Audit Exchange Permissions script
- From: "Jamestechman" <jamestechman@xxxxxxxxx>
- Date: 12 Mar 2007 11:07:41 -0700
I'm using the script below in the article. However, it queries per
user by modifying the script by entering the user DN; is there a
method to query all users in the domain?
CONST ADS_ACETYPE_ACCESS_ALLOWED = 0
CONST ADS_ACETYPE_ACCESS_DENIED = 1
CONST ADS_ACETYPE_SYSTEM_AUDIT = 2
CONST ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
CONST ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
CONST ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
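CONST ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8
' Constants used by the AddAce call below; without them VBScript passes Empty (0).
CONST ADS_RIGHT_DS_CREATE_CHILD = &H1
CONST ADS_ACEFLAG_INHERIT_ACE = &H2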
Dim objUser
Dim oSecurityDescriptor
Dim dacl
Dim ace
' ********************************************************************
' Change this variable according to your environment.
'
sUserADsPath = "LDAP://CN=user\, me,OU=Users,DC=test,DC=com"
sTrustee = "corp\admin"
' ********************************************************************
'Get directory user object.
Set objUser = GetObject(sUserADsPath)
' Get the Mailbox security descriptor (SD).
Set oSecurityDescriptor = objUser.MailboxRights
' Extract the Discretionary Access Control List (DACL) using the
' IADsSecurityDescriptor interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' The following block of code demonstrates how to read all the
' ACEs on a DACL for the Exchange 2000 mailbox.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
wscript.echo "Here are the existing ACEs in the mailbox's DACL:"
' Enumerate all the Access Control Entries (ACE) in the DACL using the
' IADsAccessControlList interface, displaying the current mailbox rights.
'wscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
For Each ace In dacl
' Display all the properties of the ACEs using the
' IADsAccessControlEntry interface.
wscript.echo ace.Trustee & ", " & ace.AccessMask & ", " & _
ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
ace.ObjectType & ", " & ace.InheritedObjectType
Next
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' The following block of code demonstrates adding a new ACE to the DACL
' for the Exchange 2003/2000 mailbox with the Trustee specified in sTrustee,
' which permits full control over this mailbox.
' This is the same task that is performed by ADUnC when you follow these
' steps to modify the properties of a user: on the Exchange Advanced tab,
' under Mailbox Rights, click Add, select the Trustee, and then select the
' Full Mailbox Access Rights check box.
' Similarly, you can also remove ACEs from this ACL by using the
' IADsAccessControlEntry interfaces.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Template: AddAce(TrusteeName, gAccessMask, gAceType, gAceFlags,
' gFlags, gObjectType, gInheritedObjectType)
AddAce dacl, sTrustee, ADS_RIGHT_DS_CREATE_CHILD, _
ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
' Add the modified DACL to the security descriptor.
oSecurityDescriptor.DiscretionaryAcl = dacl
' Save new SD onto the user.
objUser.MailboxRights = oSecurityDescriptor
' Commit changes from the property cache to the information store.
objUser.SetInfo
wscript.echo "Done viewing and modifying the mailbox security descriptor"
'********************************************************************
'*
'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'* gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'*
'* Purpose: Adds an ACE to a DACL
'* Input: dacl Object's Discretionary Access Control List
'* TrusteeName SID or Name of the trustee user account
'* gAccessMask Access Permissions
'* gAceType ACE Types
'* gAceFlags Inherit ACEs from the owner of the ACL
'* gFlags ACE has an object type or inherited object type
'* gObjectType Used for Extended Rights
'* gInheritedObjectType
'*
'* Output: Object - New DACL with the ACE added
'*
'********************************************************************
Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, _
gFlags, gObjectType, gInheritedObjectType)
Dim Ace1
' Create a new ACE object.
Set Ace1 = CreateObject("AccessControlEntry")
Ace1.AccessMask = gAccessMask
Ace1.AceType = gAceType
Ace1.AceFlags = gAceFlags
Ace1.Flags = gFlags
Ace1.Trustee = TrusteeName
'See whether ObjectType must be set
If CStr(gObjectType) <> "0" Then
Ace1.ObjectType = gObjectType
End If
'See whether InheritedObjectType must be set.
If CStr(gInheritedObjectType) <> "0" Then
Ace1.InheritedObjectType = gInheritedObjectType
End If
dacl.AddAce Ace1
' Destroy objects.
Set Ace1 = Nothing
End Function
http://support.microsoft.com/kb/310866
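
One way to run the read-only part of the script above over every mailbox-enabled user in the domain (an added example, not part of the original post or the KB article). It assumes the script runs where the Exchange management tools are installed, since MailboxRights is exposed through CDOEXM, and it reports only ACEs set directly on each mailbox; drop the inherited-flag check to list inherited ACEs as well.

```vbscript
' Added example: read-only audit of mailbox DACLs for all mailbox-enabled users.
Option Explicit
Const ADS_ACEFLAG_INHERITED_ACE = &H10   ' ACE was inherited, not set on this mailbox

Dim oRoot, sBase, oConn, oCmd, oRS, sDN, oUser, oSD, ace

' Naming context of the current domain (for the post's domain: DC=test,DC=com).
Set oRoot = GetObject("LDAP://RootDSE")
sBase = oRoot.Get("defaultNamingContext")

Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCmd = CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.Properties("Page Size") = 500   ' page the results so large domains are not truncated
' homeMDB=* restricts the search to users that actually have a mailbox.
oCmd.CommandText = "<LDAP://" & sBase & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(homeMDB=*));" & _
    "distinguishedName;subtree"
Set oRS = oCmd.Execute

WScript.Echo "Mailbox, Trustee, AccessMask, AceType, AceFlags"
Do Until oRS.EOF
    sDN = oRS.Fields("distinguishedName").Value
    ' A "/" in a DN must be escaped before the DN is used in an ADsPath.
    Set oUser = GetObject("LDAP://" & Replace(sDN, "/", "\/"))
    On Error Resume Next
    Set oSD = oUser.MailboxRights
    If Err.Number <> 0 Then
        ' Mailbox not yet created in the store, or no rights to read its SD.
        WScript.Echo """" & sDN & """, <unreadable: 0x" & Hex(Err.Number) & ">"
        Err.Clear
        On Error GoTo 0
    Else
        On Error GoTo 0
        For Each ace In oSD.DiscretionaryAcl
            If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = 0 Then
                WScript.Echo """" & sDN & """, " & ace.Trustee & ", " & _
                    ace.AccessMask & ", " & ace.AceType & ", " & ace.AceFlags
            End If
        Next
    End If
    oRS.MoveNext
Loop
oRS.Close
oConn.Close
```

Run it with cscript and redirect the output to a file; nothing is written back to the directory because SetInfo is never called.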