Check whether specific user account has full access to mailbox

February 24, 2021

This script checks whether a specific user account has full access to the mailbox the script is executed on. If the user does not have full access, the mailbox is added to a specified attribute of that user account. The attribute must use the DN syntax and allow multiple values, for example See Also (LDAP name seeAlso) or Secretary (LDAP name secretary).

To generate the list on demand, create a custom command that runs the script on a mailbox. To add the script to your command, use the Run a program or PowerShell script action. To update the list on a regular basis, create a scheduled task.

Parameters:

  • $fullAccessUserDN - Specifies the Distinguished Name (DN) of the user who should have full access to the mailbox.
  • $attributeName - Specifies the LDAP name of the attribute of that user account to which the mailbox must be added if the user does not have full access.

$fullAccessUserDN = "CN=John Smith,OU=Users,DC=Domain,DC=com" # TODO: modify me
$attributeName = "seeAlso" # TODO: modify me

# Get SID of the user who should have full access
$fullAccessUser = $Context.BindToObjectByDN($fullAccessUserDN)
$fullAccessUserSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($fullAccessUser.Get("ObjectSid"), 0)

# Get mailbox parameters of the mailbox the script is executed on
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Get trustees granted the Full Access mailbox right (Adaxes ADM_EXCHANGE_MAILBOXRIGHT_ENUM value)
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOXRIGHT_FULLACCESS")

$userHasFullAccess = $False
foreach ($object in $fullAccess)
{
    $sidString = $object.ObjectSid
    # Skip trustees without a SID and well-known principals (SELF, NT AUTHORITY\SYSTEM, ...)
    if ([System.String]::IsNullOrEmpty($sidString))
    {
        continue
    }
    elseif ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sidString))
    {
        continue
    }
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" $sidString
    if ($sid -ne $fullAccessUserSid)
    {
        continue
    }
    $userHasFullAccess = $True
    break
}

# Update the mailbox list stored in the attribute of the full access user
$userDNs = New-Object "System.Collections.Generic.HashSet[System.String]"
try
{
    # GetEx throws if the attribute currently has no values
    $values = $fullAccessUser.GetEx($attributeName)
}
catch
{
    $values = @()
}
$values | ForEach-Object { [void]$userDNs.Add($_.ToLower()) }

# DN of the mailbox owner (Adaxes value reference, resolved before the script runs)
$targetUserDN = "%distinguishedName%".ToLower()

if ($userHasFullAccess -and $userDNs.Contains($targetUserDN))
{
    [void]$userDNs.Remove($targetUserDN) # access is in place: drop the mailbox from the list
}
elseif (!($userHasFullAccess) -and !($userDNs.Contains($targetUserDN)))
{
    [void]$userDNs.Add($targetUserDN) # access is missing: add the mailbox to the list
}

# Save changes; an empty multi-valued attribute must be cleared rather than set to an empty array
if ($userDNs.Count -eq 0)
{
    $fullAccessUser.PutEx("ADS_PROPERTY_CLEAR", $attributeName, $NULL)
}
else
{
    $fullAccessUser.Put($attributeName, @($userDNs))
}
$fullAccessUser.SetInfo()

See Also: Grant full mailbox access to user

