I'm using the following to audit mailbox rights. However, this is per user; I need to specify the DN for each account that I wish to export the rights from. Does anybody know a method to get this to do all accounts in my domain? Thanks

James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

' Mailbox access-mask bits
Const RIGHT_DS_DELETE = &H10000
Const RIGHT_DS_READ = &H20000
Const RIGHT_DS_CHANGE = &H40000
Const RIGHT_DS_TAKE_OWNERSHIP = &H80000
Const RIGHT_DS_MAILBOX_OWNER = &H1
Const RIGHT_DS_SEND_AS = &H2
Const RIGHT_DS_PRIMARY_OWNER = &H4
' ADSI ACE types; VBScript does not predefine these, so declare them
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1

' Bind to one user and read the mailbox security descriptor
Set objuser = GetObject("LDAP://your-user-DN")
Set oSecurityDescriptor = objuser.Get("msExchMailboxSecurityDescriptor")
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
For Each ace In dacl
    mystring = ace.Trustee

    ' ----ACE TYPE-----
    If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
        wscript.echo mystring & " is allowed:"
    ElseIf (ace.AceType = ADS_ACETYPE_ACCESS_DENIED) Then
        wscript.echo mystring & " is denied:"
    End If

    ' ----ACE MASK----
    If (ace.AccessMask And RIGHT_DS_SEND_AS) Then
        wscript.echo mystring & " -send mail as"
    End If
    If (ace.AccessMask And RIGHT_DS_CHANGE) Then
        wscript.echo mystring & " -modify user attributes"
    End If
    If (ace.AccessMask And RIGHT_DS_DELETE) Then
        wscript.echo mystring & " -delete mailbox store"
    End If
    If (ace.AccessMask And RIGHT_DS_READ) Then
        wscript.echo mystring & " -read permissions"
    End If
    If (ace.AccessMask And RIGHT_DS_TAKE_OWNERSHIP) Then
        wscript.echo mystring & " -take ownership of this object"
    End If
    If (ace.AccessMask And RIGHT_DS_MAILBOX_OWNER) Then
        wscript.echo mystring & " -is mailbox owner of this object"
    End If
    If (ace.AccessMask And RIGHT_DS_PRIMARY_OWNER) Then
        wscript.echo mystring & " -is mailbox Primary owner of this object"
    End If
Next

Hi, have a look at this: http://msdn2.microsoft.com/en-us/library/aa746471.aspx

Henry

"jamestechman" wrote:
> I'm using the following to audit mailbox rights. However, this is per
> user, I need to specify the dn for each account that I wish to export
> the rights from. Does anybody know a method to get this to do all
> accounts in my domain? Thanks
>
> James Chong (MVP)
> MCSE | M+, S+, MCTS, Security+
> msexchangetips.blogspot.com
>
> Const RIGHT_DS_DELETE = &H10000
> Const RIGHT_DS_READ = &H20000
> Const RIGHT_DS_CHANGE = &H40000
> Const RIGHT_DS_TAKE_OWNERSHIP = &H80000
> Const RIGHT_DS_MAILBOX_OWNER = &H1
> Const RIGHT_DS_SEND_AS = &H2
> Const RIGHT_DS_PRIMARY_OWNER = &H4
>
> set objuser = getobject("LDAP://your-user-DN")
> Set oSecurityDescriptor =
> objuser.Get("msExchMailboxSecurityDescriptor")
> Set dacl = oSecurityDescriptor.DiscretionaryAcl
> Set ace = CreateObject("AccessControlEntry")
> For Each ace In dacl
> mystring = ace.Trustee
>
> ' ----ACE TYPE-----
> If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
> wscript.echo mystring & " is allowed:"
> ElseIf (ace.AceType = ADS_ACETYPE_ACCESS_DENIED) Then
> wscript.echo mystring & " is denied:"
> End If
>
> ' ----ACE MASK----
> If (ace.AccessMask And RIGHT_DS_SEND_AS) Then
> wscript.echo mystring & " -send mail as"
> End If
>
> If (ace.AccessMask And RIGHT_DS_CHANGE) Then
> wscript.echo mystring & " -modify user attributes"
> End If
>
> If (ace.AccessMask And RIGHT_DS_DELETE) Then
> wscript.echo mystring & " -delete mailbox store"
> End If
>
> If (ace.AccessMask And RIGHT_DS_READ) Then
> wscript.echo mystring & " -read permissions"
> End If
> If (ace.AccessMask And RIGHT_DS_TAKE_OWNERSHIP) Then
> wscript.echo mystring & " -take ownership of this object"
> End If
> If (ace.AccessMask And RIGHT_DS_MAILBOX_OWNER) Then
> wscript.echo mystring & " -is mailbox owner of this object"
> End If
> If (ace.AccessMask And RIGHT_DS_PRIMARY_OWNER) Then
> wscript.echo mystring & " -is mailbox Primary
> owner of this object"
> End If
>
> Next
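
One way to cover every account, as an added example that is not part of the original thread: an ADO search through the ADSI provider returns each user that has msExchMailboxSecurityDescriptor set, and the per-user loop from the question runs on each result. The LDAP filter, the page size, the semicolon-separated output and the Inherited column are assumptions of this example; the mask values are the ones posted above.

```vbscript
' Added example, not from the thread. Run: cscript //nologo audit.vbs > rights.csv
Option Explicit
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Dim masks, names, conn, cmd, rs, dn, user, dacl, ace, i, rights, kind, inh
' Access-mask bits and labels, taken from the constants in the original post.
masks = Array(&H1, &H2, &H4, &H10000, &H20000, &H40000, &H80000)
names = Array("MAILBOX_OWNER", "SEND_AS", "PRIMARY_OWNER", "DELETE", _
              "READ", "CHANGE", "TAKE_OWNERSHIP")

Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.Properties("Page Size") = 500   ' paged search, so large domains are not truncated
' LDAP-dialect query: all user objects in the default domain that carry the attribute.
cmd.CommandText = "<LDAP://" & GetObject("LDAP://RootDSE").Get("defaultNamingContext") & _
    ">;(&(objectCategory=person)(objectClass=user)" & _
    "(msExchMailboxSecurityDescriptor=*));distinguishedName;subtree"
Set rs = cmd.Execute

WScript.Echo "Mailbox;Trustee;Type;Inherited;Rights"
Do Until rs.EOF
    dn = rs.Fields("distinguishedName").Value
    ' A "/" inside a DN must be escaped before it is used in an ADsPath.
    Set user = GetObject("LDAP://" & Replace(dn, "/", "\/"))
    Set dacl = user.Get("msExchMailboxSecurityDescriptor").DiscretionaryAcl
    For Each ace In dacl
        If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Then
            kind = "allow"
        ElseIf ace.AceType = ADS_ACETYPE_ACCESS_DENIED Then
            kind = "deny"
        Else
            kind = "type " & ace.AceType
        End If
        If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then inh = "yes" Else inh = "no"
        rights = ""
        For i = 0 To UBound(masks)
            If (ace.AccessMask And masks(i)) <> 0 Then rights = rights & names(i) & " "
        Next
        WScript.Echo dn & ";" & ace.Trustee & ";" & kind & ";" & inh & ";" & Trim(rights)
    Next
    rs.MoveNext
Loop
rs.Close
conn.Close
```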