We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Check whether specific user account has full access to mailbox

February 24, 2021 Views: 1581

The script checks whether a specific user has full access to the mailbox on which the script is executed. If the user doesn't have the access, the mailbox is added to a certain attribute of the user account. The attribute must support the DN syntax and allow multiple values. Examples: See Also (LDAP name seeAlso), Secretary (LDAP name secretary).

To generate the list on demand, create a custom command that runs the script on a mailbox. To add the script to your command, use the Run a program or PowerShell script action. To update the list on a regular basis, create a scheduled task.


  • $fullAccessUserDN - Specifies the Distinguished Name (DN) of the user who should have access to the mailbox.
  • $attributeName - Specifies the LDAP name of the attribute where the mailbox must be added if the user does not have full access.
Edit Remove
$fullAccessUserDN = "CN=John Smith,OU=Users,DC=Domain,DC=com" # TODO: modify me
$attributeName = "seeAlso" # TODO: modify me

# Get SID of full access user
$fullAccessUser = $Context.BindToObjectByDN($fullAccessUserDN)
$fullAccessUserSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($fullAccessUser.Get("ObjectSid"), 0)

# Get mailbox parameters
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Get full access trustees
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights(

$userHasFullAccess = $False
foreach ($object in $fullAccess)
    $sidString = $object.ObjectSid
    if ([System.String]::IsNullOrEmpty($sidString))
    elseIf ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sidString))
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" $sidString
    if ($sid -ne $fullAccessUserSid)

    $userHasFullAccess = $True

# Update Mailbox List
$userDNs = New-Object "System.Collections.Generic.HashSet[System.String]"

    $values = $user.GetEx($attributeName)
    $values = @()

$values | %%{[void]$userDNs.Add($_.ToLower())}

$targetUserDN = "%distinguishedName%".ToLower()

if ($userHasFullAccess -and $userDNs.Contains($targetUserDN))
elseif (!($userHasFullAccess) -and !($userDNs.Contains($targetUserDN)))

$user.Put($attributeName, @($userDNs))
See Also: Grant full mailbox access to user
Comments 0
Leave a comment

Got questions?

Support Questions & Answers