

Grant permissions over a mailbox to members of a group

November 13, 2023 Views: 746

The script grants Full Access and Send As permissions over a specific mailbox to the user members of the target group. Trustees of the mailbox that are not members of the group (well-known security principals excepted) have these permissions removed, so the group membership becomes the authoritative delegate list for the mailbox. The script can be executed in a business rule, custom command or scheduled task configured for the Group object type.

Parameters:

  • $mailboxDN - Specifies the distinguished name (DN) of the mailbox to grant permissions over. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject/.
  • $onlyDirectMembers - Specifies whether to grant permissions only to direct members of the target group. If set to $False, the permissions will also be granted to all members of all nested groups.
PowerShell
# --- Parameters ---
# Distinguished name of the mailbox whose Full Access / Send As trustees are
# reconciled against the membership of the group the script runs on.
$mailboxDN = 'CN=Mailbox,OU=Mailboxes,DC=Example,DC=com' # TODO: modify me
# $True: only direct members of the group receive the permissions.
# $False: members of nested groups are included as well.
$onlyDirectMembers = $True # TODO: modify me

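# Adds or removes a Send As trustee on the mailbox's SendAs collection.
# Arguments:
#   $objectReference - AdmObjectReference identifying the trustee (by ObjectSid)
#   $operation       - "Add" or "Remove"
#   $sendAs          - the SendAs collection taken from the mailbox's mail parameters
# The collection is modified in place; nothing is persisted until
# SetMailParameters is called on the mailbox.
# Throws on any other $operation value so a typo cannot silently leave a
# permission unchanged.
function ModifySendAsPermission($objectReference, $operation, $sendAs)
{
    switch ($operation)
    {
        "Add"
        {
            $sendAs.Add("ADS_PROPERTY_APPEND", $objectReference)
        }
        "Remove"
        {
            $sendAs.Remove($objectReference)
        }
        default
        {
            throw "ModifySendAsPermission: unsupported operation '$operation'"
        }
    }
}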

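# Queues a Full Access grant or revocation for $objectReference on the
# mailbox's MailboxRights collection.
# Arguments:
#   $objectReference - AdmObjectReference identifying the trustee
#   $operation       - "Add" or "Remove"
#   $mailboxRights   - MailboxRights taken from the mailbox's mail parameters
# The modification is only persisted by SetMailParameters on the mailbox.
# Throws on any other $operation value so a typo cannot enqueue a
# modification whose Operation was never set.
function ModifyFullAccessPermission($objectReference, $operation, $mailboxRights)
{
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objectReference

    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Permission = $permission
    switch ($operation)
    {
        "Add"
        {
            $permissionModification.Operation = "ADS_PROPERTY_APPEND"
        }
        "Remove"
        {
            $permissionModification.Operation = "ADS_PROPERTY_DELETE"
        }
        default
        {
            throw "ModifyFullAccessPermission: unsupported operation '$operation'"
        }
    }

    $mailboxRights.AddModification($permissionModification)
}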

# Bind to the mailbox and fetch its Exchange mail parameters. The SendAs and
# MailboxRights collections are edited in memory and only written back by the
# final SetMailParameters call.
$mailbox = $Context.BindToObjectByDNEx($mailboxDN, $True)
$mailboxParams = $mailbox.GetMailParameters()

# Index the current Send As trustees by SID. Whatever is still in
# $sendAsTrustees after the member loop is revoked, so every non-well-known
# trustee that is not a member of the group loses Send As.
$sendAs = $mailboxParams.SendAs
$sendAsTrustees = @{}
# Walk backwards so removing an entry does not shift the indexes still to visit.
$index = $sendAs.Count
while ($index -gt 0)
{
    $index--
    $trustee = $sendAs.GetItem($index, [ref]"ADS_PROPERTY_NONE")
    $trusteeSid = $trustee.ObjectSid
    if ([System.String]::IsNullOrEmpty($trusteeSid))
    {
        # A reference without a SID cannot be matched against any member;
        # drop it from the collection.
        ModifySendAsPermission $trustee "Remove" $sendAs
    }
    elseif (-not [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid))
    {
        # Well-known security principals are neither indexed nor revoked.
        $sendAsTrustees.Add($trusteeSid, $trustee)
    }
}

# Index the current Full Access trustees by SID, with the same reconciliation
# rule as for Send As: whatever remains in $fullAccessTrustees after the
# member loop is revoked.
$mailboxRights = $mailboxParams.MailboxRights
$fullAccessTrustees = @{}
$grantedFullAccess = $mailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
foreach ($trustee in $grantedFullAccess)
{
    $trusteeSid = $trustee.ObjectSid
    if ([System.String]::IsNullOrEmpty($trusteeSid))
    {
        # Unresolvable trustee: queue a delete modification and move on.
        ModifyFullAccessPermission $trustee "Remove" $mailboxRights
    }
    elseif (-not [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid))
    {
        # Well-known security principals are neither indexed nor revoked.
        $fullAccessTrustees.Add($trusteeSid, $trustee)
    }
}

# adm-DirectMembersGuid lists only direct members; adm-MembersGuid also
# covers members of nested groups.
$membersProperty = if ($onlyDirectMembers) { "adm-DirectMembersGuid" } else { "adm-MembersGuid" }

# Read the member GUIDs of the group the rule/task runs on.
# NOTE(review): every failure of GetEx is treated as "no members", which makes
# the reconciliation below revoke every non-well-known trustee — confirm that
# GetEx only throws for an empty group before relying on this.
try
{
    $memberGuidsBytes = $Context.TargetObject.GetEx($membersProperty)
}
catch
{
    $memberGuidsBytes = @()
}

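# Reconcile the group's members against the current trustees.
# For each user member: grant Send As / Full Access if missing; otherwise take
# the user out of the "still to revoke" maps so the existing grant is kept.
foreach ($memberGuidBytes in $memberGuidsBytes)
{
    $guid = [Guid]$memberGuidBytes
    $member = $Context.BindToObject("Adaxes://<GUID=$guid>")
    # Only user objects receive mailbox rights; other member classes are skipped.
    if ($member.Class -ne "user")
    {
        continue
    }

    # Convert the binary objectSid to its string value so it can be matched
    # against the SIDs collected from the mailbox.
    $sidBytes = $member.Get("objectSid")
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    $sidString = $sid.Value

    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sidString

    if ($sendAsTrustees.ContainsKey($sidString))
    {
        # Already a trustee: keep the grant, do not revoke it later.
        $sendAsTrustees.Remove($sidString)
    }
    else
    {
        ModifySendAsPermission $objReference "Add" $sendAs
    }

    if ($fullAccessTrustees.ContainsKey($sidString))
    {
        $fullAccessTrustees.Remove($sidString)
    }
    else
    {
        ModifyFullAccessPermission $objReference "Add" $mailboxRights
    }
}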

# Everything left in the maps belongs to a trustee that is not a member of the
# group: revoke it. Well-known principals were never put into the maps, so
# they are untouched.
foreach ($leftover in $sendAsTrustees.Values)
{
    ModifySendAsPermission $leftover "Remove" $sendAs
}
foreach ($leftover in $fullAccessTrustees.Values)
{
    ModifyFullAccessPermission $leftover "Remove" $mailboxRights
}

# Put the edited collections back onto the parameters object.
$mailboxParams.SendAs = $sendAs
$mailboxParams.MailboxRights = $mailboxRights

# Persist the changes; nothing above took effect on the mailbox until now.
# A failure is only logged as a warning, so the group membership and the
# mailbox permissions may be left out of sync — check the log after a run.
try
{
    $mailbox.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}
catch
{
    $saveError = $_.Exception.Message
    $Context.LogMessage($saveError, "Warning")
}

The version of the script below additionally sets the auto-mapping state, as controlled by the $autoMappingEnabled parameter, for all delegates gaining or already holding Full Access permissions.

PowerShell
# --- Parameters ---
# Distinguished name of the mailbox whose Full Access / Send As trustees are
# reconciled against the membership of the group the script runs on.
$mailboxDN = 'CN=Mailbox,OU=Mailboxes,DC=Example,DC=com' # TODO: modify me
# $True: only direct members of the group receive the permissions.
# $False: members of nested groups are included as well.
$onlyDirectMembers = $True # TODO: modify me
# Auto-mapping state applied to every member gaining or already holding
# Full Access ($True = enabled, $False = disabled).
$autoMappingEnabled = $False # TODO: modify me

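# Adds or removes a Send As trustee on the mailbox's SendAs collection.
# Arguments:
#   $objectReference - AdmObjectReference identifying the trustee (by ObjectSid)
#   $operation       - "Add" or "Remove"
#   $sendAs          - the SendAs collection taken from the mailbox's mail parameters
# The collection is modified in place; nothing is persisted until
# SetMailParameters is called on the mailbox.
# Throws on any other $operation value so a typo cannot silently leave a
# permission unchanged.
function ModifySendAsPermission($objectReference, $operation, $sendAs)
{
    switch ($operation)
    {
        "Add"
        {
            $sendAs.Add("ADS_PROPERTY_APPEND", $objectReference)
        }
        "Remove"
        {
            $sendAs.Remove($objectReference)
        }
        default
        {
            throw "ModifySendAsPermission: unsupported operation '$operation'"
        }
    }
}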

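# Queues a Full Access grant or revocation for $objectReference on the
# mailbox's MailboxRights collection.
# Arguments:
#   $objectReference    - AdmObjectReference identifying the trustee
#   $operation          - "Add" or "Remove"
#   $mailboxRights      - MailboxRights taken from the mailbox's mail parameters
#   $autoMappingEnabled - auto-mapping state set for a newly added trustee;
#                         unused for "Remove" (callers pass $NULL)
# The modification is only persisted by SetMailParameters on the mailbox.
# Throws on any other $operation value so a typo cannot enqueue a
# modification whose Operation was never set.
function ModifyFullAccessPermission($objectReference, $operation, $mailboxRights, $autoMappingEnabled)
{
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objectReference

    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Permission = $permission
    switch ($operation)
    {
        "Add"
        {
            $permissionModification.Operation = "ADS_PROPERTY_APPEND"
            # Use the parameter here. The original referenced $objReference,
            # a variable that only resolved through the caller's scope.
            $mailboxRights.SetAutoMappingFor($objectReference, $autoMappingEnabled)
        }
        "Remove"
        {
            $permissionModification.Operation = "ADS_PROPERTY_DELETE"
        }
        default
        {
            throw "ModifyFullAccessPermission: unsupported operation '$operation'"
        }
    }

    $mailboxRights.AddModification($permissionModification)
}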

# Maps the $autoMappingEnabled switch to the auto-mapping state string that
# MailboxRights.GetAutoMappingFor returns, so the current state of a trustee
# can be compared with the configured one.
$autoMapping = @{}
$autoMapping[$True] = "ADM_EXCHANGE_AUTOMAPINGSTATE_ENABLED"
$autoMapping[$False] = "ADM_EXCHANGE_AUTOMAPINGSTATE_DISABLED"

# Bind to the mailbox and load its Exchange parameters. If the parameters
# cannot be read, log a warning and stop: there is nothing to reconcile.
$mailbox = $Context.BindToObjectByDNEx($mailboxDN, $True)
$mailboxParams = $null
try
{
    $mailboxParams = $mailbox.GetMailParameters("ADM_GET_EXCHANGE_PARAMS_FLAGS_NONE")
}
catch
{
    # The warning text does not carry the underlying error; inspect the
    # exception if a run stops here unexpectedly.
    $Context.LogMessage("Mailbox does not exist", "Warning")
    return
}

# Index the current Send As trustees by SID. Whatever is still in
# $sendAsTrustees after the member loop is revoked, so every non-well-known
# trustee that is not a member of the group loses Send As.
$sendAs = $mailboxParams.SendAs
$sendAsTrustees = @{}
# Walk backwards so removing an entry does not shift the indexes still to visit.
$index = $sendAs.Count
while ($index -gt 0)
{
    $index--
    $trustee = $sendAs.GetItem($index, [ref]"ADS_PROPERTY_NONE")
    $trusteeSid = $trustee.ObjectSid
    if ([System.String]::IsNullOrEmpty($trusteeSid))
    {
        # A reference without a SID cannot be matched against any member;
        # drop it from the collection.
        ModifySendAsPermission $trustee "Remove" $sendAs
    }
    elseif (-not [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid))
    {
        # Well-known security principals are neither indexed nor revoked.
        $sendAsTrustees.Add($trusteeSid, $trustee)
    }
}

# Index the current Full Access trustees by SID, with the same reconciliation
# rule as for Send As: whatever remains in $fullAccessTrustees after the
# member loop is revoked.
$mailboxRights = $mailboxParams.MailboxRights
$fullAccessTrustees = @{}
$grantedFullAccess = $mailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
foreach ($trustee in $grantedFullAccess)
{
    $trusteeSid = $trustee.ObjectSid
    if ([System.String]::IsNullOrEmpty($trusteeSid))
    {
        # Unresolvable trustee: queue a delete modification (no auto-mapping
        # value is needed for a removal) and move on.
        ModifyFullAccessPermission $trustee "Remove" $mailboxRights $NULL
    }
    elseif (-not [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid))
    {
        # Well-known security principals are neither indexed nor revoked.
        $fullAccessTrustees.Add($trusteeSid, $trustee)
    }
}

# adm-DirectMembersGuid lists only direct members; adm-MembersGuid also
# covers members of nested groups.
$membersProperty = if ($onlyDirectMembers) { "adm-DirectMembersGuid" } else { "adm-MembersGuid" }

# Read the member GUIDs of the group the rule/task runs on.
# NOTE(review): every failure of GetEx is treated as "no members", which makes
# the reconciliation below revoke every non-well-known trustee — confirm that
# GetEx only throws for an empty group before relying on this.
try
{
    $memberGuidsBytes = $Context.TargetObject.GetEx($membersProperty)
}
catch
{
    $memberGuidsBytes = @()
}

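# Reconcile the group's members against the current trustees.
# For each user member: grant Send As / Full Access if missing; otherwise take
# the user out of the "still to revoke" maps so the existing grant is kept,
# and align the existing Full Access trustee's auto-mapping state.
foreach ($memberGuidBytes in $memberGuidsBytes)
{
    $guid = [Guid]$memberGuidBytes
    $member = $Context.BindToObject("Adaxes://<GUID=$guid>")
    # Only user objects receive mailbox rights; other member classes are skipped.
    if ($member.Class -ne "user")
    {
        continue
    }

    # Convert the binary objectSid to its string value so it can be matched
    # against the SIDs collected from the mailbox.
    $sidBytes = $member.Get("objectSid")
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    $sidString = $sid.Value

    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sidString

    if ($sendAsTrustees.ContainsKey($sidString))
    {
        # Already a trustee: keep the grant, do not revoke it later.
        $sendAsTrustees.Remove($sidString)
    }
    else
    {
        ModifySendAsPermission $objReference "Add" $sendAs
    }

    if ($fullAccessTrustees.ContainsKey($sidString))
    {
        # Existing trustee: keep the grant and bring its auto-mapping state in
        # line with the configured value. GetAutoMappingFor is only queried
        # here, for an actual trustee, instead of for every member.
        $fullAccessTrustees.Remove($sidString)
        $currentAutoMapping = $mailboxRights.GetAutoMappingFor($objReference)
        if ($currentAutoMapping -ne $autoMapping[$autoMappingEnabled])
        {
            $mailboxRights.SetAutoMappingFor($objReference, $autoMappingEnabled)
        }
    }
    else
    {
        # New trustee: ModifyFullAccessPermission also sets its auto-mapping state.
        ModifyFullAccessPermission $objReference "Add" $mailboxRights $autoMappingEnabled
    }
}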

# Everything left in the maps belongs to a trustee that is not a member of the
# group: revoke it. Well-known principals were never put into the maps, so
# they are untouched.
foreach ($leftover in $sendAsTrustees.Values)
{
    ModifySendAsPermission $leftover "Remove" $sendAs
}
foreach ($leftover in $fullAccessTrustees.Values)
{
    ModifyFullAccessPermission $leftover "Remove" $mailboxRights $NULL
}

# Put the edited collections back onto the parameters object.
$mailboxParams.SendAs = $sendAs
$mailboxParams.MailboxRights = $mailboxRights

# Persist the changes; nothing above took effect on the mailbox until now.
# A failure is only logged as a warning, so the group membership and the
# mailbox permissions may be left out of sync — check the log after a run.
try
{
    $mailbox.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}
catch
{
    $saveError = $_.Exception.Message
    $Context.LogMessage($saveError, "Warning")
}