Skip to main content

Reporting on what System Policies are applied via a script

Someone asked me about auditing System polices today I’m not a big user of these myself but a lot of the routines I’ve used before in scripts posted to this blog can be applied to get this information. In Exchange 2003 there are three system polices for Mailbox Stores, Public Folders and Servers. Exchange system policys can have a number of property pages which is turn affect the configuration of whatever mailbox store, public folder store or server you apply them to. All the information is stored in Active Directory so if you want to report on it via a script you can use ADSI as an entry point for accessing this information.

So what I’ve come up with is a script that first queries for all the msExchPrivateMDBPolicy objects in Active Directory. It then uses the msExchPolicyOptionList attribute which stores the property pages that this policy will apply to. This attribute in an octant array so a function is included to convert this to a hex value so it can be used in a case statement which builds a list what tabs have been selected in the policy this is then used at both the command line and logged to a file. The msExchPolicyListBL attribute holds the Distinguished names of all the store objects that this policy is applied to so each of these store objects are then opened and details on servename is extracted. The policy details themselves are stored in a scripting dictionary for use in a later report. The process is repeated with the public folder and server polices the results are displayed interactively to the command line as the script runs. After the policy specific queries are finished two other queries are run that get information about all the mailstores and public folder stores in a domain. This information is then compiled into a CSV file that reports on all the mailstores and public folder stores in the domain which have policies applied by using the scripting directory to retrieve the specific policy details it also reports on those which don’t have policies applied.

Nothing needs to be configured to run this script is will report on the domain its run in. The script itself is designed to be run at the commandline using cscript and it will echo out the result of the queries and also create a file on the root of the c: drive called exchpolices.csv

I’ve put a downloadable copy of the script here the script itself look like.


set shell = createobject("wscript.shell")
Set objDictionary = CreateObject("Scripting.Dictionary")
strValueName = "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias"
minTimeOffset = shell.regread(strValueName)
toffset = datediff("h",DateAdd("n", minTimeOffset, now()),now())
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
rangeStep = 999
lowRange = 0
highRange = lowRange + rangeStep
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
mbQuery = ";(objectCategory=msExchPrivateMDBPolicy);name,distinguishedName;subtree"
Com.ActiveConnection = Conn
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Mailbox Stores Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))
pstring = ""
if isarray(objmailstorepolicy.msExchPolicyOptionList) then
tarray = objmailstorepolicy.GetEx("msExchPolicyOptionList")
for each ent in tarray
if pstring "" then pstring = pstring & ","
select case Octenttohex(ent)
case "B202F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Limits"
case "B102F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Database"
case "B002F16F3FBAD211994500C04F79F1C9" pstring = pstring & "General"
case "B302F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Full Text Indexing"
end select
next
end if
objDictionary.Add objmailstorepolicy.distinguishedName , dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime) & "," & pstring
wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo "Policy Tabs Included : " & pstring
wscript.echo
wscript.echo "Servername,StoreName"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailstore = getobject("LDAP://" & storeobj)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailstore = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
else
Wscript.echo "Policy Not Applied to any Stores"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchPublicMDBPolicy);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Public Stores Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))
pstring = ""
if isarray(objmailstorepolicy.msExchPolicyOptionList) then
tarray = objmailstorepolicy.GetEx("msExchPolicyOptionList")
for each ent in tarray
if pstring "" then pstring = pstring & ","
select case Octenttohex(ent)
case "A402F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Limits"
case "A302F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Database"
case "A102F16F3FBAD211994500C04F79F1C9" pstring = pstring & "General"
case "A502F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Full Text Indexing"
case "A202F16F3FBAD211994500C04F79F1C9" pstring = pstring & "Replication"
end select
next
end if
objDictionary.Add objmailstorepolicy.distinguishedName , dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime) & "," & pstring
wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo "Policy Tabs Included : " & pstring
wscript.echo
wscript.echo "Servername,StoreName"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailstore = getobject("LDAP://" & storeobj)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailstore = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
wscript.echo strservername & "," & objmailstore.cn
else
Wscript.echo "Policy Not Applied to any Stores"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchExchangeServerPolicy);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
Wscript.echo "Exchange Server Policies"
Wscript.echo
While Not Rs.EOF
set objmailstorepolicy = getobject("LDAP://" & Rs.Fields("distinguishedName"))

wscript.echo "Policy Name : " & objmailstorepolicy.cn
wscript.echo "Policy Last Applied : " & dateadd("h",toffset,objmailstorepolicy.msExchPolicyLastAppliedTime)
wscript.echo
wscript.echo "Servername"
if isarray(objmailstorepolicy.msExchPolicyListBL) then
for each storeobj in objmailstorepolicy.msExchPolicyListBL
set objmailserver = getobject("LDAP://" & storeobj)
wscript.echo objmailserver.cn
next
else
if objmailstorepolicy.msExchPolicyListBL "" then
set objmailserver = getobject("LDAP://" & objmailstorepolicy.msExchPolicyListBL)
wscript.echo objmailserver.cn
else
Wscript.echo "Policy Not Applied to any Servers"
end if
end if
wscript.echo
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\exchpolices.csv",2,true)
wfile.writeline("""Servername"",""Storage Group"",""StoreName"",""Last Applied"",""Policy Tabs""")
mbQuery = ";(objectCategory=msExchPrivateMDB);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
While Not Rs.EOF
set objmailstore = getobject("LDAP://" & Rs.Fields("distinguishedName"))
sgname = mid(rs.fields("distinguishedName"),(instr(3,rs.fields("distinguishedName"),",CN=")+4),(instr(rs.fields("distinguishedName"),",CN=InformationStore,") - (instr(3,rs.fields("distinguishedName"),",CN=")+4)))
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
if isarray(objmailstore.msExchPolicyList) then
tarray = objmailstore.GetEx("msExchPolicyList")
for each ent in tarray
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(ent)

