepoint.com/personal/gscales_domain_com/Documents/Email%20attachments/filename.txt This script is pretty simple it uses the SharePoint CSOM (Client side object Model) which it loads in the first line. It uses the URI object to separate the host and relative URL which the CSOM requires and also the SharePointOnlineCredentials object to handle the Office365 SharePoint online authentication. The following script is a function that take the OneDrive URL, Credentials for Office365 and path you want to download the file to and downloads the file. eg to run the script you would use something like ./spdownload.ps1 ' https://mydom-my.sharepoint.com/personal/gscales_domain_com/Documents/Email%20attachments/filena

How to test SMTP using Opportunistic TLS with Powershell and grab the public certificate a SMTP server is using

Most email services these day employ Opportunistic TLS when trying to send Messages which means that wherever possible the Messages will be encrypted rather then the plain text legacy of SMTP.  This method was defined in RFC 3207 "SMTP Service Extension for Secure SMTP over Transport Layer Security" and  there's a quite a good explanation of Opportunistic TLS on Wikipedia  https://en.wikipedia.org/wiki/Opportunistic_TLS .  This is used for both Server to Server (eg MTA to MTA) and Client to server (Eg a Message client like Outlook which acts as a MSA) the later being generally Authenticated. Basically it allows you to have a normal plain text SMTP conversation that is then upgraded to TLS using the STARTTLS verb. Not all servers will support this verb so if its not supported then a message is just sent as Plain text. TLS relies on PKI certificates and the administrative issue s that come around certificate management like expired certificates which is why I wrote th

Export calendar Items to a CSV file using EWS and Powershell

Somebody asked about this last week and while I have a lot of EWS scripts that do access the Calendar I didn't have a simple example that just exported a list of the Calendar events with relevant information to a CSV file so here it is. I've talked on this one before in this howto  but when you query the calendar folder using EWS you need to use a CalendarView which will expand any recurring appointments in a calendar. There are some limits when you use a calendarview in that you can only return a maximum of 2 years of appointments at a time and paging will limit the max number of items to 1000 per call. So if you have a calendar with a very large number of appointments you need to break your query into small date time blocks. In this example script I'm just grabbing the next 7 days of appointments if you want to query a longer period you need to adjust the following lines (keeping in mind what I just mentioned) #Define Date to Query $StartDate = (Get-Date) $EndDate
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.