Skip to main content

Reporting on what System Policies are applied via a script

Someone asked me about auditing System polices today I’m not a big user of these myself but a lot of the routines I’ve used before in scripts posted to this blog can be applied to get this information. In Exchange 2003 there are three system polices for Mailbox Stores, Public Folders and Servers. Exchange system policys can have a number of property pages which is turn affect the configuration of whatever mailbox store, public folder store or server you apply them to. All the information is stored in Active Directory so if you want to report on it via a script you can use ADSI as an entry point for accessing this information.

So what I’ve come up with is a script that first queries for all the msExchPrivateMDBPolicy objects in Active Directory. It then uses the msExchPolicyOptionList attribute which stores the property pages that this policy will apply to. This attribute in an octant array so a function is included to convert this to a hex value so it can be used in a case statement which builds a list what tabs have been selected in the policy this is then used at both the command line and logged to a file. The msExchPolicyListBL attribute holds the Distinguished names of all the store objects that this policy is applied to so each of these store objects are then opened and details on servename is extracted. The policy details themselves are stored in a scripting dictionary for use in a later report. The process is repeated with the public folder and server polices the results are displayed interactively to the command line as the script runs. After the policy specific queries are finished two other queries are run that get information about all the mailstores and public folder stores in a domain. This information is then compiled into a CSV file that reports on all the mailstores and public folder stores in the domain which have policies applied by using the scripting directory to retrieve the specific policy details it also reports on those which don’t have policies applied.

Nothing needs to be configured to run this script is will report on the domain its run in. The script itself is designed to be run at the commandline using cscript and it will echo out the result of the queries and also create a file on the root of the c: drive called exchpolices.csv

I’ve put a downloadable copy of the script here the script itself look like.


set shell = createobject("wscript.shell")
Set objDictionary = CreateObject("Scripting.Dictionary")
strValueName = "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias"
minTimeOffset = shell.regread(strValueName)
toffset = datediff("h",DateAdd("n", minTimeOffset, now()),now())
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
rangeStep = 999
lowRange = 0
highRange = lowRange + rangeStep
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
mbQuery = ";(objectCategory=msExchPrivateMDBPolicy);name,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Mailbox Stores Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))
pstring = ""
if isarray(objmailstorepolicy.msExchPolicyOptionList) then
tarray = objmailstorepolicy.GetEx("msExchPolicyOptionList")
for each ent in tarray
if pstring "" then pstring = pstring & ","
select case Octenttohex(ent)
case "B202F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Limits"
case "B102F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Database"
case "B002F16F3FBAD211994500C04F79F1C9" pstring = pstring & "General"
case "B302F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Full Text Indexing"
end select
next
end if
objDictionary.Add objmailstorepolicy.distinguishedName , dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime) & "," & pstring
wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo "Policy Tabs Included : " & pstring
wscript.echo
wscript.echo "Servername,StoreName"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailstore = getobject("LDAP://" & storeobj)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailstore = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
else
Wscript.echo "Policy Not Applied to any Stores"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchPublicMDBPolicy);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Public Stores Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))
pstring = ""
if isarray(objmailstorepolicy.msExchPolicyOptionList) then
tarray = objmailstorepolicy.GetEx("msExchPolicyOptionList")
for each ent in tarray
if pstring "" then pstring = pstring & ","
select case Octenttohex(ent)
case "A402F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Limits"
case "A302F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Database"
case "A102F16F3FBAD211994500C04F79F1C9" pstring = pstring & "General"
case "A502F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Full Text Indexing"
case "A202F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Replication"
end select
next
end if
objDictionary.Add objmailstorepolicy.distinguishedName , dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime) & "," & pstring
wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo "Policy Tabs Included : " & pstring
wscript.echo
wscript.echo "Servername,StoreName"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailstore = getobject("LDAP://" & storeobj)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailstore = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
else
Wscript.echo "Policy Not Applied to any Stores"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchExchangeServerPolicy);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Exchange Server Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))

wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo
wscript.echo "Servername"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailserver = getobject("LDAP://" & storeobj)
wscript.echo objmailserver.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailserver = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
wscript.echo objmailserver.cn
else
Wscript.echo "Policy Not Applied to any Servers"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\exchpolices.csv",2,true)
wfile.writeline("""Servername"",""Storage Group"",""StoreName"",""Last Applied"",""Policy Tabs""")
mbQuery = ";(objectCategory=msExchPrivateMDB);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
While Not Rs.EOF
set objmailstore = getobject("LDAP://" & Rs.Fields("distinguishedName"))
sgname = mid(rs.fields("distinguishedName"),(instr(3,rs.fields("distinguishedName"),",CN=")+4),(instr(rs.fields("distinguishedName"),",CN=InformationStore,") - (instr(3,rs.fields("distinguishedName"),",CN=")+4)))
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
if isarray(objmailstore.msExchPolicyList) then
tarray = objmailstore.GetEx("msExchPolicyList")
for each ent in tarray
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(ent)

