0 votes

Hello,

We are experiencing the following issue:

1. Use Adaxes to Create a new user and mail enable the user.
2. try to use Adaxes to assign Send As rights to another user.

Result:

The ACL for the object "CN=username,OU=Users,DC=domain,DC=com" is not in canonical order (Deny/Allow/Inherited) and will be ignored.

We are using Exchange 2007 Sp3 UR10 and Adaxes version 3.5.9329.0.

This behavior does NOT occur if we create the account using the Exchange console, however the error DOES occur if we try to assign the Send As permssion using the Exchange console if the account was created in Adaxes.

Please help.

by (710 points)
0

Hello,

To help us troubleshoot the issue, can you do the following:

  1. On the computer where your Exchange Server is installed, open Exchange Management Shell.

  2. Execute the following PowerShell line in the Shell:
    Get-ADPermission user_dn | Format-List > path_to_file,
    where:

    • user_dn - DN (distinguished Name) of a user that you are experiencing issues with,
    • path_to_file - path to an output file that will be created after executing the command.

    Example:
    Get-ADPermission "CN=John Doe,OU=Users,DC=domain,DC=com" | Format-List > C:\JohnDoe_permissions.txt

  3. Execute the same line, but with a user account created in Exchange console (an account that you are not experiencing issues with) and save the output to another file.

  4. Send both the files to our support email (support[at]adaxes.com) so that we can study them.

0

Email sent.

Pleae help asap... this is a critical issue.

1 Answer

0 votes
by (215k points)

We managed to identify the cause of the issue. The thing is that when the User cannot change password Account Option is set for a user, the user's ACL is built incorrectly. This is a bug in Adaxes that will be fixed in the next release, thank you for the bugreport!

To fix the issue until a fix is available, you can use the following script that will regenerate the ACL:

$ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
$UserChangePasswordRightGuid = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

function MoveDenyAce($dacl, $trusteeType)
{
    for ($i = 0; $i -lt $dacl.Count; $i++)
    {
        $ace = $dacl[$i];
        if (($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -ne 0)
        {
            continue
        }
        if (($ace.AccessMask -ne $ADS_RIGHT_DS_CONTROL_ACCESS) -or 
            ($ace.ObjectAceType -ne $UserChangePasswordRightGuid))
        {
            continue
        }
        if ($ace.AceQualifier -ne 'AccessDenied')
        {
            continue
        }
        if (-not $ace.SecurityIdentifier.IsWellKnown($trusteeType))
        {
            continue;
        }
        $dacl.RemoveAce($i);
        $dacl.InsertAce(0, $ace)
    }

}

$Context.TargetObject.GetInfoEx(@("ntSecurityDescriptor"), 0)
$securityDescriptorPropertyEntry = $Context.TargetObject.GetPropertyItem("ntSecurityDescriptor", "ADSTYPE_OCTET_STRING")
$securityDescriptorBinary = $securityDescriptorPropertyEntry.Values[0].OctetString
$rawSecurityDescriptor = New-Object "System.Security.AccessControl.RawSecurityDescriptor" @($securityDescriptorBinary, 0)

$dacl = $rawSecurityDescriptor.DiscretionaryAcl
MoveDenyAce $dacl 'SelfSid'
MoveDenyAce $dacl 'WorldSid'
$rawSecurityDescriptor.DiscretionaryAcl = $dacl

$securityDescriptorBinary = new-object byte[] $rawSecurityDescriptor.BinaryLength
$rawSecurityDescriptor.GetBinaryForm($securityDescriptorBinary, 0)
$Context.TargetObject.Put("ntSecurityDescriptor", $securityDescriptorBinary)
$Context.TargetObject.SetInfoEx(@("ntSecurityDescriptor"))

You can use Adaxes Business Rules and the Run a program or PowerShell script action to execute the script automatically once the User cannot change password Option is set. For example, if you set the User cannot change password in a Business Rule, you can insert the Run a program or PowerShell script action that will execute the above script after setting the User cannot change password Account Option. To do this:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, navigate to and select the Business Rule that sets the User cannot change password Account Option.
  3. Select the set of actions and conditions that sets the User cannot change password Account Option and click the Add Action button.
  4. Select the Run a program or PowerShell script action and paste the above script.
  5. Click OK.
  6. Use the arrow buttons at the bottom of the actions and conditions of the Business Rule to place the newly create action right after the User cannot change password Account Option is set.
  7. When done, save the Business Rule.

Alternatively, if the Account Option is set creating a new user, you can create a Business Rule that will launch the above script right after creating a new user in AD. to do this:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select User and After Creating a User.
  3. on the 3rd step, add the Run a program or PowerShell script action and paste the above script.
  4. Click OK.
  5. Click the Add Condition button.
  6. Select the If certain Account Options are enabled/disabled condition type.
  7. Check the two checkboxes opposite the User cannot change password option.
  8. Finish creation of the Business Rule.
0

Thank you for your quick and detailed reply.

I have implemented and tested the workaround and it seems to work good.

do you have an ETA when the fix will be released?

Thanks.

0

Hello,

The fix will be included in Adaxes 2013.2 that is expected to be released in late September.

0

Hello,

Adaxes 2013.2 is finally available. Now, Adaxes builds correct ACLs when the User cannot change password Account Option is set for a user. With the new version, you can get rid of the workaround provided in Exchange Send As - ACL not in canonical order. You can download Adaxes 2013.2 here.

Upgrade Instructions.

For a complete list of new features and improvements, see What's New.

Related questions

0 votes
1 answer

how can i create a report which gives me the details from an exchange mailbox as described in the subject? I would like to have a Report for Exchange Mailboxes with OU, Send on Behalf, Full Rights and Send As Rights thank you

asked Feb 22, 2021 by m_st (200 points)
0 votes
1 answer

Hello I'm trying to run a custom PowerShell script to request a Workspace ONE Access Sync when I change something in our users or groups. Here is the script: $ClientId = "api ... of having to create 6 independent rules with each of them a copy of the script)?

asked Sep 25, 2021 by ygini (160 points)
0 votes
1 answer

Hi, It seems that we're having a problem with renaming users. When our administrators rename a user our AD reflects the changes as expected, but the name in the ... 2012.1 Active Directory in 2003 mode, forest mode 2000 Exchange 2007 SP3 Regards, Troels

asked Mar 4, 2013 by THylsberg (70 points)
0 votes
1 answer

Thank you it works, The Question i got is, What Value Separtor i have to use for Selecting multiple user for the AD object picker . For the this https://www.adaxes.com/ ... mailbox-access-to-user-s502.htm how do I add send as permission access in the Script.

asked Nov 8, 2021 by Sandberg94 (250 points)
0 votes
1 answer

Using the built in 'Deprovision' Custom Command, I would like the person that is trying to Deprovision a user (Help Desk member) be asked who (from a list of existing active ... to leave the question 'blank', which means that no one gets access to the mailbox.

asked Apr 22, 2020 by RayBilyk (180 points)
2,738 questions
2,473 answers
6,471 comments
1,359,435 users