next
else
if objmailstore.msExchPolicyList "" then
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(objmailstore.msExchPolicyList)
else
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & ",,No Polices"
end if
end if
Rs.MoveNext

Wend
Rs.Close
set Rs = nothing
mbQuery = ";(objectCategory=msExchPublicMDB);name,distinguishedName;subtree"
Com.CommandText = mbQuery
Set Rs = Com.Execute
While Not Rs.EOF
set objmailstore = getobject("LDAP://" & Rs.Fields("distinguishedName"))
sgname = mid(rs.fields("distinguishedName"),(instr(3,rs.fields("distinguishedName"),",CN=")+4),(instr(rs.fields("distinguishedName"),",CN=InformationStore,") - (instr(3,rs.fields("distinguishedName"),",CN=")+4)))
strservername = mid(objmailstore.msExchOwningServer,4,instr(objmailstore.msExchOwningServer,",")-4)
if isarray(objmailstore.msExchPolicyList) then
tarray = objmailstore.GetEx("msExchPolicyList")
for each ent in tarray
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(ent)

next
else
if objmailstore.msExchPolicyList "" then
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & "," & objDictionary.Item(objmailstore.msExchPolicyList)
else
wfile.writeline strservername & "," & sgname & "," & objmailstore.cn & ",,No Polices"
end if
end if
Rs.MoveNext

Wend
Rs.Close


Set Rs = Nothing
Set Com = Nothing
Set Conn = Nothing


Function Octenttohex(OctenArry)
ReDim aOut(UBound(OctenArry))
For i = 1 to UBound(OctenArry) + 1
if len(hex(ascb(midb(OctenArry,i,1)))) = 1 then
aOut(i-1) = "0" & hex(ascb(midb(OctenArry,i,1)))
else
aOut(i-1) = hex(ascb(midb(OctenArry,i,1)))
end if
Next
Octenttohex = join(aOUt,"")
End Function

Popular posts from this blog

Testing and Sending email via SMTP using Opportunistic TLS and oAuth in Office365 with PowerShell

As well as EWS and Remote PowerShell (RPS) other mail protocols POP3, IMAP and SMTP have had OAuth authentication enabled in Exchange Online (Official announcement here ). A while ago I created  this script that used Opportunistic TLS to perform a Telnet style test against a SMTP server using SMTP AUTH. Now that oAuth authentication has been enabled in office365 I've updated this script to be able to use oAuth instead of SMTP Auth to test against Office365. I've also included a function to actually send a Message. Token Acquisition  To Send a Mail using oAuth you first need to get an Access token from Azure AD there are plenty of ways of doing this in PowerShell. You could use a library like MSAL or ADAL (just google your favoured method) or use a library less approach which I've included with this script . Whatever way you do this you need to make sure that your application registration  https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-

How to test SMTP using Opportunistic TLS with Powershell and grab the public certificate a SMTP server is using

Most email services these day employ Opportunistic TLS when trying to send Messages which means that wherever possible the Messages will be encrypted rather then the plain text legacy of SMTP.  This method was defined in RFC 3207 "SMTP Service Extension for Secure SMTP over Transport Layer Security" and  there's a quite a good explanation of Opportunistic TLS on Wikipedia  https://en.wikipedia.org/wiki/Opportunistic_TLS .  This is used for both Server to Server (eg MTA to MTA) and Client to server (Eg a Message client like Outlook which acts as a MSA) the later being generally Authenticated. Basically it allows you to have a normal plain text SMTP conversation that is then upgraded to TLS using the STARTTLS verb. Not all servers will support this verb so if its not supported then a message is just sent as Plain text. TLS relies on PKI certificates and the administrative issue s that come around certificate management like expired certificates which is why I wrote th

The MailboxConcurrency limit and using Batching in the Microsoft Graph API

If your getting an error such as Application is over its MailboxConcurrency limit while using the Microsoft Graph API this post may help you understand why. Background   The Mailbox  concurrency limit when your using the Graph API is 4 as per https://docs.microsoft.com/en-us/graph/throttling#outlook-service-limits . This is evaluated for each app ID and mailbox combination so this means you can have different apps running under the same credentials and the poor behavior of one won't cause the other to be throttled. If you compared that to EWS you could have up to 27 concurrent connections but they are shared across all apps on a first come first served basis. Batching Batching in the Graph API is a way of combining multiple requests into a single HTTP request. Batching in the Exchange Mail API's EWS and MAPI has been around for a long time and its common, for email Apps to process large numbers of smaller items for a variety of reasons.  Batching in the Graph is limited to a m
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.