다음을 통해 공유

How enumerate mailbox permission using ADSI VBScript?

  • 아티클

We can use ADSI VBScript sample given below to enumerate mailbox permission from the exchange server.

NOTE: Following programming examples is for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose. This sample code assumes that you are familiar with the programming language being demonstrated and the tools used to create and debug procedures. This sample code is provided for the purpose of illustration only and is not intended to be used in a production environment.

 OPTION EXPLICIT

  

 Const ADS_ACETYPE_ACCESS_ALLOWED = &H00

 Const ADS_ACETYPE_ACCESS_DENIED = &H01

 Const ADS_ACETYPE_SYSTEM_AUDIT = &H02

 Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H05

 Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H06

 Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H07

 Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = &H08

 Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK = &H09

 Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK = &H0A

 Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK_OBJECT = &H0B

 Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK_OBJECT = &H0C

 Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK = &H0D

 Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK = &H0E

 Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK_OBJECT = &H0F

 Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK_OBJECT = &H10

  

 Const ADS_ACEFLAG_INHERIT_ACE = &H02

 Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H04

 Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H08

 Const ADS_ACEFLAG_INHERITED_ACE = &H10

 Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1f

 Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40

 Const ADS_ACEFLAG_FAILED_ACCESS = &H80

  

 Const ADS_RIGHT_DELETE = &H00010000

 Const ADS_RIGHT_READ_CONTROL = &H00020000

 Const ADS_RIGHT_WRITE_DAC = &H00040000

 Const ADS_RIGHT_WRITE_OWNER = &H00080000

 Const ADS_RIGHT_SYNCHRONIZE = &H00100000

 Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H01000000

 Const ADS_RIGHT_GENERIC_READ = &H80000000

 Const ADS_RIGHT_GENERIC_WRITE = &H40000000

 Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000

 Const ADS_RIGHT_GENERIC_ALL = &H10000000

 Const ADS_RIGHT_DS_CREATE_CHILD = &H00000001

 Const ADS_RIGHT_DS_DELETE_CHILD = &H00000002

 Const ADS_RIGHT_ACTRL_DS_LIST = &H00000004

 Const ADS_RIGHT_DS_SELF = &H00000008

 Const ADS_RIGHT_DS_READ_PROP = &H00000010

 Const ADS_RIGHT_DS_WRITE_PROP = &H00000020

 Const ADS_RIGHT_DS_DELETE_TREE = &H00000040

 Const ADS_RIGHT_DS_LIST_OBJECT = &H00000080

 Const ADS_RIGHT_DS_CONTROL_ACCESS = &H00000100

  

 Const FULLCONTROL = 983551

  

 Const ReceiveAs = "{AB721A56-1E2F-11D0-9819-00AA0040529B}"

 Const SendAs = "{AB721A54-1E2F-11D0-9819-00AA0040529B}"

  

 Dim objUser

 Dim oSecurityDescriptor 

 Dim dacl 

 Dim ace 

 Dim strOutput

 Dim strPath

 Dim strOutputPath

 Dim fso

 Dim fOutput

 Dim strAccount 

 Dim strAccess

 Dim Conn

 Dim Comm

 Dim RSAll

 Dim iAdRootDSE

 Dim strNameingContext

 Dim Query

  

  

 strOutput = InputBox("File Output", "", "ExportData.csv")

  

 strPath = WScript.ScriptFullName

 stroutputPath = Left(strPath, InStrRev(strPath, "\"))

  

 set fso = CreateObject("Scripting.FileSystemObject")

 set fOutput = fso.CreateTextFile(strOutputPath & strOutput, 8)

  

  

 Set iAdRootDSE = GetObject("LDAP://RootDSE")

 strNameingContext = iAdRootDSE.Get("defaultNamingContext")

 Query = "<LDAP://" & strNameingContext & ">;(&(mailnickname=*)(objectCategory=person)(objectClass=user));samaccountname,displayname,distinguishedName;subtree"

  

  

 set conn = createobject("ADODB.Connection")

  

 Conn.Provider = "ADsDSOObject"

 Conn.Open "ADs Provider"

