We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Check if Full Access permissions are modified

June 22, 2023 Views: 1024

The script checks whether Full Access permissions are modified for a mailbox. To run the script, use the If PowerShell script returns true condition in a business rule triggering Before/After modifying a user/modifying Exchange properties of a user.

Edit Remove
PowerShell
$Context.ConditionIsMet = $False

# Check whether mailbox rights are modified
$modifiedMailboxParams = $Context.Action.MailParameters

if (-not($modifiedMailboxParams.MailboxRightsModificationEnabled))
{
    return # Mailbox rights are not modified
}

# Check modifications
$modifiedMailboxRights = $modifiedMailboxParams.MailboxRights
$modifications = $modifiedMailboxRights.GetModifications()
if ($modifications.Length -ne 0)
{
    $fullAccessFlag = [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS
    foreach ($modification in $modifications)
    {
        $permissions = $modification.Permission
        if ($permissions.AllowedRights -band $fullAccessFlag -or 
            $permissions.InheritedAllowedRights -band $fullAccessFlag -or
            $permissions.DeniedRights -band $fullAccessFlag -or
            $permissions.InheritedDeniedRights -band $fullAccessFlag)
        {
            $Context.ConditionIsMet = $True
            return
        }
    }
    return
}

# Compare current permissions with modified
$mailboxParams = $Context.TargetObject.GetMailParameters()
$fullAccess = New-Object "System.Collections.Generic.HashSet[System.Object]"
$modifiedFullAccess = New-Object "System.Collections.Generic.HashSet[System.Object]"
$mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS") | %%{[void]$fullAccess.Add($_)}
$modifiedMailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS") | %%{[void]$modifiedFullAccess.Add($_)}

$Context.ConditionIsMet = -not($fullAccess.SetEquals($modifiedFullAccess))

Comments 0
Leave a comment
Loading...

Got questions?

Support Questions & Answers