I'm using the script listed in http://support.microsoft.com/kb/310866
to query all users that have access to a certain mailbox. However,
this works by specifying the DN for each mailbox you wish to query. I
need help creating a sub function to query all DNs to get all users
in the domain. Thanks.
CONST ADS_ACETYPE_ACCESS_ALLOWED = 0
CONST ADS_ACETYPE_ACCESS_DENIED = 1
CONST ADS_ACETYPE_SYSTEM_AUDIT = 2
CONST ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
CONST ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
CONST ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
CONST ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8
' Access-mask and ACE-flag constants referenced by the AddAce call below.
' &H1 is also the value of the Exchange "Full mailbox access" right, which is
' why the script uses it to grant full control over the mailbox.
CONST ADS_RIGHT_DS_CREATE_CHILD = &H1
CONST ADS_ACEFLAG_INHERIT_ACE = &H2
Dim objUser
Dim oSecurityDescriptor
Dim dacl
Dim ace
' ********************************************************************
' Change this variable according to your environment.
'
sUserADsPath = "LDAP://ServerName/CN=User1,CN=Users,DC=DomainName,DC=com"
sTrustee = "DomainName\UserName"
' ********************************************************************
'Get directory user object.
Set objUser = GetObject(sUserADsPath)
' Get the Mailbox security descriptor (SD). MailboxRights is exposed by the
' Exchange (CDOEXM) extension, so the Exchange System Management Tools must
' be installed on the machine that runs this script.
Set oSecurityDescriptor = objUser.MailboxRights
' Extract the Discretionary Access Control List (DACL) using the
' IADsSecurityDescriptor interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' The following block of code demonstrates how to read all the
' ACEs on a DACL for the Exchange 2000 mailbox.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
wscript.echo "Here are the existing ACEs in the mailbox's DACL:"
' Enumerate all the Access Control Entries (ACE) in the DACL using the
' IADsAccessControlList interface, displaying the current mailbox rights.
'wscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
For Each ace In dacl
' Display all the properties of the ACEs using the
' IADsAccessControlEntry interface.
MsgBox ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & _
    ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & _
    ace.InheritedObjectType
Next
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' The following block of code demonstrates adding a new ACE to the DACL
' for the Exchange 2003/2000 mailbox with the Trustee specified in sTrustee,
' which permits full control over this mailbox.
' This is the same task that is performed by Active Directory Users and
' Computers (ADUC) when you follow these steps to modify the properties of
' a user: on the Exchange Advanced tab, under Mailbox Rights, click Add,
' select the Trustee, and then select the Full Mailbox Access Rights check box.
' Similarly, you can also remove ACEs from this ACL by using the
' IADsAccessControlList.RemoveAce method.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Template: AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags,
' gFlags, gObjectType, gInheritedObjectType)
AddAce dacl, sTrustee, ADS_RIGHT_DS_CREATE_CHILD, _
ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
' Add the modified DACL to the security descriptor.
oSecurityDescriptor.DiscretionaryAcl = dacl
' Save new SD onto the user.
objUser.MailboxRights = oSecurityDescriptor
' Commit changes from the property cache to the information store.
objUser.SetInfo
MsgBox "Done viewing and modifying the mailbox security descriptor"
'********************************************************************
'*
'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'* gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'*
'* Purpose: Adds an ACE to a DACL
'* Input: dacl Object's Discretionary Access Control List
'* TrusteeName SID or Name of the trustee user account
'* gAccessMask Access Permissions
'* gAceType ACE Types
'* gAceFlags Inherit ACEs from the owner of the ACL
'* gFlags ACE has an object type or inherited object type
'* gObjectType Used for Extended Rights
'* gInheritedObjectType
'*
'* Output: Object - New DACL with the ACE added
'*
'********************************************************************
Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, _
    gFlags, gObjectType, gInheritedObjectType)
Dim Ace1
' Create a new ACE object.
Set Ace1 = CreateObject("AccessControlEntry")
Ace1.AccessMask = gAccessMask
Ace1.AceType = gAceType
Ace1.AceFlags = gAceFlags
Ace1.Flags = gFlags
Ace1.Trustee = TrusteeName
'See whether ObjectType must be set
If CStr(gObjectType) <> "0" Then
Ace1.ObjectType = gObjectType
End If
'See whether InheritedObjectType must be set.
If CStr(gInheritedObjectType) <> "0" Then
Ace1.InheritedObjectType = gInheritedObjectType
End If
dacl.AddAce Ace1
' Destroy objects.
Set Ace1 = Nothing
End Function
James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com
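The enumeration the question asks for, written as an added example that is not part of the original post or of KB 310866: it finds every mailbox-enabled user under the domain's default naming context with an ADO/LDAP query and prints the trustees in each mailbox's DACL. It is deliberately read-only; the KB script as posted also adds a Full Mailbox Access ACE and commits it with SetInfo, so looping that script unchanged over every user would grant sTrustee access to every mailbox in the domain. Assumptions: sServer is a placeholder (empty means serverless binding), the filter (homeMDB=*) is used to select mailbox-enabled users, and the fs* constant names are mine, with the bit values taken from the documented Exchange mailbox rights. Like the KB script, it needs the Exchange System Management Tools (CDOEXM) on the machine that runs it.

```vbscript
' Added example, not from KB 310866 or the original post: list the trustees
' in every mailbox DACL in the domain. Read-only, never calls SetInfo.
Option Explicit

' Exchange mailbox-right bit values as documented for MailboxRights.
' The constant names are this example's own, not the KB's.
Const fsFullMailboxAccess         = &H1
Const fsAssociatedExternalAccount = &H4
Const fsDeleteMailboxStorage      = &H10000
Const fsReadPermissions           = &H20000
Const fsChangePermissions         = &H40000
Const fsTakeOwnership             = &H80000

Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACEFLAG_INHERITED_ACE = &H10   ' ACE was inherited from a parent

' Placeholder: a domain controller name, or "" for serverless binding.
Dim sServer : sServer = ""

' Translate an access mask into the names shown on the Mailbox Rights tab.
Function DescribeMask(lMask)
    Dim s : s = ""
    If lMask And fsFullMailboxAccess Then s = s & "FullMailboxAccess "
    If lMask And fsAssociatedExternalAccount Then s = s & "AssociatedExternalAccount "
    If lMask And fsDeleteMailboxStorage Then s = s & "DeleteMailboxStorage "
    If lMask And fsReadPermissions Then s = s & "ReadPermissions "
    If lMask And fsChangePermissions Then s = s & "ChangePermissions "
    If lMask And fsTakeOwnership Then s = s & "TakeOwnership "
    If s = "" Then s = "(no mailbox-right bits set) "
    DescribeMask = Trim(s) & " [0x" & Hex(lMask) & "]"
End Function

' Print every ACE on one mailbox. sADsPath is the user's LDAP ADsPath.
Sub DumpMailboxRights(sADsPath)
    Dim objUser, oSD, dacl, ace, sKind, sInh
    On Error Resume Next
    Set objUser = GetObject(sADsPath)
    Set oSD = objUser.MailboxRights
    If Err.Number <> 0 Then
        ' Typical causes: no CDOEXM on this machine, or no right to read the SD.
        WScript.Echo "  ! cannot read MailboxRights: " & Err.Description
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0
    Set dacl = oSD.DiscretionaryAcl
    For Each ace In dacl
        If ace.AceType = ADS_ACETYPE_ACCESS_DENIED Then sKind = "DENY " Else sKind = "ALLOW"
        If ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE Then sInh = " (inherited)" Else sInh = ""
        WScript.Echo "  " & sKind & "  " & ace.Trustee & sInh & ": " & DescribeMask(ace.AccessMask)
    Next
End Sub

' Query all mailbox-enabled users (homeMDB set) under the default naming
' context with a paged ADO search, then dump each mailbox's rights.
Sub DumpAllMailboxes()
    Dim sPrefix, oRoot, sBase, oConn, oCmd, oRS
    If sServer <> "" Then sPrefix = "LDAP://" & sServer & "/" Else sPrefix = "LDAP://"
    Set oRoot = GetObject(sPrefix & "RootDSE")
    sBase = oRoot.Get("defaultNamingContext")

    Set oConn = CreateObject("ADODB.Connection")
    oConn.Provider = "ADsDSOObject"
    oConn.Open "Active Directory Provider"
    Set oCmd = CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    oCmd.CommandText = "<" & sPrefix & sBase & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(homeMDB=*));" & _
        "ADsPath,distinguishedName;subtree"
    oCmd.Properties("Page Size") = 500   ' page so large domains are not truncated

    Set oRS = oCmd.Execute
    Do Until oRS.EOF
        WScript.Echo oRS.Fields("distinguishedName").Value
        DumpMailboxRights oRS.Fields("ADsPath").Value
        oRS.MoveNext
    Loop
    oRS.Close
    oConn.Close
End Sub

DumpAllMailboxes
```

Run it with cscript (cscript //nologo ListMailboxRights.vbs) rather than wscript so the output goes to the console instead of one dialog per line, and redirect it to a file when reviewing a large domain. Trustees that show up with FullMailboxAccess on many mailboxes, or deny ACEs that are not inherited, are the entries worth a closer look.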