Script Repository


Check whether users are granting themselves full mailbox access

April 09, 2019

The script returns True when a user attempts to grant full mailbox access to their own account. To run the script, create a Business Rule triggering Before modifying Exchange properties of a user that runs the script using the If PowerShell script returns True condition.

PowerShell
$Context.ConditionIsMet = $False

# Check whether mailbox rights are modified
$modifiedMailboxParams = $Context.Action.MailParameters

if (-not($modifiedMailboxParams.MailboxRightsModificationEnabled))
{
    return # Mailbox rights are not modified
}

# Check whether operation initiator already has full access rights
# Get trustees that have full mailbox access
$mailboxParams = $Context.TargetObject.GetMailParameters()
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")

# Get operation initiator's SID
$initiatorSid = New-Object "Softerra.Adaxes.Adsi.Sid" "%adm-InitiatorSid%"

foreach ($trustee in $fullAccess)
{
    if ([System.String]::IsNullOrEmpty($trustee.ObjectSid))
    {
        continue
    }

    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
    {
        continue
    }
    
    $objectSid = New-Object "Softerra.Adaxes.Adsi.Sid" $trustee.ObjectSid
    if ($objectSid -eq $initiatorSid)
    {
        return
    }
}

# Get modifications in full access rights
$modifiedFullAccess = $modifiedMailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")

foreach ($trustee in $modifiedFullAccess)
{
    if ([System.String]::IsNullOrEmpty($trustee.ObjectSid))
    {
        continue
    }
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
    {
        continue
    }
    
    $objectSid = New-Object "Softerra.Adaxes.Adsi.Sid" $trustee.ObjectSid
    if ($objectSid -eq $initiatorSid)
    {
        $Context.ConditionIsMet = $True # The initiator is trying to grant Full Access to themselves
        return
    }
}
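The same check, as an added example that is not part of the repository script: the logic is factored into a function that takes plain SID strings and uses the standard .NET SecurityIdentifier type instead of the Adaxes classes, so it can be exercised outside a Business Rule. The function name, parameters and sample SIDs are constructed for the example.

```powershell
# Added example (not the Adaxes repository script): decide whether the operation
# initiator is granting Full Access to their own account, using only .NET types.

function Get-AccountSid {
    # Normalise SID strings and keep only account SIDs (S-1-5-21-...).
    # Empty values and well-known principals such as NT AUTHORITY\SELF (S-1-5-10),
    # which Exchange lists on every mailbox by default, are skipped.
    param([string[]]$Sids)
    foreach ($s in $Sids) {
        if ([string]::IsNullOrEmpty($s)) { continue }
        $sid = [System.Security.Principal.SecurityIdentifier]$s
        if ($sid.IsAccountSid()) { $sid.Value }
    }
}

function Test-SelfGrantedFullAccess {
    param(
        [string]$InitiatorSid,          # SID of the user performing the change
        [string[]]$ExistingFullAccess,  # trustees with Full Access before the change
        [string[]]$RequestedFullAccess  # trustees the change grants Full Access to
    )
    $initiator = ([System.Security.Principal.SecurityIdentifier]$InitiatorSid).Value
    $before = @(Get-AccountSid $ExistingFullAccess)
    $after  = @(Get-AccountSid $RequestedFullAccess)

    # Initiator already holds Full Access: nothing new is being self-granted.
    if ($before -contains $initiator) { return $false }

    # Condition is met only when the initiator appears among the newly granted trustees.
    return ($after -contains $initiator)
}

# Constructed sample data (hypothetical domain SID and RIDs).
$me        = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$existing  = @('S-1-5-10', 'S-1-5-21-1111111111-2222222222-3333333333-500')
$requested = @('S-1-5-10', $me)

# Initiator adds their own account: the condition should be met.
Test-SelfGrantedFullAccess -InitiatorSid $me -ExistingFullAccess $existing -RequestedFullAccess $requested

# Initiator already had Full Access: the condition should not be met.
Test-SelfGrantedFullAccess -InitiatorSid $me -ExistingFullAccess ($existing + $me) -RequestedFullAccess $requested
```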

