Author: listmail (Posts: 428)
Date: 08/22/2005 12:50 PM

You may have an issue. Microsoft does not support modifying
the msExchMailboxSecurityDescriptor attribute directly for a mailbox that is
already instantiated. According to the documentation, the only time that
attribute is authoritative AND can be set such that it affects the mailbox is
when the mailbox is not instantiated. Once the mailbox is instantiated you must
use the MailBoxRights property from CDOEXM to manipulate the permissions which
supposedly goes to the store directly and makes the changes via MAPI.
Outside of that, I have seen odd cases where, even with the mailbox ACL set prior to instantiation, it STILL doesn't get used. Exchange permissions are a pain in the butt at their best.
Now another problem. I could be wrong as I haven't played with it, but I do not believe you can directly write the SDDL format to the security descriptor attribute; you will need to convert it to a binary SD, which I am thinking will be a serious pain from UNIX. I know when ADFIND reads a SD, it gets it in as a BLOB (binary octet string) and has to send it through an API call to get it translated to SDDL format.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:32 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] MailBox permissioning

Hi All,
Found a perl function in laman.pm which converts sid to string:

    use strict;
    use warnings;

    # Convert a binary SID (as read from AD, e.g. objectSid) to its "S-1-..." form.
    sub SidToString
    {
        my ($sid) = @_;
        # Byte 0 is the SID revision and must be 1.
        return undef unless unpack("C", substr($sid, 0, 1)) == 1;
        # Byte 1 is the sub-authority count; total length is 8 + 4 per sub-authority.
        return undef unless length($sid) == 8 + 4 * unpack("C", substr($sid, 1, 1));
        my $sid_str = "S-1-";
        # Bytes 2-7 hold the 48-bit identifier authority, big-endian; bytes 4-7
        # (the low 32 bits) cover every authority value seen in practice.
        $sid_str .= (unpack("C", substr($sid, 7, 1))
                  + (unpack("C", substr($sid, 6, 1)) << 8)
                  + (unpack("C", substr($sid, 5, 1)) << 16)
                  + (unpack("C", substr($sid, 4, 1)) << 24));
        # Sub-authorities are 32-bit little-endian. "V" says so explicitly, so the
        # result is right on big-endian HP-UX too ("I" would use native byte order).
        for my $loop (0 .. unpack("C", substr($sid, 1, 1)) - 1)
        {
            $sid_str .= "-" . unpack("V", substr($sid, 4 * $loop + 8, 4));
        }
        return $sid_str;
    }
Hope this will do the job.
What all will be required to do the job? Is setting msExchMailboxSecurityDescriptor and msExchMasterAccountSid enough, or do I also need something else?
Thanks,
Mayuresh.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] MailBox permissioning
Thanks for the pointer.
Also, does anyone know any perl module which converts the binary sid to text sid? The win32 module won't work because the script will be invoked from HP-UX.
Regards,
Mayuresh.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 3:39 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] MailBox permissioning
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
In the example above, you have a classic output that contains SDDL (Security Descriptor Definition Language):
O:sid is the SID of the owner
G:sid is the SID of the group
D: is a DACL
I'll let you look over the rest and determine what you have in your strings...
http://msdn.microsoft.com/library/default.asp?url=
Rick
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 11:10 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] MailBox permissioning
Using a newer version of ldp I could gather the following things:
The mailbox users have the following attribute set.
usert - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);
ZZZGGG - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);
ZZZJJJ - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS) <- This part was common for all entries.
S-1-5-21-3308934242-2785796821-2776977491-xxxx is the objectSID for the object in the other domain to whom I want to give permissions. Also the attribute msExchMasterAccountSid is set to the value of the object sid.
But this part *** (A;CI;CCLCRC;;; *** before the objectsid differs in some entries. What are all these fields? How can I find out these values programmatically and make a single attribute value which I can then give to the meta directory for setting?
Regards,
Mayuresh
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 3:33 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] MailBox permissioning
Yes. But I want to do it using scripting + Meta directory server.
The steps I understand until now are:
- give appropriate permissions in the security tab to the user in the different domain.
- give appropriate permissions in the Mailbox rights.
Since my Meta directory server is on HP-UX, I can't employ a vbscript to do this. Can there be other ways? I understand that I would have to set the msexchmailboxsecuritydescriptor attribute. How can I generate a binary value for this using a perl script, so that I can give this value to the meta dir to process and set in the exchange entry?
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bryon Barkley
Sent: Thursday, August 11, 2005 2:16 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] MailBox permissioning
Mayuresh,
You should be able to just give Full Permissions to the user on the mailbox rights tab located under the Exchange Advanced tab of the user's properties.
BB
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 4:00 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] MailBox permissioning
Hi Gurus,
I have a scenario where I have users and mailboxes created on an exchange server in one domain. Now I have another set of users in a different domain, who should be able to use these mailboxes, and should have permissions over them.
E.g. User A is in the retail domain. Correspondingly, user A is created in the exchange domain with a mailbox. I want to now have the permissions set so as to make the user A in the retail domain use this mailbox. What attributes should I set on the user side or the mailbox side to do this?
I'll be doing this permissioning using a meta directory server.
Thanks,
Mayuresh.
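The following is an added worked example; it is not code from the thread or from any of the posters. It does the two things the thread circles around in pure Perl with no Win32 modules: it decodes the fields of the SDDL strings quoted above (ACE type, inheritance flags, access-mask letters, trustee SID) and packs the result into the self-relative binary security descriptor layout that msExchMailboxSecurityDescriptor holds. All packing uses explicit little-endian formats so the bytes are identical when the script runs on a big-endian HP-UX host. The rights and flag tables are the standard SDDL two-letter abbreviations, and PS is the Principal Self alias (S-1-5-10); the function names (parse_sddl, string_to_sid, build_self_relative_sd) and the demo input are my own. Exchange displays these mask bits with mailbox-specific names on the Mailbox Rights tab; the code decodes only the raw mask and leaves that mapping to be checked against the GUI.

```perl
# Added example, not code from the thread: SDDL -> self-relative binary security
# descriptor in pure Perl (no Win32 modules), packed with explicit little-endian
# formats ("v"/"V") so the bytes come out the same on big-endian HP-UX.
use strict;
use warnings;

# Standard SDDL access-right abbreviations (directory-service and generic rights).
my %RIGHT = (
    CC => 0x1,        DC => 0x2,        LC => 0x4,        SW => 0x8,
    RP => 0x10,       WP => 0x20,       DT => 0x40,       LO => 0x80,
    CR => 0x100,      SD => 0x10000,    RC => 0x20000,    WD => 0x40000,
    WO => 0x80000,    GA => 0x10000000, GX => 0x20000000, GW => 0x40000000,
    GR => 0x80000000,
);
my %ACE_FLAG = (OI => 0x01, CI => 0x02, NP => 0x04, IO => 0x08, ID => 0x10);
my %ACE_TYPE = (A => 0x00, D => 0x01);            # access-allowed / access-denied
my %ALIAS    = (PS => 'S-1-5-10', WD => 'S-1-1-0', BA => 'S-1-5-32-544');

sub resolve_sid { my ($s) = @_; return exists $ALIAS{$s} ? $ALIAS{$s} : $s }

# Turn a run of two-letter SDDL codes ("CCLCRC" -> 0x20005, "CI" -> 0x02) into a
# bit mask using the given table; SDDL also allows a literal hex mask.
sub codes_to_mask {
    my ($codes, $table, $what) = @_;
    return hex($codes) if $codes =~ /^0x/i;
    die "odd-length $what string '$codes'" if length($codes) % 2;
    my $mask = 0;
    for my $code ($codes =~ /(..)/g) {
        die "unknown $what '$code'" unless exists $table->{$code};
        $mask |= $table->{$code};
    }
    return $mask;
}

# Split "O:...G:...D:(type;flags;rights;;;sid)..." into owner, group and ACE list.
sub parse_sddl {
    my ($sddl) = @_;
    my ($owner, $group, $dacl) = $sddl =~ /^O:(.*?)G:(.*?)D:(.*)$/
        or die "unsupported SDDL layout (need O:, G: and D:): $sddl";
    my @aces;
    while ($dacl =~ /\(([^)]*)\)/g) {
        my $ace = $1;
        my ($type, $flags, $rights, undef, undef, $sid) = split /;/, $ace, 6;
        die "unsupported ACE type '$type'" unless exists $ACE_TYPE{$type};
        push @aces, { type  => $ACE_TYPE{$type},
                      flags => codes_to_mask($flags,  \%ACE_FLAG, 'ACE flag'),
                      mask  => codes_to_mask($rights, \%RIGHT,    'right'),
                      sid   => resolve_sid($sid) };
    }
    return { owner => resolve_sid($owner), group => resolve_sid($group), aces => \@aces };
}

# "S-1-5-21-..." -> binary SID: revision(1) count(1) authority(6, big-endian),
# then one little-endian 32-bit sub-authority per remaining component.
sub string_to_sid {
    my ($str) = @_;
    my @part = split /-/, $str;
    die "bad SID string: $str"
        unless @part >= 4 && $part[0] eq 'S' && !grep { !/^\d+$/ } @part[1 .. $#part];
    my ($rev, $auth, @subs) = @part[1 .. $#part];
    die "identifier authority too large for this packer" if $auth >= 2**32;
    return pack('C C x2 N V*', $rev, scalar @subs, $auth, @subs);
}

# Self-relative SECURITY_DESCRIPTOR: Revision(1) Sbz1(1) Control(2) and four
# 32-bit offsets (owner, group, SACL, DACL) counted from the start of the blob.
sub build_self_relative_sd {
    my ($sd) = @_;
    my $ace_bytes = '';
    for my $ace (@{ $sd->{aces} }) {
        my $sid = string_to_sid($ace->{sid});
        # ACE: AceType(1) AceFlags(1) AceSize(2) Mask(4) SID(variable)
        $ace_bytes .= pack('C C v V', $ace->{type}, $ace->{flags}, 8 + length($sid), $ace->{mask}) . $sid;
    }
    # ACL: AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2); revision 2 is
    # enough because none of these ACEs carries object GUIDs.
    my $acl   = pack('C C v v v', 2, 0, 8 + length($ace_bytes), scalar @{ $sd->{aces} }, 0) . $ace_bytes;
    my $owner = string_to_sid($sd->{owner});
    my $group = string_to_sid($sd->{group});
    my $control   = 0x8000 | 0x0004;               # SE_SELF_RELATIVE | SE_DACL_PRESENT
    my $off_owner = 20;                            # fixed header length
    my $off_group = $off_owner + length($owner);
    my $off_dacl  = $off_group + length($group);
    return pack('C C v V V V V', 1, 0, $control, $off_owner, $off_group, 0, $off_dacl)
         . $owner . $group . $acl;
}

# Constructed demo input: one of the SDDL strings quoted in the thread.
my $sddl = 'O:S-1-5-21-2527121305-4244181741-3459546813-500'
         . 'G:S-1-5-21-2527121305-4244181741-3459546813-500'
         . 'D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);';
my $sd = parse_sddl($sddl);
for my $ace (@{ $sd->{aces} }) {
    printf "%-7s flags=0x%02x mask=0x%05x sid=%s\n",
        $ace->{type} ? 'denied' : 'allowed', $ace->{flags}, $ace->{mask}, $ace->{sid};
}
my $blob = build_self_relative_sd($sd);
printf "%d-byte self-relative SD: %s\n", length($blob), unpack('H*', $blob);
```

Feeding the other three strings from the thread through parse_sddl shows exactly where they differ: ZZZGGG's CCLCSDRC adds the SD bit (0x10000, DELETE) to the foreign account's mask, and ZZZJJJ's CCLCSD drops RC (0x20000, READ_CONTROL). The quickest check that the packing is right is to read a mailbox's attribute back and compare the SDDL that ldp renders against what parse_sddl reports for the value you intend to write; and, as listmail notes above, the attribute is only honoured when set before the mailbox is instantiated, so treat the blob as something to stage through the meta directory at provisioning time rather than as a way to change an existing mailbox.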