next
else
if objmailstore.msExchPolicyList "" then
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(objmailstore.msExchPolicyList)
else
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & ",,No Polices"
end if
end if
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchPublicMDB);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
While Not Rs.EOF
set objmailstore = getobject("LDAP://" & Rs.Fields("distinguishedName"))
sgname = mid(rs.fields("distinguishedName"),(instr(3,rs.fields("distinguishedName"),",CN=")+4),(instr(rs.fields("distinguishedName"),",CN=InformationStore,") - (instr(3,rs.fields("distinguishedName"),",CN=")+4)))
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
if isarray(objmailstore.msExchPolicyList) then
tarray = objmailstore.GetEx("msExchPolicyList")
for each ent in tarray
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(ent)

next
else
if objmailstore.msExchPolicyList "" then
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(objmailstore.msExchPolicyList)
else
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & ",,No Polices"
end if
end if
Rs.MoveNext

Wend
Rs.Close


Set Rs = Nothing
Set Com = Nothing
Set Conn = Nothing


Function Octenttohex(OctenArry)
ReDim aOut(UBound(OctenArry))
For i = 1 to UBound(OctenArry) + 1
if len(hex(ascb(midb(OctenArry,i,1)))) = 1 then
aOut(i-1) = "0" & hex(ascb(midb(OctenArry,i,1)))
else
aOut(i-1) = hex(ascb(midb(OctenArry,i,1)))
end if
Next
Octenttohex = join(aOUt,"")
End Function

Popular posts from this blog

The MailboxConcurrency limit and using Batching in the Microsoft Graph API

If your getting an error such as Application is over its MailboxConcurrency limit while using the Microsoft Graph API this post may help you understand why. Background   The Mailbox  concurrency limit when your using the Graph API is 4 as per https://docs.microsoft.com/en-us/graph/throttling#outlook-service-limits . This is evaluated for each app ID and mailbox combination so this means you can have different apps running under the same credentials and the poor behavior of one won't cause the other to be throttled. If you compared that to EWS you could have up to 27 concurrent connections but they are shared across all apps on a first come first served basis. Batching Batching in the Graph API is a way of combining multiple requests into a single HTTP request. Batching in the Exchange Mail API's EWS and MAPI has been around for a long time and its common, for email Apps to process large numbers of smaller items for a variety of reasons.  Batching in the Gr...
Read more

EWS-FAI Module for browsing and updating Exchange Folder Associated Items from PowerShell

Folder Associated Items are hidden Items in Exchange Mailbox folders that are commonly used to hold configuration settings for various Mailbox Clients and services that use Mailboxes. Some common examples of FAI's are Categories,OWA Signatures and WorkHours there is some more detailed documentation in the https://msdn.microsoft.com/en-us/library/cc463899(v=exchg.80).aspx protocol document. In EWS these configuration items can be accessed via the UserConfiguration operation https://msdn.microsoft.com/en-us/library/office/dd899439(v=exchg.150).aspx which will give you access to either the RoamingDictionary, XMLStream or BinaryStream data properties that holds the configuration depending on what type of FAI data is being stored. I've written a number of scripts over the years that target particular FAI's (eg this one that reads the workhours  http://gsexdev.blogspot.com.au/2015/11/finding-timezone-being-used-in-mailbox.html is a good example ) but I didn't have a gene...
Read more

Sending a MimeMessage via the Microsoft Graph using the Graph SDK, MimeKit and MSAL

One of the new features added to the Microsoft Graph recently was the ability to create and send Mime Messages (you have been able to get Message as Mime for a while). This is useful in a number of different scenarios especially when trying to create a Message with inline Images which has historically been hard to do with both the Graph and EWS (if you don't use MIME). It also opens up using SMIME for encryption and a more easy migration path for sending using SMTP in some apps. MimeKit is a great open source library for parsing and creating MIME messages so it offers a really easy solution for tackling this issue. The current documentation on Send message via MIME lacks any real sample so I've put together a quick console app that use MSAL, MIME kit and the Graph SDK to send a Message via MIME. As the current Graph SDK also doesn't support sending via MIME either there is a workaround for this in the future my guess is this will be supported.
Read more
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.