I've got the following script so far using the SDK but running into an error:

You cannot call a method on a null-valued expression.
At line:1 char:1
+ $Context.BindToObjectByDN($object.SearchResult.AdsPath.DN)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Here's my script currently:

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Reference custom report columns
$column_access = "{e4626b03-8fc7-4baa-8961-2a6fe0e19699}" # Column ID of the Access custom text column
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" # Column ID of the Mailbox custom objectID column

# Split out multiple mailboxes
$mailboxes = "%param-Mailbox%"
$mailboxes = $mailboxes.split(";")

Foreach ($mailbox in $mailboxes) {

    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, "$mailbox")

    # Bind to the mailbox
    $user = $admService.OpenObject("Adaxes://$mailbox", $NULL, $NULL, 0)

    # Get Exchange properties
    $mailboxParams = $user.GetMailParameters()

    # Full Access
    $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
    if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Full Access")
        foreach ($object in $fullAccess) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }

    # Send As
    $sendAs = $mailboxParams.SendAs
    if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Send As")
        foreach ($object in $sendAs) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }

    # Send on Behalf Of
    $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
    if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Send On Behalf Of")
        foreach ($object in $sendOnBehalfOf) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }
}
by (260 points)
by (260 points)
0

I'm thinking something like this

screenshot

by (305k points)
0

Hello Richard,

Do we understand correctly that the Name and Email columns should contain comma-separated names and email addresses of all the delegates independently of the permissions they have?

by (260 points)
0

There should be a line per 'name', per mailbox? It shows myself there twice, so it should be able to show a result per line, right? Just with the combined permission type rather than that being per line too?

by (305k points)
0

Hello Richard,

The Name column is always present in a report. The best approach for multiple mailboxes would be as follows:

  • The report items will be grouped by the selected mailbox.
  • Each group will contain the objects that are granted permissions over the mailbox.
  • The report will have the Name column for delegates and custom columns Send on Behalf, Full Access and Send As.
  • Each custom column will have value Yes or No based on the permissions of the delegate in the mailbox.

Does this approach meet your needs?
by (260 points)
0

I think I've managed to create what I'm after now. It seems to be working well for me (added a parameter for the permission type)

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Reference custom report columns
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" # Column ID of the Mailbox custom objectID column
$column_permission = "{d5ae6fbf-3ce6-4ab1-8ada-dce2c64fa8a4}" # Column ID of the Permission custom column

# Split out multiple mailboxes
$mailboxes = "%param-Mailbox%"
$mailboxes = $mailboxes.split(";")

Foreach ($mailbox in $mailboxes) {

    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, "$mailbox")
    $columnValues.Add($column_permission, "%param-permission%")

    # Bind to the mailbox
    $user = $admService.OpenObject("Adaxes://$mailbox", $NULL, $NULL, 0)

    # Get Exchange properties
    $mailboxParams = $user.GetMailParameters()

    If ("%param-permission%" -eq "Full Access"){
        $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
        if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
        Else {
            foreach ($object in $fullAccess) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN")
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
    ElseIf ("%param-permission%" -eq "Send As"){
        $sendAs = $mailboxParams.SendAs
        if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
        Else {
            foreach ($object in $sendAs) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN") 
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
    Else {
        $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
        if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
        Else {
            foreach ($object in $sendOnBehalfOf) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report 
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN") 
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
}

Also created one for running on an OU/Domain too (might take a while)

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")


# Search filter
$filterUsers = "(sAMAccountType=805306368)"
$Context.DirectorySearcher.AppendFilter($filterUsers)

# Reference custom report columns
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" # Column ID of the Mailbox custom objectID column
$column_permission = "{d5ae6fbf-3ce6-4ab1-8ada-dce2c64fa8a4}" # Column ID of the Permission custom column

# Add properties necessary to generate the report
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("distinguishedname")

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        $MailboxDN = $searchResult.GetPropertyByName("distinguishedname").Values[0]

        # Bind to the mailbox
        $user = $admService.OpenObject("Adaxes://$mailboxDN", $NULL, $NULL, 0)

        # Get Exchange properties
        $mailboxParams = $user.GetMailParameters()

        $columnValues = @{
            $column_mailbox = $MailboxDN;
            $column_permission = "%param-permission%";}
        #$Context.Items.Add($searchResult, $columnValues, $NULL)

        If ("%param-permission%" -eq "Full Access"){
            $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
            if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
            Else {
                foreach ($object in $fullAccess) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN")
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
        ElseIf ("%param-permission%" -eq "Send As"){
            $sendAs = $mailboxParams.SendAs
            if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
            Else {
                foreach ($object in $sendAs) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN") 
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
        Else {
            $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
            if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
            Else {
                foreach ($object in $sendOnBehalfOf) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report 
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN") 
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}

1 Answer

by (305k points)
0 votes

Hello Richard,

The scripts will not work properly as Send As and Send on Behalf permissions are retrieved as collections, not as arrays. We updated the scripts accordingly.

Script 1

$permissionParameterValue = "%param-permission%"

# Reference custom report columns
$column_mailbox = "{b12566fb-25a3-41d1-96fe-db944a2f6c7d}" # Column ID of the Mailbox custom objectID column
$column_permission = "{577c8156-b6ef-4e07-a931-ceddea75bf2c}" # Column ID of the Permission custom column

# Split out multiple mailboxes
$mailboxDNs = "%param-Mailbox%".Split(";")

foreach ($mailboxDN in $mailboxDNs) 
{
    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, $mailboxDN)
    $columnValues.Add($column_permission, $permissionParameterValue)

    # Get Exchange properties
    $user = $Context.BindToObjectByDNEx($mailboxDN, $True)
    $mailboxParams = $user.GetMailParameters()

    $objectFound = 0
    if ($permissionParameterValue -eq "Full Access")
    {
        $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
        foreach ($object in $fullAccess) 
        {
            if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            # Add item to report
            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }
    elseif ($permissionParameterValue -eq "Send As")
    {
        $sendAs = $mailboxParams.SendAs
        for ($i = 0; $i -lt $sendAs.Count; $i++)
        {
            $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }
    else
    {
        $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
        for ($i = 0; $i -lt $sendOnBehalfOf.Count; $i++)
        {
            $object = $sendOnBehalfOf.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }

    if ($objectFound -eq 0) 
    {
        $Context.Items.Add(-1, "No '$permissionParameterValue' rights on mailbox", "Information", $columnValues)
        continue
    }
}

Script 2

$permissionParameterValue = "%param-permission%"

# Reference custom report columns
$column_mailbox = "{b12566fb-25a3-41d1-96fe-db944a2f6c7d}" # Column ID of the Mailbox custom objectID column
$column_permission = "{577c8156-b6ef-4e07-a931-ceddea75bf2c}" # Column ID of the Permission custom column

$Context.DirectorySearcher.AppendFilter("(&(sAMAccountType=805306368)(msExchRecipientTypeDetails=1))")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("distinguishedname")
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $mailboxDN = $searchResult.GetPropertyByName("distinguishedname").Values[0]

        # Create hash table and specify column value
        $columnValues = @{ }
        $columnValues.Add($column_mailbox, $mailboxDN)
        $columnValues.Add($column_permission, $permissionParameterValue)

        # Get Exchange properties
        $user = $Context.BindToObjectBySearchResultEx($searchResult, $True)
        $mailboxParams = $user.GetMailParameters()

        $objectFound = 0
        if ($permissionParameterValue -eq "Full Access")
        {
            $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
            foreach ($object in $fullAccess) 
            {
                if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                # Add item to report
                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }
        elseif ($permissionParameterValue -eq "Send As")
        {
            $sendAs = $mailboxParams.SendAs
            for ($i = 0; $i -lt $sendAs.Count; $i++)
            {
                $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
                if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }
        else
        {
            $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
            for ($i = 0; $i -lt $sendOnBehalfOf.Count; $i++)
            {
                $object = $sendOnBehalfOf.GetItem($i, [ref]"ADS_PROPERTY_NONE")
                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }

        if ($objectFound -eq 0) 
        {
            $Context.Items.Add(-1, "No '$permissionParameterValue' rights on mailbox", "Information", $columnValues)
            continue
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
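
The one-row-per-delegate layout with Yes/No permission columns proposed earlier in this thread can be built by pivoting the three delegate lists. This is an added example, not code from the thread or from Adaxes: the function name `ConvertTo-DelegateMatrix`, its parameters and the sample DNs are assumptions, and it works on plain DN strings (such as those the scripts above read from each trustee) rather than calling the SDK.

```powershell
# Added example: pivot per-permission delegate lists into one row per
# (mailbox, delegate) with Yes/No flags. Pure PowerShell, no Adaxes calls.
function ConvertTo-DelegateMatrix {
    param(
        [Parameter(Mandatory)] [string] $MailboxDN,
        # Hypothetical input shape: permission name -> delegate DNs
        [Parameter(Mandatory)] [hashtable] $DelegatesByRight
    )

    $rights = 'Full Access', 'Send As', 'Send On Behalf'
    $rows = [ordered]@{}

    foreach ($right in $rights) {
        foreach ($dn in @($DelegatesByRight[$right])) {
            # Skip trustees that did not resolve to a directory object,
            # mirroring the null SearchResult check in the scripts above
            if ([string]::IsNullOrWhiteSpace($dn)) { continue }

            # DNs compare case-insensitively, so normalise the lookup key
            $key = $dn.ToLowerInvariant()
            if (-not $rows.Contains($key)) {
                $rows[$key] = [ordered]@{
                    Mailbox          = $MailboxDN
                    Delegate         = $dn
                    'Full Access'    = 'No'
                    'Send As'        = 'No'
                    'Send On Behalf' = 'No'
                }
            }
            $rows[$key][$right] = 'Yes'
        }
    }

    $rows.Values | ForEach-Object { [pscustomobject]$_ }
}

# Constructed sample input (not real directory data)
$sample = @{
    'Full Access'    = 'CN=Alice Example,OU=Staff,DC=example,DC=com',
                       'CN=Bob Example,OU=Staff,DC=example,DC=com'
    'Send As'        = 'cn=alice example,ou=staff,dc=example,dc=com', $null
    'Send On Behalf' = @()
}

ConvertTo-DelegateMatrix -MailboxDN 'CN=Shared Box,OU=Mailboxes,DC=example,DC=com' -DelegatesByRight $sample |
    Format-Table Delegate, 'Full Access', 'Send As', 'Send On Behalf' -AutoSize
```

A delegate that holds more than one right appears once with several Yes values, which makes over-broad delegation on a mailbox easier to spot than three separate single-permission reports.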
