The scripts disable Outlook Auto-Mapping after full access to an Exchange mailbox has been granted. To use them, create two business rules:
- Triggered before updating Exchange properties of a user.
  Purpose: saves the list of trustees who have full access to the mailbox before the permissions are updated.
- Triggered after updating Exchange properties of a user.
  Purpose: compares the trustees who have full access after the operation with the list saved by the first script. For every trustee who newly gained full access, the script revokes the permission and grants it again with Outlook Auto-Mapping disabled.
Script 1
Parameter:
- $trusteesAttribute - Specifies the LDAP name of the attribute that holds the list of full access trustees before the permission update. The attribute must be of the String type and allow multiple values. You can use one of the Adaxes multi-valued custom attributes for this purpose.
PowerShell
$trusteesAttribute = "adm-CustomAttributeTextMultiValue1" # TODO: modify me

# Snapshot the trustees that hold full access to the target mailbox right now,
# so the "after update" business rule can tell which trustees are new.
$targetObject = $Context.TargetObject
$mailboxParams = $targetObject.GetMailParameters()
$currentFullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")

# Keep the SIDs of real trustees only: entries without a SID and well-known
# principals are dropped, as is the SID that %objectSid% resolves to
# (presumably the target object itself).
$fullAccessIdentities = @(
    $currentFullAccess | Where-Object {
        -not [System.String]::IsNullOrEmpty($_.ObjectSid) -and
        -not [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($_.ObjectSid) -and
        $_.ObjectSid -ine "%objectSid%"
    } | ForEach-Object { $_.ObjectSid }
)

# Persist the snapshot in the multi-valued attribute; an empty snapshot
# clears the attribute instead.
if ($fullAccessIdentities.Count -eq 0)
{
    $targetObject.PutEx("ADS_PROPERTY_CLEAR", $trusteesAttribute, $null)
}
else
{
    $targetObject.PutEx("ADS_PROPERTY_UPDATE", $trusteesAttribute, $fullAccessIdentities)
}
$targetObject.SetInfo()
Script 2
Parameters:
- $exchangeServer - Specifies the fully qualified domain name (FQDN) of your Exchange Server.
- $trusteesAttribute - Specifies the LDAP name of the attribute that holds a list of full access trustees before permission update. Must be the same as in Script 1.
PowerShell
# FQDN of the Exchange Server that exposes the remote PowerShell endpoint.
$exchangeServer = 'exchangeserver.domain.com' # TODO: modify me
# LDAP name of the multi-valued string attribute that Script 1 fills with the
# SIDs of the trustees that held full access before the update.
$trusteesAttribute = 'adm-CustomAttributeTextMultiValue1' # TODO: modify me
<#
Clears the multi-valued attribute that holds the pre-update list of full
access trustees and commits the change to the directory.
Reads: $Context (Adaxes script context), $trusteesAttribute (LDAP name).
#>
function ClearCustomAttribute()
{
    $target = $Context.TargetObject
    $target.PutEx("ADS_PROPERTY_CLEAR", $trusteesAttribute, $null)
    $target.SetInfo()
}
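# Collect the trustees that currently hold full access to the mailbox.
# The set compares SIDs case-insensitively, matching the -ieq test below, so a
# saved SID that differs only in letter case is still removed from the set.
$mailboxParams = $Context.TargetObject.GetMailParameters()
$mailboxRights = $mailboxParams.MailboxRights
$fullAccess = $mailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
$fullAccessIdentities = New-Object "System.Collections.Generic.HashSet[System.String]" `
    -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
foreach ($object in $fullAccess)
{
    # Keep SIDs of real trustees only: skip entries without a SID, well-known
    # principals and the SID that %objectSid% resolves to.
    if ([System.String]::IsNullOrEmpty($object.ObjectSid))
    {
        $Context.LogMessage("Unable to get Security Identifier of object " + $object.Identifier , "Warning")
        continue
    }
    elseif ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
    {
        continue
    }
    elseif ($object.ObjectSid -ieq "%objectSid%")
    {
        continue
    }
    $fullAccessIdentities.Add($object.ObjectSid) | Out-Null
}

# Load the snapshot that Script 1 saved before the update. GetEx is expected
# to throw when the attribute holds no values; then there is nothing to compare
# against and the run ends here.
try
{
    $savedFullAccessTrustees = $Context.TargetObject.GetEx($trusteesAttribute)
}
catch
{
    ClearCustomAttribute
    return # No need to check
}

# Whatever remains after removing the saved SIDs was granted by this operation.
foreach ($objectSid in $savedFullAccessTrustees)
{
    $fullAccessIdentities.Remove($objectSid) | Out-Null
}
if ($fullAccessIdentities.Count -eq 0)
{
    ClearCustomAttribute
    return # No new trustees with full access permissions
}

# Open the remote Exchange session BEFORE revoking anything: if the connection
# fails, the trustees keep their (auto-mapped) full access instead of losing it
# with no way to re-grant it. Kerberos is requested explicitly so the session
# cannot negotiate down to NTLM; the endpoint is plain HTTP, so the Kerberos
# message-level encryption is what protects the traffic. Prefer https:// if
# the Exchange PowerShell virtual directory has TLS enabled.
$session = $null
try
{
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$exchangeServer/PowerShell" `
        -Authentication Kerberos -ErrorAction Stop
    Import-PSSession $session -DisableNameChecking -AllowClobber -ErrorAction Stop | Out-Null
}
catch
{
    if ($session) { Remove-PSSession $session }
    $Context.LogMessage("Unable to connect to Exchange Server " + $exchangeServer + ": " + $_.Exception.Message, "Error")
    ClearCustomAttribute
    return # Permissions are left as they are
}

try
{
    # Revoke full access from the new trustees through the Adaxes API ...
    foreach ($objectSid in $fullAccessIdentities)
    {
        $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
        $objReference.ObjectSid = $objectSid
        $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
        $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
        $permission.Trustee = $objReference
        $mailboxRights.RemovePermission($permission)
    }
    $mailboxParams.MailboxRights = $mailboxRights
    $Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")

    # ... and grant it again via Exchange with auto-mapping disabled.
    foreach ($objectSid in $fullAccessIdentities)
    {
        try
        {
            Add-MailboxPermission -Identity "%distinguishedName%" -User $objectSid `
                -AccessRights FullAccess -InheritanceType All -AutoMapping $false -ErrorAction Stop | Out-Null
        }
        catch
        {
            # Access was already revoked above, so a failure here must not stay silent.
            $Context.LogMessage("Unable to re-grant full access to " + $objectSid + ": " + $_.Exception.Message, "Error")
        }
    }
}
finally
{
    # Always close the remote session and drop the snapshot attribute,
    # whether or not the re-grant succeeded.
    Remove-PSSession $session
    ClearCustomAttribute
}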