Script Repository

Check whether specific user account has full access to mailbox

February 24, 2021 Views: 1581

The script checks whether a specific user has full access to the mailbox on which the script is executed. If the user does not have full access, the mailbox is added to a certain attribute of that user's account (and, if the user does have access, the mailbox is removed from it). The attribute must use the DN syntax and allow multiple values. Examples: See Also (LDAP name seeAlso), Secretary (LDAP name secretary).

To generate the list on demand, create a custom command that runs the script on a mailbox. To add the script to your command, use the Run a program or PowerShell script action. To update the list on a regular basis, create a scheduled task.

Parameters:

  • $fullAccessUserDN - Specifies the Distinguished Name (DN) of the user who should have access to the mailbox.
  • $attributeName - Specifies the LDAP name of the attribute where the mailbox must be added if the user does not have full access.
PowerShell
$fullAccessUserDN = "CN=John Smith,OU=Users,DC=Domain,DC=com" # TODO: modify me
$attributeName = "seeAlso" # TODO: modify me

# Bind to the user account and get its SID
$fullAccessUser = $Context.BindToObjectByDN($fullAccessUserDN)
$fullAccessUserSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($fullAccessUser.Get("ObjectSid"), 0)

# Get mailbox parameters of the mailbox the script is executed on
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Get the trustees that are granted Full Access to the mailbox
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")

$userHasFullAccess = $False
foreach ($object in $fullAccess)
{
    $sidString = $object.ObjectSid
    if ([System.String]::IsNullOrEmpty($sidString))
    {
        continue
    }
    elseif ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sidString))
    {
        # Skip built-in principals such as SELF or NT AUTHORITY\SYSTEM
        continue
    }
    
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" $sidString
    if ($sid -ne $fullAccessUserSid)
    {
        continue
    }

    $userHasFullAccess = $True
    break
}

# Update the mailbox list stored in the user's attribute
$mailboxDNs = New-Object "System.Collections.Generic.HashSet[System.String]"

try
{
    $values = $fullAccessUser.GetEx($attributeName)
}
catch
{
    # The attribute has no values yet
    $values = @()
}

$values | ForEach-Object {[void]$mailboxDNs.Add($_.ToLower())}

# DN of the mailbox the script is executed on
$targetMailboxDN = "%distinguishedName%".ToLower()

if ($userHasFullAccess -and $mailboxDNs.Contains($targetMailboxDN))
{
    [void]$mailboxDNs.Remove($targetMailboxDN)
}
elseif (!($userHasFullAccess) -and !($mailboxDNs.Contains($targetMailboxDN)))
{
    [void]$mailboxDNs.Add($targetMailboxDN)
}

# Save the changes; an empty list must be cleared with PutEx rather than written with Put
if ($mailboxDNs.Count -eq 0)
{
    $fullAccessUser.PutEx("ADS_PROPERTY_CLEAR", $attributeName, $null)
}
else
{
    $fullAccessUser.Put($attributeName, @($mailboxDNs))
}
$fullAccessUser.SetInfo()
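The decision logic of the script (skip empty and well-known trustee SIDs, compare the remaining SIDs with the user's SID, then add or remove the mailbox DN in the tracking list) can be exercised outside Adaxes. The following is an added example, not part of the Adaxes repository script: it rewrites that logic against plain SID strings using the .NET SecurityIdentifier class, so it can be run in any PowerShell session with constructed input before the real script is deployed. The function names, the SID values and the mailbox DN are assumptions made for the example; the .NET check IsAccountSid() stands in for the Adaxes IsWellKnown() call (it is true only for SIDs of domain or local accounts, so built-in principals such as SELF are skipped).

```powershell
# Added example: Adaxes-independent version of the full-access check and list update.
# Function names, SIDs and DNs below are constructed for illustration.

function Test-TrusteeHasFullAccess {
    param(
        [string[]]$TrusteeSids,   # SID strings of the trustees granted Full Access
        [string]$UserSid          # SID string of the user being checked
    )
    $target = New-Object System.Security.Principal.SecurityIdentifier $UserSid
    foreach ($sidString in $TrusteeSids) {
        if ([string]::IsNullOrEmpty($sidString)) { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier $sidString
        # Skip well-known / built-in principals (e.g. S-1-5-10 = SELF); only account SIDs count
        if (-not $sid.IsAccountSid()) { continue }
        if ($sid.Equals($target)) { return $true }
    }
    return $false
}

function Get-UpdatedMailboxList {
    param(
        [string[]]$CurrentValues,  # DNs currently stored in the tracking attribute
        [string]$MailboxDN,        # DN of the mailbox that was checked
        [bool]$HasFullAccess       # result of Test-TrusteeHasFullAccess
    )
    # Case-insensitive membership, as DNs are compared lower-cased in the script
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($value in $CurrentValues) { [void]$set.Add($value.ToLower()) }
    $dn = $MailboxDN.ToLower()
    if ($HasFullAccess) { [void]$set.Remove($dn) } else { [void]$set.Add($dn) }
    return @($set)
}

# Constructed sample data: SELF, an empty entry, two domain accounts (RID 1105 and 500)
$trustees = @("S-1-5-10", "", "S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-500")
$johnSid  = "S-1-5-21-1111-2222-3333-1105"
$janeSid  = "S-1-5-21-1111-2222-3333-1200"
$mailbox  = "CN=Sales,OU=Mailboxes,DC=domain,DC=com"

# John is a trustee, so the mailbox is removed from his list (result: no entries)
$johnHas  = Test-TrusteeHasFullAccess -TrusteeSids $trustees -UserSid $johnSid
$johnList = @(Get-UpdatedMailboxList -CurrentValues @($mailbox) -MailboxDN $mailbox -HasFullAccess $johnHas)

# Jane is not a trustee, so the mailbox is added to her (initially empty) list
$janeHas  = Test-TrusteeHasFullAccess -TrusteeSids $trustees -UserSid $janeSid
$janeList = @(Get-UpdatedMailboxList -CurrentValues @() -MailboxDN $mailbox -HasFullAccess $janeHas)

"John has full access: $johnHas; list entries: $($johnList.Count)"
"Jane has full access: $janeHas; list entries: $($janeList.Count)"
```

When the resulting list is empty, the real script must clear the attribute with PutEx("ADS_PROPERTY_CLEAR", ...) instead of calling Put with an empty array; the example only returns the list so the two cases can be seen side by side.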
See Also: Grant full mailbox access to user