
Thread: Audit Exchange Mailbox Permissions IMailboxStore

  1. #1
    Jamestechman Guest

    Audit Exchange Mailbox Permissions IMailboxStore

    I'm using the script listed in http://support.microsoft.com/kb/310866
    to query all users that have access to a certain mailbox. However,
    this works by specifying the DN for each mailbox you wish to query. I
    need help creating a sub function to query all DNs to get all users
    in the domain. Thanks.



    CONST ADS_ACETYPE_ACCESS_ALLOWED = 0
    CONST ADS_ACETYPE_ACCESS_DENIED = 1
    CONST ADS_ACETYPE_SYSTEM_AUDIT = 2
    CONST ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
    CONST ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
    CONST ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
    CONST ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8
    ' Values used by the AddAce call below (ADS_RIGHTS_ENUM / ADS_ACEFLAG_ENUM).
    ' Without these declarations VBScript silently treats the names as Empty (0)
    ' and the ACE is written with an empty access mask.
    CONST ADS_RIGHT_DS_CREATE_CHILD = &H1   ' "Full mailbox access" in MailboxRights
    CONST ADS_ACEFLAG_INHERIT_ACE = &H2
    Dim objUser
    Dim oSecurityDescriptor
    Dim dacl
    Dim ace

    ' ********************************************************************
    ' Change these variables according to your environment.
    '
    sUserADsPath = "LDAP://ServerName/CN=User1,CN=Users,DC=DomainName,DC=com"
    sTrustee = "DomainName\UserName"
    ' ********************************************************************

    ' Get the directory user object.
    Set objUser = GetObject(sUserADsPath)

    ' Get the mailbox security descriptor (SD).
    Set oSecurityDescriptor = objUser.MailboxRights

    ' Extract the Discretionary Access Control List (DACL) using the
    ' IADsSecurityDescriptor interface.
    Set dacl = oSecurityDescriptor.DiscretionaryAcl
    Set ace = CreateObject("AccessControlEntry")

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' The following block of code demonstrates how to read all the
    ' ACEs on a DACL for the Exchange 2000 mailbox.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    wscript.echo "Here are the existing ACEs in the mailbox's DACL:"

    ' Enumerate all the Access Control Entries (ACEs) in the DACL using the
    ' IADsAccessControlList interface, thereby displaying the current mailbox rights.
    'wscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"

    For Each ace In dacl
        ' Display all the properties of the ACE using the IADsAccessControlEntry interface.
        msgbox ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & _
               ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & _
               ace.InheritedObjectType
    Next

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' The following block of code demonstrates adding a new ACE to the DACL
    ' for the Exchange 2003/2000 mailbox with the Trustee specified in sTrustee,
    ' which permits full control over this mailbox.
    ' This is the same task that is performed by ADUnC when you follow these
    ' steps to modify the properties of a user: on the Exchange Advanced tab,
    ' under Mailbox Rights, click Add, select the Trustee, and then select the
    ' Full Mailbox Access Rights check box.
    ' Similarly, you can also remove ACEs from this ACL by using the
    ' IADsAccessControlList interface (RemoveAce).
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    ' Template: AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags,
    '                  gFlags, gObjectType, gInheritedObjectType)
    AddAce dacl, sTrustee, ADS_RIGHT_DS_CREATE_CHILD, _
           ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0

    ' Put the modified DACL back into the security descriptor.
    oSecurityDescriptor.DiscretionaryAcl = dacl

    ' Save the new SD onto the user.
    objUser.MailboxRights = oSecurityDescriptor

    ' Commit changes from the property cache to the directory
    ' (the mailbox SD is stored on the user object).
    objUser.SetInfo

    MsgBox "Done viewing and modifying the mailbox security descriptor"
    '********************************************************************
    '*
    '* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
    '*                 gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    '*
    '* Purpose: Adds an ACE to a DACL
    '* Input:   dacl                  Object's Discretionary Access Control List
    '*          TrusteeName           SID or name of the trustee user account
    '*          gAccessMask           Access permissions
    '*          gAceType              ACE type
    '*          gAceFlags             Inheritance flags for the ACE
    '*          gFlags                ACE has an object type or inherited object type
    '*          gObjectType           Used for extended rights
    '*          gInheritedObjectType
    '*
    '* Output:  The DACL passed in, with the ACE added
    '*
    '********************************************************************

    Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, _
                    gFlags, gObjectType, gInheritedObjectType)
        Dim Ace1
        ' Create a new ACE object.
        Set Ace1 = CreateObject("AccessControlEntry")
        Ace1.AccessMask = gAccessMask
        Ace1.AceType = gAceType
        Ace1.AceFlags = gAceFlags
        Ace1.Flags = gFlags
        Ace1.Trustee = TrusteeName
        ' See whether ObjectType must be set.
        If CStr(gObjectType) <> "0" Then
            Ace1.ObjectType = gObjectType
        End If

        ' See whether InheritedObjectType must be set.
        If CStr(gInheritedObjectType) <> "0" Then
            Ace1.InheritedObjectType = gInheritedObjectType
        End If
        dacl.AddAce Ace1

        ' Destroy objects.
        Set Ace1 = Nothing
    End Function




    James Chong (MVP)
    MCSE | M+, S+, MCTS, Security+
    msexchangetips.blogspot.com


  2. #2
    Guido Guest

    Re: Audit Exchange Mailbox Permissions IMailboxStore

    James,

    Any news about this script? I'm needing to implement auditing
    reporting too. Using a script to generate the report is great!

  3. #3
    Join Date: Oct 2007, Posts: 1

    This should get you started

    I have quickly hacked this together from different sources, because I needed it too. It should not be an example of clean code by any means, but it should get you started.

    Code:
    strTargetOU = "OU=Users,DC=domain,DC=local"
    bDebug = False

    Dim objContainer

    ' Open the LDAP connection; report a bad OU path instead of dying on it.
    On Error Resume Next
    Set objContainer = GetObject("LDAP://" & strTargetOU)
    If Err.Number <> 0 Then
        strError = "Error [" & Err.Number & "]: " & Err.Description
        WScript.Echo strError
        WScript.Quit(1)
    End If
    On Error GoTo 0

    ' Walk the selected OU and everything beneath it.
    EnumerateUsers objContainer

    ' Clean up.
    Set objContainer = Nothing
    WScript.Quit(0)

    Sub WriteLog(strMsg)
        WScript.Echo "# " & strMsg
    End Sub

    Sub EnumerateUsers(objCont)
        Dim objUser
        For Each objUser In objCont
            Select Case LCase(objUser.Class)
                Case "user", "group"
                    ' Only mailbox-enabled objects carry MailboxRights.
                    If HasMailbox(objUser) Then GetAccRights objUser
                Case "organizationalunit", "container"
                    If bDebug Then WriteLog "Entering sub OU: " & objUser.Name
                    EnumerateUsers objUser
            End Select
        Next
    End Sub

    ' homeMDB is absent on objects without a mailbox, and reading an unset
    ' attribute raises an ADSI error, so test it under a local error handler.
    Function HasMailbox(objUser)
        Dim strHomeMDB
        On Error Resume Next
        strHomeMDB = objUser.Get("homeMDB")
        If Err.Number <> 0 Then
            strHomeMDB = ""
            Err.Clear
        End If
        On Error GoTo 0
        HasMailbox = (strHomeMDB <> "")
    End Function

    Sub GetAccRights(objUser)
        Dim oSecurityDescriptor
        Dim dacl
        Dim ace

        ' Get the mailbox security descriptor (SD).
        Set oSecurityDescriptor = objUser.MailboxRights

        ' Extract the DACL using the IADsSecurityDescriptor interface.
        Set dacl = oSecurityDescriptor.DiscretionaryAcl

        ' Enumerate every ACE in the DACL (IADsAccessControlList) and print the
        ' raw IADsAccessControlEntry properties, one line per ACE, in the order
        ' Name, Trustee, AccessMask, AceType, AceFlags, Flags, ObjectType,
        ' InheritedObjectType.
        'WScript.Echo "Name, Trustee, AccessMask, AceType, AceFlags, Flags, ObjectType, InheritedObjectType"
        For Each ace In dacl
            WScript.Echo objUser.Name & ", " & ace.Trustee & ", " & ace.AccessMask & ", " & _
                         ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
                         ace.ObjectType & ", " & ace.InheritedObjectType
        Next
    End Sub

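Both scripts in this thread print the ACE fields as raw numbers (AccessMask, AceType, AceFlags), so the actual audit question, who besides the owner can open a given mailbox, still has to be answered by hand. The following is an added example, not code from the thread or from KB 310866: a Python post-processor for the rows that GetAccRights in post #3 echoes (the same fields post #1's msgbox shows). The bit names follow the documented mailbox-rights values for the MailboxRights property (0x1, Full mailbox access, is the ADS_RIGHT_DS_CREATE_CHILD value post #1's AddAce grants), AceType 0/1 follows the constants at the top of post #1, and 0x10 in AceFlags is the standard INHERITED_ACE bit. The DEFAULT_TRUSTEES skip set and the sample rows are constructed for illustration and should be adjusted for your own environment.

```python
"""Decode the raw ACE rows the thread's VBScript echoes into mailbox rights."""
from dataclasses import dataclass

# Bits carried in ace.AccessMask for an Exchange 2000/2003 MailboxRights SD.
# 0x1 is the ADS_RIGHT_DS_CREATE_CHILD value the first post's AddAce grants.
MAILBOX_RIGHTS = {
    0x01: "Full mailbox access",          # ADS_RIGHT_DS_CREATE_CHILD
    0x02: "Delete mailbox storage",       # ADS_RIGHT_DS_DELETE_CHILD
    0x04: "Read permissions",             # ADS_RIGHT_ACTRL_DS_LIST
    0x08: "Change permissions",           # ADS_RIGHT_DS_SELF
    0x10: "Take ownership",               # ADS_RIGHT_DS_READ_PROP
    0x20: "Associated external account",  # ADS_RIGHT_DS_WRITE_PROP
}
FULL_MAILBOX_ACCESS = 0x01
ACE_ALLOWED, ACE_DENIED = 0, 1            # ADS_ACETYPE_ACCESS_ALLOWED / _DENIED
ACEFLAG_INHERITED_ACE = 0x10              # ACE was inherited from a parent object

# Assumption for illustration: trustees present on every mailbox by default,
# which a "who else can read this mailbox" report should not flag.
DEFAULT_TRUSTEES = {"NT AUTHORITY\\SELF"}


@dataclass
class MailboxAce:
    mailbox: str
    trustee: str
    mask: int
    ace_type: int
    ace_flags: int

    @property
    def rights(self):
        return [name for bit, name in MAILBOX_RIGHTS.items() if self.mask & bit]

    @property
    def inherited(self):
        return bool(self.ace_flags & ACEFLAG_INHERITED_ACE)

    def describe(self):
        kind = {ACE_ALLOWED: "Allow", ACE_DENIED: "Deny"}.get(self.ace_type, f"type {self.ace_type}")
        tag = " (inherited)" if self.inherited else ""
        return f"{self.mailbox}: {kind} {self.trustee} -> {', '.join(self.rights) or 'none'}{tag}"


def parse_line(line):
    """One echoed row: Name, Trustee, AccessMask, AceType, AceFlags, Flags,
    ObjectType, InheritedObjectType.  Split from the right because a CN such
    as 'CN=Doe\\, Jane' contains the ', ' separator itself."""
    parts = line.rstrip("\r\n").rsplit(", ", 7)
    if len(parts) != 8:
        raise ValueError(f"unexpected field count in {line!r}")
    mailbox, trustee, mask, ace_type, ace_flags = parts[:5]
    return MailboxAce(mailbox, trustee, int(mask), int(ace_type), int(ace_flags))


def full_access_grants(lines, skip=DEFAULT_TRUSTEES):
    """(mailbox, trustee, inherited) for every Allow ACE that includes Full
    mailbox access and whose trustee is not in the skip set.  Deny ACEs are
    left out because they remove access rather than grant it."""
    skip_upper = {t.upper() for t in skip}
    grants = []
    for ace in map(parse_line, lines):
        if ace.ace_type != ACE_ALLOWED or not ace.mask & FULL_MAILBOX_ACCESS:
            continue
        if ace.trustee.upper() in skip_upper:
            continue
        grants.append((ace.mailbox, ace.trustee, ace.inherited))
    return grants


# Constructed sample output in the exact shape GetAccRights echoes it
# (ObjectType and InheritedObjectType are empty on mailbox-rights ACEs).
SAMPLE_OUTPUT = [
    "CN=Doe\\, Jane, NT AUTHORITY\\SELF, 1, 0, 0, 0, , ",
    "CN=Doe\\, Jane, CONTOSO\\svc-backup, 1, 0, 0, 0, , ",
    "CN=Doe\\, Jane, CONTOSO\\jsmith, 1, 0, 16, 0, , ",       # inherited entry
    "CN=Doe\\, Jane, CONTOSO\\auditor, 4, 0, 0, 0, , ",       # Read permissions only
    "CN=Doe\\, Jane, CONTOSO\\contractor, 1, 1, 0, 0, , ",    # explicit Deny
]

if __name__ == "__main__":
    for row in SAMPLE_OUTPUT:
        print(parse_line(row).describe())
    for mailbox, trustee, inherited in full_access_grants(SAMPLE_OUTPUT):
        print(f"REVIEW {mailbox}: {trustee}{' (inherited)' if inherited else ''}")
```

Pipe the VBScript's output into a file and feed its lines to full_access_grants; inherited entries (AceFlags bit 0x10) are worth listing separately, since they come from the mailbox store or a parent container and will not show up on the user's own Exchange Advanced tab as an explicit grant.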