We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Check if Full Access permissions are modified

June 22, 2023 Views: 1024

The script checks whether Full Access permissions are modified for a mailbox. To run the script, use the If PowerShell script returns true condition in a business rule triggering Before/After modifying a user/modifying Exchange properties of a user.

Edit Remove
$Context.ConditionIsMet = $False

# Check whether mailbox rights are modified
$modifiedMailboxParams = $Context.Action.MailParameters

if (-not($modifiedMailboxParams.MailboxRightsModificationEnabled))
    return # Mailbox rights are not modified

# Check modifications
$modifiedMailboxRights = $modifiedMailboxParams.MailboxRights
$modifications = $modifiedMailboxRights.GetModifications()
if ($modifications.Length -ne 0)
    foreach ($modification in $modifications)
        $permissions = $modification.Permission
        if ($permissions.AllowedRights -band $fullAccessFlag -or 
            $permissions.InheritedAllowedRights -band $fullAccessFlag -or
            $permissions.DeniedRights -band $fullAccessFlag -or
            $permissions.InheritedDeniedRights -band $fullAccessFlag)
            $Context.ConditionIsMet = $True

# Compare current permissions with modified
$mailboxParams = $Context.TargetObject.GetMailParameters()
$fullAccess = New-Object "System.Collections.Generic.HashSet[System.Object]"
$modifiedFullAccess = New-Object "System.Collections.Generic.HashSet[System.Object]"
$mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS") | %%{[void]$fullAccess.Add($_)}
$modifiedMailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS") | %%{[void]$modifiedFullAccess.Add($_)}

$Context.ConditionIsMet = -not($fullAccess.SetEquals($modifiedFullAccess))

Comments 0
Leave a comment

Got questions?

Support Questions & Answers