The script returns True when a user attempts to grant themselves full access to a mailbox. To run the script, create a business rule triggering Before modifying Exchange properties of a user that runs the script using the If PowerShell script returns True condition.
PowerShell
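# Adaxes business-rule condition: sets $Context.ConditionIsMet to $True when the
# operation initiator appears among the Full Access trustees in the modified
# mailbox rights. The condition stays $False when mailbox rights are not being
# modified, when the initiator already holds Full Access on the target mailbox,
# or when only other trustees are affected.
# NOTE(review): only the initiator's own SID is compared; group memberships of
# trustees granted Full Access are not expanded by this script.
$Context.ConditionIsMet = $False

#######################################
# Returns $True if any trustee in the collection has the initiator's SID.
# Arguments: $trustees     - result of MailboxRights.GetTrusteesGrantedRights()
#            $initiatorSid - Softerra.Adaxes.Adsi.Sid of the operation initiator
# Trustees without an ObjectSid and well-known security principals are skipped
# before the SID comparison.
#######################################
function Test-ContainsInitiator($trustees, $initiatorSid)
{
    foreach ($trustee in $trustees)
    {
        $sidString = $trustee.ObjectSid
        if ([System.String]::IsNullOrEmpty($sidString))
        {
            continue
        }
        if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sidString))
        {
            continue
        }
        $trusteeSid = New-Object "Softerra.Adaxes.Adsi.Sid" $sidString
        # -eq is case-insensitive by default, so it matches the -ieq used elsewhere
        if ($trusteeSid -eq $initiatorSid)
        {
            return $True
        }
    }
    return $False
}

# Nothing to evaluate unless the request changes mailbox rights
$modifiedMailboxParams = $Context.Action.MailParameters
if (-not($modifiedMailboxParams.MailboxRightsModificationEnabled))
{
    return
}

# Trustees that currently hold Full Access on the target mailbox
$mailboxParams = $Context.TargetObject.GetMailParameters()
$currentFullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")

# SID of the user who initiated the operation (value template expanded by Adaxes)
$initiatorSid = New-Object "Softerra.Adaxes.Adsi.Sid" "%adm-InitiatorSid%"

# An initiator who already has Full Access is not granting themselves anything new
if (Test-ContainsInitiator $currentFullAccess $initiatorSid)
{
    return
}

# Full Access trustees in the modified rights: flag the request if the initiator is one of them
$modifiedFullAccess = $modifiedMailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
if (Test-ContainsInitiator $modifiedFullAccess $initiatorSid)
{
    $Context.ConditionIsMet = $True # The initiator is trying to add himself
}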