| Author | Messages | |
jpuccinelli
Posts:0
 | | 05/08/2007 4:44 AM |
| Howdy Ya’ll
Long time lurker first time poster…
I am having trouble finding a way to get a comprehensive list
of exactly what mailboxes a user has rights to open. I thought that this would
be a simple task…but I am sort of stuck. Can someone please point
me in the right direction?
Environment: Mixed-mode 2k/2k3 AD
Exchange 2k3
Thanks-
Jeffrey Puccinelli
System
Administrator | | | |
| hcoleman
Posts:31
 | | 05/08/2007 6:30 AM |
| I haven't messed around with it yet, but if it was me I'd
start with http://gsexdev.blogspot.com/2007/04/tracking-permission-changes-to-mailbox.html
Hunter | | | |
| listmail
Posts:496
 | | 05/08/2007 10:49 AM |
| Yeah... so the Exchange team certainly didn't do
anything to make this easy or even intuitive that I have seen. Certainly you
can't do any querying, the info is (usually) stored in one of two blobs.
Depending on what info you need.
If you need to know who can send as someone, you need to
enumerate the DACLs of all mailbox enabled users and find the ones that have
SEND AS listed.
And then if you want mailbox permissions Previously I would
say you could use adfind to dump the msexchmailboxsecuritydescriptor attribute
with -sddl++ and -resolvesids and maybe use that in combination with -sddlfilter
for all mailbox enabled users and have at it but then I ran into several cases
where the msexchmailboxsecuritydescriptor was not getting updated from the
default value for users with instantiated mailboxes. I haven't had a chance to
sit down and figure out exactly what is happening and if it was just a one off
in one environment or is a new bug in a later Exchange hotfix or possibly even
fixed in a later hotfix.
So now, the only way that you can authoritatively do this
is with the painfully and quite excessively slow mailboxrights attribute from
cdoexm that you get to through ADSI scripts. Again, painfully slow, you will
want to tear out your eyeballs so I recommend syncing some other store with the
info and then watch for objects that are changed and do updates that way.
At some point, hopefully, the Exchange team will realize
that securing info is only part of it, some times people actually need to
understand what is secured and how and from whom.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| Tony
Posts:53
 | | 05/08/2007 10:57 AM |
| Just thinking out loud here [1], but you should also be able to achieve the result by running PFDAVAdmin to dump all the mailbox permissions to file.
Tony
[1] Never a good thing to do right after lunch!
________________________________________________________________
Sent via the WebMail system at mail.activedir.org
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| listmail
Posts:496
 | | 05/08/2007 11:03 AM |
| If you can be assured that msexchmailboxsecuritydescriptor is being updated
properly AdFind will whoop PFDAVAdmin hands down in speed. :)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
| | | |
| Tony
Posts:53
 | | 05/08/2007 11:34 AM |
| I've read major works of Russian literature while waiting for PFDAVAdmin to complete.
| | | |
| listmail
Posts:496
 | | 05/08/2007 11:50 AM |
| Yes, very low bar...
The Exchange folks feel that they have a captive audience so can make them
put up with anything... If someone would just come up with an Exchange
killer I would be so in love with them.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
| | | |
| michael2
Posts:0
 | | 05/09/2007 7:42 AM |
| The behavior with
msexchmailboxSD is documented in a KB somewhere. KB 310866 and KB 304935. I
went and looked them up.
I bugged it a couple of years
ago. “Works as intended”. Bah.
| | | |
| listmail
Posts:496
 | | 05/09/2007 8:09 AM |
| If that is the case, it didn't work as intended for most of
the lifetime of Exchange because it used to be able to be used without concern,
it is only recently that I ran into an issue with it. And it took away the one
mechanism that could, if you really stretched the definition, be considered a
performant solution for getting ACL info for mailboxes.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
|
|
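The approach discussed in this thread (dump each mailbox-enabled user's security descriptors as SDDL, then look for the trustees), as an added example that is not part of any post and is not AdFind's or Exchange's own code: it inverts per-mailbox DACLs into a per-trustee list of mailboxes with Full mailbox access or Send As, and flags mailboxes whose msExchMailboxSecurityDescriptor names only SELF, which may be the un-updated default value mentioned above. The record layout, the SIDs and the SELF-only heuristic are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict

# Standard SDDL right codes -> access-mask bits (only the ones needed here).
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
FULL_MAILBOX_ACCESS = 0x1   # mailbox right "Full mailbox access" (prints as CC)
CONTROL_ACCESS = 0x100      # CR: extended right, selected by the object GUID
SEND_AS_GUID = "ab721a54-1e2f-11d0-9819-00aa0040529b"  # Send-As extended right
SELF = "PS"                 # SDDL alias for NT AUTHORITY\SELF


def parse_mask(text):
    """Turn an SDDL rights field (hex or concatenated codes) into an int."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS.get(text[i:i + 2], 0)
    return mask


def dacl_aces(sddl):
    """Yield (type, flags, mask, object_guid, trustee) for each DACL ACE."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) < 6:
            continue  # malformed ACE, ignore
        flags = {f[1][i:i + 2] for i in range(0, len(f[1]), 2)}
        yield f[0], flags, parse_mask(f[2]), f[3].lower(), f[5]


def trustees_with(sddl, wanted_bit, guid=None):
    """Trustees whose allow ACEs on the object itself grant wanted_bit.

    Inherit-only ACEs are skipped and a trustee with a matching deny ACE is
    dropped. Group membership is NOT expanded: a group SID stays a group SID.
    """
    allow, deny = set(), set()
    for ace_type, flags, mask, obj, trustee in dacl_aces(sddl):
        if "IO" in flags or not mask & wanted_bit:
            continue
        if guid is not None and obj not in ("", guid):
            continue  # CR ACE scoped to a different extended right
        if ace_type in ("A", "OA"):
            allow.add(trustee)
        elif ace_type in ("D", "OD"):
            deny.add(trustee)
    return allow - deny


def build_index(records):
    """Invert per-mailbox ACLs into trustee -> right -> sorted mailbox list."""
    index = defaultdict(lambda: {"full_access": [], "send_as": []})
    for rec in records:
        for t in trustees_with(rec["mailbox_sd"], FULL_MAILBOX_ACCESS) - {SELF}:
            index[t]["full_access"].append(rec["mailbox"])
        for t in trustees_with(rec["object_sd"], CONTROL_ACCESS,
                               SEND_AS_GUID) - {SELF}:
            index[t]["send_as"].append(rec["mailbox"])
    return {t: {k: sorted(v) for k, v in r.items()} for t, r in index.items()}


def possibly_default(records):
    """Mailboxes whose mailbox SD names no trustee other than SELF.

    Assumed heuristic for "maybe never updated from the default": treat these
    as unverified and confirm them against the store before relying on them.
    """
    return sorted(r["mailbox"] for r in records
                  if {a[4] for a in dacl_aces(r["mailbox_sd"])} <= {SELF})


# --- constructed sample data (SIDs and mailbox names are made up) ---
ALICE = "S-1-5-21-1111111111-2222222222-3333333333-1105"
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1150"
RECEIVE_AS = "ab721a56-1e2f-11d0-9819-00aa0040529b"  # Receive-As, not Send-As
RECORDS = [
    {"mailbox": "bob",
     "mailbox_sd": f"O:PSG:PSD:(A;CI;CCRC;;;PS)(A;CI;CCRC;;;{ALICE})",
     "object_sd": f"O:DAG:DAD:AI(OA;;CR;{SEND_AS_GUID};;PS)"
                  f"(OA;;CR;{SEND_AS_GUID};;{HELPDESK})"},
    {"mailbox": "carol",   # mailbox SD lists SELF only
     "mailbox_sd": "D:(A;CI;CCRC;;;PS)",
     "object_sd": f"D:AI(A;;CR;;;{ALICE})(OA;;CR;{RECEIVE_AS};;{HELPDESK})"},
    {"mailbox": "dave",    # explicit deny plus an inherit-only ACE
     "mailbox_sd": f"D:(D;CI;CC;;;{ALICE})(A;CI;CCRC;;;PS)"
                   f"(A;CI;0x20001;;;{ALICE})(A;CIIO;CC;;;{HELPDESK})",
     "object_sd": f"D:AI(OA;;CR;{SEND_AS_GUID};;PS)"},
]

if __name__ == "__main__":
    for trustee, rights in sorted(build_index(RECORDS).items()):
        print(trustee, rights)
    print("verify against the store:", possibly_default(RECORDS))
```

Feeding it resolved names instead of SIDs works the same way, since the trustee field is treated as an opaque string.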