How to enumerate mailbox permissions using ADSI VBScript?

We can use the ADSI VBScript sample given below to enumerate mailbox permissions from the Exchange server.

NOTE: The following programming example is for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose. This sample code assumes that you are familiar with the programming language being demonstrated and the tools used to create and debug procedures. This sample code is provided for the purpose of illustration only and is not intended to be used in a production environment.

 OPTION EXPLICIT
  
 ' ACE type values (ADSI ADS_ACETYPE_ENUM), as returned by IADsAccessControlEntry.AceType.
 ' Allow and deny entries share the same AccessMask layout, so the type decides
 ' whether a listed right is granted or refused.
 Const ADS_ACETYPE_ACCESS_ALLOWED = &H00
 Const ADS_ACETYPE_ACCESS_DENIED = &H01
 Const ADS_ACETYPE_SYSTEM_AUDIT = &H02
 Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H05
 Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H06
 Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H07
 Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = &H08
 Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK = &H09
 Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK = &H0A
 Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK_OBJECT = &H0B
 Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK_OBJECT = &H0C
 Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK = &H0D
 Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK = &H0E
 Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK_OBJECT = &H0F
 Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK_OBJECT = &H10
  
 ' ACE flag bits (ADSI ADS_ACEFLAG_ENUM), as returned by IADsAccessControlEntry.AceFlags.
 ' INHERITED_ACE marks an entry that came from a parent object rather than
 ' being set on this object directly.
 Const ADS_ACEFLAG_INHERIT_ACE = &H02
 Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H04
 Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H08
 Const ADS_ACEFLAG_INHERITED_ACE = &H10
 Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1f
 Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
 Const ADS_ACEFLAG_FAILED_ACCESS = &H80
  
 ' Access-mask bits (ADSI ADS_RIGHTS_ENUM), tested against IADsAccessControlEntry.AccessMask.
 ' The first five are the standard rights (&H00010000..&H00100000); the
 ' ADS_RIGHT_DS_* values are the directory-specific low bits (&H1..&H100).
 Const ADS_RIGHT_DELETE = &H00010000
 Const ADS_RIGHT_READ_CONTROL = &H00020000
 Const ADS_RIGHT_WRITE_DAC = &H00040000
 Const ADS_RIGHT_WRITE_OWNER = &H00080000
 Const ADS_RIGHT_SYNCHRONIZE = &H00100000
 Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H01000000
 ' NOTE: &H80000000 does not fit a VBScript Long as a positive value; it is only
 ' safe to use this constant in a bitwise AND, never in a numeric comparison.
 Const ADS_RIGHT_GENERIC_READ = &H80000000
 Const ADS_RIGHT_GENERIC_WRITE = &H40000000
 Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
 Const ADS_RIGHT_GENERIC_ALL = &H10000000
 Const ADS_RIGHT_DS_CREATE_CHILD = &H00000001
 Const ADS_RIGHT_DS_DELETE_CHILD = &H00000002
 Const ADS_RIGHT_ACTRL_DS_LIST = &H00000004
 Const ADS_RIGHT_DS_SELF = &H00000008
 Const ADS_RIGHT_DS_READ_PROP = &H00000010
 Const ADS_RIGHT_DS_WRITE_PROP = &H00000020
 Const ADS_RIGHT_DS_DELETE_TREE = &H00000040
 Const ADS_RIGHT_DS_LIST_OBJECT = &H00000080
 Const ADS_RIGHT_DS_CONTROL_ACCESS = &H00000100
  
 ' 983551 = &H000F01FF: DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER (&HF0000)
 ' plus all nine ADS_RIGHT_DS_* bits (&H1FF). Not referenced elsewhere in this listing.
 Const FULLCONTROL = 983551
  
 ' Extended-right GUIDs for Receive-As and Send-As (the ObjectType of an
 ' object-specific ACE). Declared here but not referenced elsewhere in this listing;
 ' the loop below reads only the AccessMask, so Send-As/Receive-As grants are not reported.
 Const ReceiveAs = "{AB721A56-1E2F-11D0-9819-00AA0040529B}"
 Const SendAs = "{AB721A54-1E2F-11D0-9819-00AA0040529B}"
  
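 ' Module-level state. objUser, oSecurityDescriptor, dacl, ace, strAccount and
 ' strAccess are written by GetPermissions; fOutput is used by fWriteLine.
 Dim objUser
 Dim oSecurityDescriptor
 Dim dacl
 Dim ace
 Dim strOutput
 Dim strPath
 Dim strOutputPath
 Dim fso
 Dim fOutput
 Dim strAccount
 Dim strAccess
 Dim Conn
 Dim Comm
 Dim RSAll
 Dim iAdRootDSE
 Dim strNameingContext
 Dim Query
 Dim dn
  
 ' Ask for the output file name. Cancel returns "", which would otherwise be
 ' passed to CreateTextFile as an empty path, so abort instead.
 strOutput = InputBox("File Output", "", "ExportData.csv")
 If Len(Trim(strOutput)) = 0 Then
     WScript.Echo "No output file name given; nothing to do"
     WScript.Quit 1
 End If
  
 ' The output file is created in the same folder as the script.
 strPath = WScript.ScriptFullName
 strOutputPath = Left(strPath, InStrRev(strPath, "\"))
  
 ' CreateTextFile's second argument is Overwrite. The original passed 8, which
 ' VBScript coerces to True, so an existing file of that name is replaced;
 ' the same behaviour is spelled out explicitly here.
 Set fso = CreateObject("Scripting.FileSystemObject")
 Set fOutput = fso.CreateTextFile(strOutputPath & strOutput, True)
  
 ' Search the whole default naming context for mail-enabled user objects.
 Set iAdRootDSE = GetObject("LDAP://RootDSE")
 strNameingContext = iAdRootDSE.Get("defaultNamingContext")
 Query = "<LDAP://" & strNameingContext & ">;(&(mailnickname=*)(objectCategory=person)(objectClass=user));samaccountname,displayname,distinguishedName;subtree"
  
 Set Conn = CreateObject("ADODB.Connection")
 Conn.Provider = "ADsDSOObject"
 Conn.Open "ADs Provider"
  
 Set Comm = CreateObject("ADODB.Command")
 Comm.ActiveConnection = Conn
 Comm.CommandText = Query
 ' Paged search, so result sets larger than the server's page limit are still
 ' returned in full rather than silently truncated.
 Comm.Properties("Page Size") = 1000
  
 Set RSAll = Comm.Execute
  
 While Not RSAll.EOF
     ' A forward slash inside a DN must be escaped before the DN is used as an ADsPath.
     dn = "LDAP://" & Replace(RSAll.Fields("distinguishedName").Value, "/", "\/")
     GetPermissions dn
     RSAll.MoveNext
 Wend
  
 ' Release the directory objects and flush the output file before exiting;
 ' the original relied on process exit to do this.
 RSAll.Close
 Conn.Close
 fOutput.Close
  
 WScript.Echo "Done viewing the security descriptor"
 WScript.Quit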
     
  
 '====================================================================
 ' Get the msExchMailboxSecurityDescriptor attribute and break it down
 '====================================================================
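 sub GetPermissions(DN)
 ' Read the msExchMailboxSecurityDescriptor attribute of the user object at
 ' ADsPath DN and write one entry per ACE of its DACL to the output file.
 '   DN - ADsPath of the user object ("LDAP://<distinguishedName>").
 ' Writes through fWriteLine and updates the module-level objUser,
 ' oSecurityDescriptor, dacl, ace, strAccount and strAccess.
 ' Each ACE is reported with its type (ALLOW / DENY) and whether it is
 ' inherited, so a deny entry is not mistaken for a grant of the same rights.
 ' An object that has no msExchMailboxSecurityDescriptor is reported and
 ' skipped instead of aborting the whole run.
 Dim strAceType
 Dim strInherited
  
 'Get directory user object.
 Set objUser = GetObject(DN)
 'Here we can use Display name as well to print.
 strAccount = objUser.Get("samAccountName")
 'strAccount = objUser.Get("displayName")
 fWriteLine("*Permission Info for :" & strAccount & vbcrlf)
  
 ' Get raises when the attribute is not set on this object (the search filter
 ' only requires mailnickname, so not every hit is guaranteed to carry it).
 On Error Resume Next
 Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")
 If Err.Number <> 0 Then
     fWriteLine(" (no msExchMailboxSecurityDescriptor on this object: " & Err.Description & ")")
     Err.Clear
     On Error GoTo 0
     Exit Sub
 End If
 On Error GoTo 0
  
 Set dacl = oSecurityDescriptor.DiscretionaryAcl
 ' For Each assigns each entry to ace directly; no separate
 ' AccessControlEntry instance has to be created first.
  
 For Each ace In dacl
 ' Display all the properties of the ACEs using the IADsAccessControlEntry interface.
  
 ' Allow and deny entries carry the same AccessMask bits; report the type so a
 ' DENY of "Full Rights" is not read as a grant.
 Select Case ace.AceType
     Case ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
         strAceType = "ALLOW"
     Case ADS_ACETYPE_ACCESS_DENIED, ADS_ACETYPE_ACCESS_DENIED_OBJECT
         strAceType = "DENY"
     Case Else
         strAceType = "AceType " & ace.AceType
 End Select
  
 ' INHERITED_ACE marks an entry that came from a parent object rather than
 ' being set on this mailbox directly.
 If (ace.AceFlags AND ADS_ACEFLAG_INHERITED_ACE) Then
     strInherited = " (inherited)"
 Else
     strInherited = ""
 End If
  
 strAccess = "Access Mask: " & vbcrlf
  
 ' Each tested bit is labelled with the mailbox-rights name it corresponds to.
 if (ace.AccessMask AND ADS_RIGHT_DELETE ) then strAccess = strAccess & " Delete Permission" & vbcrlf
 if (ace.AccessMask AND ADS_RIGHT_READ_CONTROL ) then strAccess = strAccess & " Read Permission " & vbcrlf
 if (ace.AccessMask AND ADS_RIGHT_WRITE_DAC ) then strAccess = strAccess & " Change Permission" & vbcrlf
 if (ace.AccessMask AND ADS_RIGHT_WRITE_OWNER ) then strAccess = strAccess & " Take Ownership " & vbcrlf
 if (ace.AccessMask AND ADS_RIGHT_ACTRL_DS_LIST ) then strAccess = strAccess & " Associated External Account" & vbcrlf
 if (ace.AccessMask AND ADS_RIGHT_DS_CREATE_CHILD ) then strAccess = strAccess & " Full Rights " & vbcrlf
  
 fWriteLine("*==========================================================================*")
 'fWriteLine("* RAW Info:" & vbcrlf & "TRUSTEE :" & vbcrlf & " " & ace.Trustee & vbcrlf & _
 '"AccessMask:" & vbcrlf & " " & ace.AccessMask & vbcrlf & _
 '"AceType :" & vbcrlf & " " & ace.AceType & vbcrlf & _
 '"AceFlags :" & vbcrlf & " " & ace.AceFlags & vbcrlf & _
 '"Flags :" & vbcrlf & " " & ace.Flags & vbcrlf & _
 '"ObjectType:" & vbcrlf & " " & ace.ObjectType & vbcrlf & _
 '"Inherited :" & vbcrlf & " " & ace.InheritedObjectType)
  
 'fWriteLine("*--------------------------------------------------------------------------*")
 fWriteLine("* Access Info:" & vbcrlf & "TRUSTEE :" & vbcrlf & " " & ace.Trustee & vbcrlf & "ACE Type: " & strAceType & strInherited & vbcrlf & strAccess)
 Next
  
  
 End Sub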
  
  
 '====================================================================
 ' Write the data to a file
 '====================================================================
 sub fWriteLine(data)
 ' Append one line of text to the module-level output file fOutput.
 '   data - text to write; WriteLine adds the line terminator.
 Call fOutput.WriteLine(data)
 end sub

For a version of the above script that uses CDOEXM, check out my colleague's post at https://blogs.msdn.com/vikas/archive/2008/11/01/howto-programmatically-enumerate-permissions-on-exchange-2003-mailbox-store.aspx

Comments

  • Anonymous
    March 27, 2009
    PingBack from http://www.anith.com/?p=23822
  • Anonymous
    July 20, 2014
    For all those who wonder what kind of information this script finds: it shows the information contained in the msExchMailboxSecurityDescriptor attribute of an LDAP object, which does not necessarily match the "real" mailbox settings, because the LDAP copy is not updated when the real mailbox settings are changed.