Friday, August 04, 2006

Reporting on what System Policies are applied via a script

Someone asked me about auditing System polices today I’m not a big user of these myself but a lot of the routines I’ve used before in scripts posted to this blog can be applied to get this information. In Exchange 2003 there are three system polices for Mailbox Stores, Public Folders and Servers. Exchange system policys can have a number of property pages which is turn affect the configuration of whatever mailbox store, public folder store or server you apply them to. All the information is stored in Active Directory so if you want to report on it via a script you can use ADSI as an entry point for accessing this information.

So what I’ve come up with is a script that first queries for all the msExchPrivateMDBPolicy objects in Active Directory. It then uses the msExchPolicyOptionList attribute which stores the property pages that this policy will apply to. This attribute in an octant array so a function is included to convert this to a hex value so it can be used in a case statement which builds a list what tabs have been selected in the policy this is then used at both the command line and logged to a file. The msExchPolicyListBL attribute holds the Distinguished names of all the store objects that this policy is applied to so each of these store objects are then opened and details on servename is extracted. The policy details themselves are stored in a scripting dictionary for use in a later report. The process is repeated with the public folder and server polices the results are displayed interactively to the command line as the script runs. After the policy specific queries are finished two other queries are run that get information about all the mailstores and public folder stores in a domain. This information is then compiled into a CSV file that reports on all the mailstores and public folder stores in the domain which have policies applied by using the scripting directory to retrieve the specific policy details it also reports on those which don’t have policies applied.

Nothing needs to be configured to run this script is will report on the domain its run in. The script itself is designed to be run at the commandline using cscript and it will echo out the result of the queries and also create a file on the root of the c: drive called exchpolices.csv

I’ve put a downloadable copy of the script here the script itself look like.


set shell = createobject("wscript.shell")
Set objDictionary = CreateObject("Scripting.Dictionary")
strValueName = "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias"
minTimeOffset = shell.regread(strValueName)
toffset = datediff("h",DateAdd("n", minTimeOffset, now()),now())
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
rangeStep = 999
lowRange = 0
highRange = lowRange + rangeStep
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
mbQuery = ";(objectCategory=msExchPrivateMDBPolicy);name,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Mailbox Stores Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))
pstring = ""
if isarray(objmailstorepolicy.msExchPolicyOptionList) then
tarray = objmailstorepolicy.GetEx("msExchPolicyOptionList")
for each ent in tarray
if pstring "" then pstring = pstring & ","
select case Octenttohex(ent)
case "B202F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Limits"
case "B102F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Database"
case "B002F16F3FBAD211994500C04F79F1C9" pstring = pstring & "General"
case "B302F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Full Text Indexing"
end select
next
end if
objDictionary.Add objmailstorepolicy.distinguishedName , dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime) & "," & pstring
wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo "Policy Tabs Included : " & pstring
wscript.echo
wscript.echo "Servername,StoreName"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailstore = getobject("LDAP://" & storeobj)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailstore = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
else
Wscript.echo "Policy Not Applied to any Stores"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchPublicMDBPolicy);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Public Stores Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))
pstring = ""
if isarray(objmailstorepolicy.msExchPolicyOptionList) then
tarray = objmailstorepolicy.GetEx("msExchPolicyOptionList")
for each ent in tarray
if pstring "" then pstring = pstring & ","
select case Octenttohex(ent)
case "A402F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Limits"
case "A302F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Database"
case "A102F16F3FBAD211994500C04F79F1C9" pstring = pstring & "General"
case "A502F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Full Text Indexing"
case "A202F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Replication"
end select
next
end if
objDictionary.Add objmailstorepolicy.distinguishedName , dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime) & "," & pstring
wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo "Policy Tabs Included : " & pstring
wscript.echo
wscript.echo "Servername,StoreName"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailstore = getobject("LDAP://" & storeobj)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailstore = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
else
Wscript.echo "Policy Not Applied to any Stores"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchExchangeServerPolicy);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Exchange Server Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))

wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo
wscript.echo "Servername"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailserver = getobject("LDAP://" & storeobj)
wscript.echo objmailserver.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailserver = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
wscript.echo objmailserver.cn
else
Wscript.echo "Policy Not Applied to any Servers"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\exchpolices.csv",2,true)
wfile.writeline("""Servername"",""Storage Group"",""StoreName"",""Last Applied"",""Policy Tabs""")
mbQuery = ";(objectCategory=msExchPrivateMDB);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
While Not Rs.EOF
set objmailstore = getobject("LDAP://" & Rs.Fields("distinguishedName"))
sgname = mid(rs.fields("distinguishedName"),(instr(3,rs.fields("distinguishedName"),",CN=")+4),(instr(rs.fields("distinguishedName"),",CN=InformationStore,") - (instr(3,rs.fields("distinguishedName"),",CN=")+4)))
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
if isarray(objmailstore.msExchPolicyList) then
tarray = objmailstore.GetEx("msExchPolicyList")
for each ent in tarray
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(ent)

next
else
if objmailstore.msExchPolicyList "" then
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(objmailstore.msExchPolicyList)
else
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & ",,No Polices"
end if
end if
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchPublicMDB);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
While Not Rs.EOF
set objmailstore = getobject("LDAP://" & Rs.Fields("distinguishedName"))
sgname = mid(rs.fields("distinguishedName"),(instr(3,rs.fields("distinguishedName"),",CN=")+4),(instr(rs.fields("distinguishedName"),",CN=InformationStore,") - (instr(3,rs.fields("distinguishedName"),",CN=")+4)))
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
if isarray(objmailstore.msExchPolicyList) then
tarray = objmailstore.GetEx("msExchPolicyList")
for each ent in tarray
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(ent)

next
else
if objmailstore.msExchPolicyList "" then
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(objmailstore.msExchPolicyList)
else
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & ",,No Polices"
end if
end if
Rs.MoveNext

Wend
Rs.Close


Set Rs = Nothing
Set Com = Nothing
Set Conn = Nothing


Function Octenttohex(OctenArry)
ReDim aOut(UBound(OctenArry))
For i = 1 to UBound(OctenArry) + 1
if len(hex(ascb(midb(OctenArry,i,1)))) = 1 then
aOut(i-1) = "0" & hex(ascb(midb(OctenArry,i,1)))
else
aOut(i-1) = hex(ascb(midb(OctenArry,i,1)))
end if
Next
Octenttohex = join(aOUt,"")
End Function

7 comments:

Anonymous said...

What no output in HTML format???You're losing your touch buddy .

Great Script As Usual!

Anonymous said...

send as email attachemnet

Anonymous said...

glen..when i try to send this report via mail..it reports the cvs. is being used...how can i fix this...what must i close.

Glen said...

Sorry looks like i didn't close of the text file. What you need to do is inlcude a line before your mailing code such as

wfile.close

You could also put in

set wfile = nothing
set fso = nothing

hope that helps
Cheers
Glen

Anonymous said...

How do I run the script, I'm getting this error:

C:\lexchpols.vbs(150, 3) Microsoft VBScript runtime error: Invalid procedur
e call or argument: 'mid'

Thanks.

Glen said...

Thats a parse error you may want to try adding a

on error resume next

at the begining of the script otherwise you will need to try and debug the error. Make sure you running it from machine that is a member of the domain.

Cheers
Glen

Anonymous said...

Thanks for the reply.
I found the problem. We're testing Exchange 2010 and the path on ADSIEdit changed (there's no "Information Store", etc..).

It's working fine now.

thanks.