Audit Exchange Mailbox Permissions IMailboxStore
I'm using the script listed in http://support.microsoft.com/kb/310866 to query all users that have access to a certain mailbox. However, this works by specifying the dn for each mailbox you wish to query. I need help creating a sub function to query all dn's to get all users in the domain. Thanks.

CONST ADS_ACETYPE_ACCESS_ALLOWED = 0
CONST ADS_ACETYPE_ACCESS_DENIED = 1
CONST ADS_ACETYPE_SYSTEM_AUDIT = 2
CONST ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
CONST ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
CONST ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
CONST ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8
' Rights and flag constants used by the AddAce call below. They were missing from
' the pasted script; without them VBScript treats the names as Empty (0).
CONST ADS_RIGHT_DS_CREATE_CHILD = &H1   ' shown as "Full mailbox access" under Mailbox Rights
CONST ADS_ACEFLAG_INHERIT_ACE = &H2

Dim objUser
Dim oSecurityDescriptor
Dim dacl
Dim ace

' ********************************************************************
' Change this variable according to your environment.
'
sUserADsPath = "LDAP://ServerName/CN=User1,CN=Users,DC=DomainName,DC=com"
sTrustee = "DomainName\UserName"
' ********************************************************************

'Get directory user object.
Set objUser = GetObject(sUserADsPath)

' Get the Mailbox security descriptor (SD).
Set oSecurityDescriptor = objUser.MailboxRights

' Extract the Discretionary Access Control List (DACL) using the
' IADsSecurityDescriptor interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' The following block of code demonstrates how to read all the
' ACEs on a DACL for the Exchange 2000 mailbox.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
wscript.echo "Here are the existing ACEs in the mailbox's DACL:"

' Enumerate all the Access Control Entries (ACE) in the DACL using the
' IADsAccessControlList interface, therefore displaying the current mailbox rights.
'wscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"

For Each ace In dacl
    ' Display all the properties of the ACEs using the IADsAccessControlEntry interface.
    msgbox ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & ", " & _
           ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & _
           ace.InheritedObjectType
Next

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' The following block of code demonstrates adding a new ACE to the DACL
' for the Exchange 2003/2000 mailbox with the Trustee specified in sTrustee,
' which permits full control over this mailbox.
' This is the same task that is performed by ADUnC when you follow these
' steps to modify the properties of a user: on the Exchange Advanced tab,
' under Mailbox Rights, click Add, select the Trustee, and then select the
' Full Mailbox Access Rights check box.
' Similarly, you can also remove ACEs from this ACL by using the
' IADsAccessControlEntry interfaces.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

' Template: AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
AddAce dacl, sTrustee, ADS_RIGHT_DS_CREATE_CHILD, _
       ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0

' Add the modified DACL to the security descriptor.
oSecurityDescriptor.DiscretionaryAcl = dacl

' Save new SD onto the user.
objUser.MailboxRights = oSecurityDescriptor

' Commit changes from the property cache to the information store.
objUser.SetInfo

MsgBox "Done viewing and modifying the mailbox security descriptor"

'********************************************************************
'*
'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'*                 gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'*
'* Purpose: Adds an ACE to a DACL
'* Input:   dacl                  Object's Discretionary Access Control List
'*          TrusteeName           SID or Name of the trustee user account
'*          gAccessMask           Access Permissions
'*          gAceType              ACE Types
'*          gAceFlags             Inherit ACEs from the owner of the ACL
'*          gFlags                ACE has an object type or inherited object type
'*          gObjectType           Used for Extended Rights
'*          gInheritedObjectType
'*
'* Output:  Object - New DACL with the ACE added
'*
'********************************************************************
Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    ' Create a new ACE object.
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName

    'See whether ObjectType must be set.
    If CStr(gObjectType) <> "0" Then
        Ace1.ObjectType = gObjectType
    End If

    'See whether InheritedObjectType must be set.
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If

    dacl.AddAce Ace1

    ' Destroy objects.
    Set Ace1 = Nothing
End Function

James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

James,
Any news about this script? I'm needing to implement an auditing report too. Using a script to generate the report is great!

On Mar 13, 12:46 pm, "Jamestechman" <jamestech***@gmail.com> wrote:
> [the original post, quoted in full]

I have quickly hacked this together from different sources, because I
needed it too. It should not be an example of clean code by any means,
but it should get you started.
Code:
--------------------
On Error Resume Next   ' required: the Err check below and the HomeMDB test on
                       ' objects without a mailbox both rely on it

strTargetOU = "OU=Users,DC=domain,DC=local"
bDebug = False         ' set to True to log each sub-OU entered

Dim objContainer

'Open LDAP connection
Set objContainer = GetObject("LDAP://" & strTargetOU)
If Err.Number <> 0 Then
    strError = "Error [" & Err.Number & "]: " & Err.Description
    WScript.Echo strError
    WScript.Quit(0)
End If

'Enumerate through selected OU
EnumerateUsers objContainer

'Clean Up
Set objContainer = Nothing
WScript.Quit(0)

Sub EnumerateUsers(objCont)
    Dim objUser
    For Each objUser In objCont
        Select Case LCase(objUser.Class)
            Case "user", "group"
                'check if user has a mailbox (HomeMDB is absent on objects without one)
                If Not objUser.HomeMDB = "" Then GetAccRights objUser
            Case "organizationalunit", "container"
                If bDebug Then WriteLog "Entering Sub OU: " & objUser.Name
                EnumerateUsers objUser
        End Select
    Next
End Sub

Sub WriteLog(strMsg)
    WScript.Echo strMsg
End Sub

Sub GetAccRights(objUser)
    Dim oSecurityDescriptor
    Dim dacl
    Dim ace

    ' Get the Mailbox security descriptor (SD).
    Set oSecurityDescriptor = objUser.MailboxRights

    ' Extract the Discretionary Access Control List (DACL) using the
    ' IADsSecurityDescriptor interface.
    Set dacl = oSecurityDescriptor.DiscretionaryAcl
    Set ace = CreateObject("AccessControlEntry")

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' The following block of code demonstrates how to read all the
    ' ACEs on a DACL for the Exchange 2000 mailbox.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Enumerate all the Access Control Entries (ACE) in the DACL using the
    ' IADsAccessControlList interface, therefore displaying the current mailbox rights.
    'wscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"

    For Each ace In dacl
        ' Display all the properties of the ACEs using the IADsAccessControlEntry interface.
        wscript.echo objUser.name & ", " & ace.Trustee & ", " & ace.AccessMask & ", " & _
                     ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
                     ace.ObjectType & ", " & ace.InheritedObjectType
    Next
End Sub
--------------------

--
irmo
------------------------------------------------------------------------
irmo's Profile: http://forums.techarena.in/member.php?userid=33487
View this thread: http://forums.techarena.in/showthread.php?t=704459
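The rows that irmo's script echoes (and the ACE fields the original post walks through) still have to be decoded before they are useful for a mailbox-rights audit. The following Python is an added example, not code from the thread: it parses the "name, trustee, AccessMask, AceType, AceFlags, Flags, ObjectType, InheritedObjectType" rows, decodes the AccessMask bits (0x1 is the ADS_RIGHT_DS_CREATE_CHILD bit the thread's AddAce call sets; the other labels are the assumed Exchange 2003 mapping of the standard ADSI rights bits), and lists explicit Full Mailbox Access grants to anyone other than the mailbox owner. The sample rows are constructed.

```python
from dataclasses import dataclass

# AccessMask bits as Exchange 2003 shows them under Mailbox Rights. 0x1 is
# ADS_RIGHT_DS_CREATE_CHILD, the bit the thread's AddAce call sets; the other
# labels are the assumed mapping of the standard ADSI rights bits.
MAILBOX_RIGHTS = {0x1: "Full mailbox access", 0x4: "Associated external account",
                  0x10000: "Delete mailbox storage", 0x20000: "Read permissions",
                  0x40000: "Change permissions", 0x80000: "Take ownership"}
ADS_ACETYPE_ACCESS_ALLOWED = 0     # AceType value from the thread's CONST block
ADS_ACEFLAG_INHERITED_ACE = 0x10   # AceFlags bit: ACE came from a parent object

@dataclass
class MailboxAce:
    mailbox: str
    trustee: str
    access_mask: int
    ace_type: int
    ace_flags: int

    def rights(self):
        return [name for bit, name in MAILBOX_RIGHTS.items() if self.access_mask & bit]

    def is_explicit_full_access(self):
        # Allow ACE set directly on this mailbox that grants full access to
        # someone other than the owner (NT AUTHORITY\SELF): review these first.
        return bool(self.ace_type == ADS_ACETYPE_ACCESS_ALLOWED
                    and self.access_mask & 0x1
                    and not self.ace_flags & ADS_ACEFLAG_INHERITED_ACE
                    and self.trustee.upper() != r"NT AUTHORITY\SELF")

def parse_line(line):
    # Row layout echoed by the script: name, trustee, AccessMask, AceType, AceFlags,
    # Flags, ObjectType, InheritedObjectType. Split from the right so an escaped
    # comma inside the CN (CN=Doe\, Jane) does not shift the numeric fields.
    head, mask, ace_type, ace_flags, _, _, _ = [f.strip() for f in line.rsplit(",", 6)]
    mailbox, trustee = [f.strip() for f in head.rsplit(",", 1)]
    # VBScript prints the mask as a signed 32-bit Long; normalise to unsigned.
    return MailboxAce(mailbox, trustee, int(mask) & 0xFFFFFFFF, int(ace_type), int(ace_flags))

def audit(lines):
    # The ACEs a reviewer should look at first.
    return [ace for ace in map(parse_line, lines) if ace.is_explicit_full_access()]
# Constructed sample of the script's output (not real directory data).
SAMPLE_OUTPUT = [
    r"CN=User1, NT AUTHORITY\SELF, 131073, 0, 0, 0, , ",
    r"CN=User1, DOMAIN\helpdesk, 1, 0, 2, 0, , ",
    r"CN=User1, DOMAIN\Domain Admins, 1, 1, 0, 0, , ",
    r"CN=Doe\, Jane, DOMAIN\svc-backup, 65536, 0, 18, 0, , ",
    r"CN=Doe\, Jane, DOMAIN\Exchange Admins, 1, 0, 16, 0, , ",
]
```

Feed it the captured output of the script (`cscript //nologo audit.vbs > rights.txt`) one line at a time via `audit(open("rights.txt"))`; inherited and Deny ACEs are parsed but not flagged, so extend `is_explicit_full_access` if your review policy treats them differently.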