Sunday, April 06, 2008

Showing Mailbox Rights and Send-as/Receive As rights in Powershell Exchange 2000/3/7

I’ve been working on some permissions scripts in the past couple of weeks and thought I’d post a powershell port of some VBS code from this http://msdn2.microsoft.com/en-us/library/ms992469(EXCHG.65).aspx msdn article. I’ve use this code before in a variety of scripts to read permissions from the Exchange Mailbox DACL via the msexchmailboxsecuritydescriptor AD property. Of course one should never try to set mailbox rights using this property as per http://support.microsoft.com/kb/310866/ so make sure you always treat it as read only. So what I’ve done is put together a quick sample that uses the new ActiveDirectorySecurity class in .NET 2.0 to basically load the DACL from the bytearray representation of the DACL that’s stored in this property. Also I’ve included some code to retrieve the Send-AS and Receive-AS rights from the AD object's DACL.

The code only looks at the Implicitly set ACE's and not the Inherited ACE’s (this could be easily changed) it queries ever mailbox in the domain it is executed in and outputs any explicitly set Mailbox ACE’s and Send-as/Receive-as ACE's out to the cmdline. On Exchange 2007 you could do the same thing in the Exchange Management Shell a lot easier using the get-mailboxpermission and get-adpermission.

I’ve put a download of the code here the script itself looks like.

[warning this script could cause global warming if drive when you should walk somewhere]

$root = [ADSI]'LDAP://RootDSE'
$dfDefaultRootPath = "LDAP://" + $root.DefaultNamingContext.tostring()
$dfRoot = [ADSI]$dfDefaultRootPath
$gfGALQueryFilter = "(&(&(&(mailnickname=*)(objectCategory=person)(objectClass=user))))"
$dfsearcher = new-object System.DirectoryServices.DirectorySearcher($dfRoot)
$dfsearcher.Filter = $gfGALQueryFilter
$dfsearcher.PropertiesToLoad.Add("msExchMailboxSecurityDescriptor")
$srSearchResult = $dfsearcher.FindAll()
foreach ($emResult in $srSearchResult) {
$uoUserobject = New-Object System.DirectoryServices.directoryentry
$uoUserobject = $emResult.GetDirectoryEntry()
$emProps = $emResult.Properties
[byte[]]$DaclByte = $emProps["msexchmailboxsecuritydescriptor"][0]
$adDACL = new-object System.DirectoryServices.ActiveDirectorySecurity
$adDACL.SetSecurityDescriptorBinaryForm($DaclByte)
$mbRightsacls =$adDACL.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
"Mailbox - " + $uoUserobject.DisplayName
foreach ($ace in $mbRightsacls){
if($ace.IdentityReference.Value -ne "S-1-5-10" -band $ace.IdentityReference.Value
-ne "S-1-5-18" -band $ace.IsInherited -ne $true){

$sidbind = "LDAP://<SID=" + $ace.IdentityReference.Value + ">"
$AceName = $ace.IdentityReference.Value
$aceuser = [ADSI]$sidbind
if ($aceuser.name -ne $null){
$AceName = $aceuser.samaccountname
}
" ACE UserName : " + $AceName
""
If ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild){

" Full Mailbox Access"}
If ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
-ne 0){
" Take Ownership"}
If ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl){

" Modify User Attributes"}
If ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ListChildren){

" Is mailbox primary owner of this object"}
If ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Delete){

" Delete mailbox storage"}
If ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadControl){

" Read permissions"}

}
}
$Sendasacls = $uoUserobject.psbase.get_objectSecurity().getAccessRules($true,
$false, [System.Security.Principal.SecurityIdentifier])|? {$_.ObjectType -eq
'ab721a54-1e2f-11d0-9819-00aa0040529b'}
$Recieveasacls = $uoUserobject.psbase.get_objectSecurity().getAccessRules($true,
$false, [System.Security.Principal.SecurityIdentifier])|? {$_.ObjectType -eq
'ab721a56-1e2f-11d0-9819-00aa0040529b'}
if ($Sendasacls -ne $null){
foreach ($ace in $Sendasacls)
{
if($ace.IdentityReference.Value -ne "S-1-5-10" -band $ace.IdentityReference.Value
-ne "S-1-5-18" -band $ace.IsInherited -ne $true){
$sidbind = "LDAP://<SID=" + $ace.IdentityReference.Value + ">"
$AceName = $ace.IdentityReference.Value
$aceuser = [ADSI]$sidbind
if ($aceuser.name -ne $null){
$AceName = $aceuser.samaccountname
}
""
" ACE UserName : " + $AceName
" Send As Rights"
}

}
}
if ($Recieveasacls -ne $null){
foreach ($ace in $Recieveasacls)
{
if($ace.IdentityReference.Value -ne "S-1-5-10" -band
$ace.IdentityReference.Value -ne "S-1-5-18" -band $ace.IsInherited -ne $true){
$sidbind = "LDAP://<SID=" + $ace.IdentityReference.Value + ">"
$AceName = $ace.IdentityReference.Value
$aceuser = [ADSI]$sidbind
if ($aceuser.name -ne $null){
$AceName = $aceuser.samaccountname
}
""
" ACE UserName : " + $AceName
" Recieve As Rights"
}
}
}
}