0 votes

I've got the following script so far using the SDK but running into an error:

You cannot call a method on a null-valued expression.
At line:1 char:1
+ $Context.BindToObjectByDN($object.SearchResult.AdsPath.DN)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Here's my script currently:

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Reference custom report columns
$column_access = "{e4626b03-8fc7-4baa-8961-2a6fe0e19699}" # Column ID of the Access custom text column
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" # Column ID of the Mailbox custom object ID column

# Split out multiple mailboxes
$mailboxes = "%param-Mailbox%"
$mailboxes = $mailboxes.split(";")

Foreach ($mailbox in $mailboxes) {

    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, "$mailbox")

    # Bind to the mailbox
    $user = $admService.OpenObject("Adaxes://$mailbox", $NULL, $NULL, 0)

    # Get Exchange properties
    $mailboxParams = $user.GetMailParameters()

    # Full Access
    $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
    if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Full Access")
        foreach ($object in $fullAccess) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }

    # Send As
    $sendAs = $mailboxParams.SendAs
    if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Send As")
        foreach ($object in $sendAs) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }

    # Send on Behalf Of
    $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
    if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Send On Behalf Of")
        foreach ($object in $sendOnBehalfOf) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }
}
by (220 points)
0

I'm thinking something like this

[screenshot]

0

Hello Richard,

Do we understand correctly that the Name and Email columns should contain comma-separated names and email addresses of all the delegates, independently of the permissions they have?

0

There should be a line per 'name', per mailbox? It shows myself there twice, so it should be able to show a result per line, right? Just with the combined permission type rather than that being per line too?

0

Hello Richard,

The Name column is always present in a report. The best approach for multiple mailboxes would be as follows:

  • The report items will be grouped by the selected mailbox.
  • Each group will contain the objects that are granted permissions over the mailbox.
  • The report will have the Name column for delegates and custom columns Send on Behalf, Full Access and Send As.
  • Each custom column will have value Yes or No based on the permissions of the delegate in the mailbox.

Does this approach meet your needs?
0

I think I've managed to create what I'm after now. It seems to be working well for me (I added a parameter for the permission type).

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Reference custom report columns
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" # Column ID of the Mailbox custom object ID column
$column_permission = "{d5ae6fbf-3ce6-4ab1-8ada-dce2c64fa8a4}" # Column ID of the Permission custom column


# Split out multiple mailboxes
$mailboxes = "%param-Mailbox%"
$mailboxes = $mailboxes.split(";")

Foreach ($mailbox in $mailboxes) {

    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, "$mailbox")
    $columnValues.Add($column_permission, "%param-permission%")

    # Bind to the mailbox
    $user = $admService.OpenObject("Adaxes://$mailbox", $NULL, $NULL, 0)

    # Get Exchange properties
    $mailboxParams = $user.GetMailParameters()

    If ("%param-permission%" -eq "Full Access"){
        $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
        if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
        Else {
            foreach ($object in $fullAccess) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN")
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
    ElseIf ("%param-permission%" -eq "Send As"){
        $sendAs = $mailboxParams.SendAs
        if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
        Else {
            foreach ($object in $sendAs) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN") 
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
    Else {
        $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
        if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
        Else {
            foreach ($object in $sendOnBehalfOf) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report 
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN") 
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
}

I also created one for running on an OU/domain (it might take a while):

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")


# Search filter
$filterUsers = "(sAMAccountType=805306368)"
$Context.DirectorySearcher.AppendFilter($filterUsers)

# Reference custom report columns
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" # Column ID of the Mailbox custom object ID column
$column_permission = "{d5ae6fbf-3ce6-4ab1-8ada-dce2c64fa8a4}" # Column ID of the Permission custom column

# Add properties necessary to generate the report
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("distinguishedname")

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        $MailboxDN = $searchResult.GetPropertyByName("distinguishedname").Values[0]

        # Bind to the mailbox
        $user = $admService.OpenObject("Adaxes://$mailboxDN", $NULL, $NULL, 0)

        # Get Exchange properties
        $mailboxParams = $user.GetMailParameters()

        $columnValues = @{
            $column_mailbox = $MailboxDN;
            $column_permission = "%param-permission%";}
        #$Context.Items.Add($searchResult, $columnValues, $NULL)

        If ("%param-permission%" -eq "Full Access"){
            $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
            if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
            Else {
                foreach ($object in $fullAccess) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN")
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
        ElseIf ("%param-permission%" -eq "Send As"){
            $sendAs = $mailboxParams.SendAs
            if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
            Else {
                foreach ($object in $sendAs) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN") 
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
        Else {
            $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
            if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
            Else {
                foreach ($object in $sendOnBehalfOf) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report 
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN") 
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}

1 Answer

0 votes
by (206k points)

Hello Richard,

The scripts will not work properly, as Send As and Send on Behalf permissions are retrieved as collections, not as arrays. We updated the scripts accordingly.

Script 1

$permissionParameterValue = "%param-permission%"

# Reference custom report columns
$column_mailbox = "{b12566fb-25a3-41d1-96fe-db944a2f6c7d}" # Column ID of the Mailbox custom object ID column
$column_permission = "{577c8156-b6ef-4e07-a931-ceddea75bf2c}" # Column ID of the Permission custom column

# Split out multiple mailboxes
$mailboxDNs = "%param-Mailbox%".Split(";")

foreach ($mailboxDN in $mailboxDNs) 
{
    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, $mailboxDN)
    $columnValues.Add($column_permission, $permissionParameterValue)

    # Get Exchange properties
    $user = $Context.BindToObjectByDNEx($mailboxDN, $True)
    $mailboxParams = $user.GetMailParameters()

    $objectFound = 0
    if ($permissionParameterValue -eq "Full Access")
    {
        $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
        foreach ($object in $fullAccess) 
        {
            if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            # Add item to report
            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }
    elseif ($permissionParameterValue -eq "Send As")
    {
        $sendAs = $mailboxParams.SendAs
        for ($i = 0; $i -lt $sendAs.Count; $i++)
        {
            $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }
    else
    {
        $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
        for ($i = 0; $i -lt $sendOnBehalfOf.Count; $i++)
        {
            $object = $sendOnBehalfOf.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }

    if ($objectFound -eq 0) 
    {
        $Context.Items.Add(-1, "No '$permissionParameterValue' rights on mailbox", "Information", $columnValues)
        continue
    }
}

Script 2

$permissionParameterValue = "%param-permission%"

# Reference custom report columns
$column_mailbox = "{b12566fb-25a3-41d1-96fe-db944a2f6c7d}" # Column ID of the Mailbox custom object ID column
$column_permission = "{577c8156-b6ef-4e07-a931-ceddea75bf2c}" # Column ID of the Permission custom column

$Context.DirectorySearcher.AppendFilter("(&(sAMAccountType=805306368)(msExchRecipientTypeDetails=1))")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("distinguishedname")
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $mailboxDN = $searchResult.GetPropertyByName("distinguishedname").Values[0]

        # Create hash table and specify column value
        $columnValues = @{ }
        $columnValues.Add($column_mailbox, $mailboxDN)
        $columnValues.Add($column_permission, $permissionParameterValue)

        # Get Exchange properties
        $user = $Context.BindToObjectBySearchResultEx($searchResult, $True)
        $mailboxParams = $user.GetMailParameters()

        $objectFound = 0
        if ($permissionParameterValue -eq "Full Access")
        {
            $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
            foreach ($object in $fullAccess) 
            {
                if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                # Add item to report
                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }
        elseif ($permissionParameterValue -eq "Send As")
        {
            $sendAs = $mailboxParams.SendAs
            for ($i = 0; $i -lt $sendAs.Count; $i++)
            {
                $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
                if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }
        else
        {
            $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
            for ($i = 0; $i -lt $sendOnBehalfOf.Count; $i++)
            {
                $object = $sendOnBehalfOf.GetItem($i, [ref]"ADS_PROPERTY_NONE")
                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }

        if ($objectFound -eq 0) 
        {
            $Context.Items.Add(-1, "No '$permissionParameterValue' rights on mailbox", "Information", $columnValues)
            continue
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
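The following is an added example, not code from this thread or from Adaxes. It implements the layout the Adaxes engineer proposed in the comments (one report row per delegate per mailbox, with Yes/No custom columns for Full Access, Send As and Send on Behalf) in a single pass, instead of one report run per permission type. It uses only the API calls that appear in the answer's scripts, including the Count/GetItem enumeration for the two collection-typed properties. Assumptions: the four column IDs are placeholders to be replaced with the IDs of custom columns created on the report (one object column for the mailbox, three text columns for the permission types); `%param-Mailbox%` holds semicolon-separated mailbox DNs as in Script 1; and `$trustee.SearchResult.AdsPath.DN` is usable as a delegate key, as in Richard's second script.

```powershell
# Added example (not the thread's or Adaxes' own code). Runs as an Adaxes
# report script: one row per delegate per mailbox, Yes/No per permission type.

# ASSUMPTION: placeholder column IDs. Replace with the IDs of four custom
# columns on the report: an object column for the mailbox and three text
# columns for the permission types.
$column_mailbox      = "{00000000-0000-0000-0000-000000000001}"
$column_fullAccess   = "{00000000-0000-0000-0000-000000000002}"
$column_sendAs       = "{00000000-0000-0000-0000-000000000003}"
$column_sendOnBehalf = "{00000000-0000-0000-0000-000000000004}"

# SendAs and GrantSendOnBehalfTo are ADSI collections (Count/GetItem), not
# arrays, which is why the answer enumerates them by index. This turns such a
# collection into a PowerShell array so the caller can foreach over it.
function ConvertFrom-AdsiCollection($collection)
{
    $items = @()
    if ($NULL -eq $collection) { return $items }
    for ($i = 0; $i -lt $collection.Count; $i++)
    {
        $items += $collection.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    }
    return $items
}

# True for trustees that should not become report rows: entries that did not
# resolve to a directory object, and well-known principals such as
# NT AUTHORITY\SELF (the 'self' entry the original scripts filtered by name).
function Test-SkipTrustee($trustee)
{
    if ($NULL -eq $trustee.SearchResult) { return $true }
    if ((-not [System.String]::IsNullOrEmpty($trustee.ObjectSid)) -and
        [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
    {
        return $true
    }
    return $false
}

$mailboxDNs = "%param-Mailbox%".Split(";")

foreach ($mailboxDN in $mailboxDNs)
{
    $user = $Context.BindToObjectByDNEx($mailboxDN, $True)
    $mailboxParams = $user.GetMailParameters()

    # The three permission sources, each paired with the column it sets to Yes.
    $sources = @(
        @{ Column   = $column_fullAccess
           Trustees = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS") },
        @{ Column   = $column_sendAs
           Trustees = (ConvertFrom-AdsiCollection $mailboxParams.SendAs) },
        @{ Column   = $column_sendOnBehalf
           Trustees = (ConvertFrom-AdsiCollection $mailboxParams.GrantSendOnBehalfTo) }
    )

    # Delegate DN -> { SearchResult; Columns }. Keyed on the trustee's DN so a
    # principal holding several permission types becomes one row.
    $delegates = @{}

    foreach ($source in $sources)
    {
        foreach ($trustee in $source.Trustees)
        {
            if (Test-SkipTrustee $trustee) { continue }

            $dn = $trustee.SearchResult.AdsPath.DN
            if (-not $delegates.ContainsKey($dn))
            {
                $delegates[$dn] = @{
                    SearchResult = $trustee.SearchResult
                    Columns      = @{
                        $column_mailbox      = $mailboxDN
                        $column_fullAccess   = "No"
                        $column_sendAs       = "No"
                        $column_sendOnBehalf = "No"
                    }
                }
            }
            $delegates[$dn].Columns[$source.Column] = "Yes"
        }
    }

    if ($delegates.Count -eq 0)
    {
        $Context.Items.Add(-1, "No delegates on mailbox $mailboxDN", "Information", @{ $column_mailbox = $mailboxDN })
        continue
    }

    foreach ($row in $delegates.Values)
    {
        $Context.Items.Add($row.SearchResult, $row.Columns)
    }
}
```

Two caveats when reading the output. A trustee that is a group appears as one row for the group; its members are not expanded, so a "Yes" under Full Access or Send As on a group row covers everyone in that group. And Full Access and Send As are impersonation-grade rights (the holder can read the mailbox or send mail as the owner), so those rows deserve review before Send on Behalf, which stamps the real sender on the message. To run the same thing over an OU or domain, move the loop body into the DirectorySearcher loop from Script 2 and take `$mailboxDN` from the search result instead of from the parameter.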
