The script checks whether a specific user has Full Access to the Exchange mailbox it is executed on. If the user does not have it, the script grants Full Access to that user.
To grant Full Access on demand, create a custom command that runs the script on a mailbox. To add the script to your command, use the Run a program or PowerShell script action. To re-apply the permission on a regular basis, run the script from a scheduled task instead.
PARAMETER:
- $fullAccessUserDN - Specifies the Distinguished Name (DN) of the user who should have access to the mailbox.
```powershell
$fullAccessUserDN = "CN=John Smith,OU=Users,DC=Domain,DC=com" # TODO: modify me

# Get SID of full access user
$fullAccessUser = $Context.BindToObjectByDN($fullAccessUserDN)
$fullAccessUserSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($fullAccessUser.Get("ObjectSid"), 0)

# Get mailbox parameters
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Get full access trustees
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")

foreach ($object in $fullAccess)
{
    $sidString = $object.ObjectSid
    if ([System.String]::IsNullOrEmpty($sidString))
    {
        continue
    }
    elseif ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sidString))
    {
        continue # Skip built-in principals such as SELF or NT AUTHORITY\SYSTEM
    }

    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" $sidString
    if ($sid -eq $fullAccessUserSid)
    {
        return # The user already has full access
    }
}

# Grant full access
# Specify trustee
$objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
$objReference.ObjectDN = $fullAccessUserDN

# Specify permission
$permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
$permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
$permission.Trustee = $objReference

# Append to existing permissions
$permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
$permissionModification.Operation = "ADS_PROPERTY_APPEND"
$permissionModification.Permission = $permission

# Update mailbox settings
$mailboxRights = $mailboxParams.MailboxRights
$mailboxRights.AddModification($permissionModification)
$mailboxParams.MailboxRights = $mailboxRights

# Save the changes
$Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
```
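Because Full Access is a high-impact delegation (the trustee can read and send as the mailbox owner), it is worth being able to review who already holds it before the grant script changes anything. The following audit-only companion is an added example, not part of the original script or of the Adaxes script library: it reads the same MailboxRights data, lists every explicitly granted Full Access trustee SID, and reports whether the user in $fullAccessUserDN is among them, writing the result to the Adaxes execution log with $Context.LogMessage. It assumes the same Adaxes script context ($Context, $Context.TargetObject) and Softerra.Adaxes.Adsi classes used above; the function name and log wording are this example's own.

```powershell
$fullAccessUserDN = "CN=John Smith,OU=Users,DC=Domain,DC=com" # TODO: modify me

function Get-FullAccessTrusteeSids {
    # Returns the string SIDs of trustees explicitly granted Full Access,
    # skipping empty and well-known SIDs the same way the grant script does.
    # (Hypothetical helper written for this example.)
    param($MailboxParams)

    $result = @()
    $trustees = $MailboxParams.MailboxRights.GetTrusteesGrantedRights(
        "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")

    foreach ($trustee in $trustees) {
        $sidString = $trustee.ObjectSid
        if ([System.String]::IsNullOrEmpty($sidString)) { continue }
        if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sidString)) { continue }
        $result += $sidString
    }
    return $result
}

# Resolve the SID of the user being checked for
$fullAccessUser = $Context.BindToObjectByDN($fullAccessUserDN)
$fullAccessUserSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($fullAccessUser.Get("ObjectSid"), 0)

# Read the mailbox permissions without modifying them
$mailboxParams = $Context.TargetObject.GetMailParameters()
$trusteeSids = Get-FullAccessTrusteeSids $mailboxParams

$hasAccess = $false
foreach ($sidString in $trusteeSids) {
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" $sidString
    if ($sid -eq $fullAccessUserSid) { $hasAccess = $true }
}

# Report only; the grant script above is the one that changes anything
$Context.LogMessage("Explicit Full Access trustees (SIDs): " + ($trusteeSids -join ", "), "Information")
if ($hasAccess) {
    $Context.LogMessage("$fullAccessUserDN already has Full Access.", "Information")
}
else {
    $Context.LogMessage("$fullAccessUserDN does NOT have Full Access.", "Warning")
}
```

Running this as a separate custom command (or as a scheduled task over a set of mailboxes) gives a reviewable record of Full Access holders in the Adaxes log, which makes an unexpected trustee visible before the grant script adds another one.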
See Also: Check whether specific user account has full access to mailbox