  

 set comm = createobject("ADODB.Command")

 Comm.ActiveConnection = conn

 Comm.CommandText = Query

 Comm.Properties("Page Size") = 1000

  

 Set RsAll = Comm.Execute

  

 Dim dn

 While Not RSAll.EOF

     dn = "LDAP://" & replace(RSAll.Fields("distinguishedName").Value,"/","\/")

     GetPermissions(dn)

     RSAll.movenext

 Wend

  

 WScript.Echo "Done viewing the security descriptor"

 WScript.Quit

     

  

 '====================================================================

 ' Get the msExchMailboxSecurityDescriptor attribute and break it down

 '====================================================================

 sub GetPermissions(DN)

  

 'Get directory user object.

 Set objUser = GetObject(DN)

 'Here we can use Display name as well to print.

 strAccount = objUser.Get("samAccountName")

 'strAccount = objUser.Get("displayName")

 fWriteLine("*Permission Info for :" & strAccount & vbcrlf) 

 Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")

  

 Set dacl = oSecurityDescriptor.DiscretionaryAcl

 Set ace = CreateObject("AccessControlEntry")

  

 For Each ace In dacl

 ' Display all the properties of the ACEs using the IADsAccessControlEntry interface.

  

 strAccess = "Access Mask: " & vbcrlf

  

 if (ace.AccessMask AND ADS_RIGHT_DELETE ) then strAccess = strAccess & " Delete Permission" & vbcrlf

 if (ace.AccessMask AND ADS_RIGHT_READ_CONTROL ) then strAccess = strAccess & " Read Permission " & vbcrlf

 if (ace.AccessMask AND ADS_RIGHT_WRITE_DAC ) then strAccess = strAccess & " Change Permission" & vbcrlf

 if (ace.AccessMask AND ADS_RIGHT_WRITE_OWNER ) then strAccess = strAccess & " Take Ownership " & vbcrlf

 if (ace.AccessMask AND ADS_RIGHT_ACTRL_DS_LIST ) then strAccess = strAccess & " Associated External Account" & vbcrlf

 if (ace.AccessMask AND ADS_RIGHT_DS_CREATE_CHILD ) then strAccess = strAccess & " Full Rights " & vbcrlf

  

 fWriteLine("*==========================================================================*")

 'fWriteLine("* RAW Info:" & vbcrlf & "TRUSTEE :" & vbcrlf & " " & ace.Trustee & vbcrlf & _

 '"AccessMask:" & vbcrlf & " " & ace.AccessMask & vbcrlf & _

 '"AceType :" & vbcrlf & " " & ace.AceType & vbcrlf & _

 '"AceFlags :" & vbcrlf & " " & ace.AceFlags & vbcrlf & _

 '"Flags :" & vbcrlf & " " & ace.Flags & vbcrlf & _

 '"ObjectType:" & vbcrlf & " " & ace.ObjectType & vbcrlf & _

 '"Inherited :" & vbcrlf & " " & ace.InheritedObjectType)

  

 'fWriteLine("*--------------------------------------------------------------------------*")

 fWriteLine("* Access Info:" & vbcrlf & "TRUSTEE :" & vbcrlf & " " & ace.Trustee & vbcrlf & strAccess)

 Next

  

  

 End Sub

  

  

 '====================================================================

 ' Write the data to a file

 '====================================================================

 sub fWriteLine(data)

 fOutput.WriteLine data

 end sub

For a version of the above script which uses CDOEXM checkout my colleague's post @ https://blogs.msdn.com/vikas/archive/2008/11/01/howto-programmatically-enumerate-permissions-on-exchange-2003-mailbox-store.aspx

Comments

  • Anonymous
    March 27, 2009
    PingBack from http://www.anith.com/?p=23822
  • Anonymous
    July 20, 2014
    For all those who wonder what kind of information is found by this script: It shows information contained in the SecurityDescriptor msExchMailboxSecurityDescriptor of an LDAP object, which does not necessarily match the "real" mailbox settings as the LDAP information is not updated if the real mailbox settings are changed.