We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Grant temporary full mailbox access to user

February 24, 2021 Views: 1888

To grant full mailbox access to a user for a limited time period, you need to use Adaxes business rules and scheduled tasks. You need to do the following:

  1. Create a business rule that will trigger After Updating a User and execute Script 1. The script grants full mailbox access to the user and adds a record specifying when to revoke the permission.
  2. Create a scheduled task that runs Script 2 on a periodical basis. It will revoke the full mailbox access from the user.

Script 1: Grant full mailbox access

This script can be used in a business rule that will grant full mailbox access to the user

Parameters

  • $userListProperty - Specifies the LDAP name of the property that stores a list of users with temporary full mailbox access and the times when to revoke the permission.
  • $mailboxDNProperty - Specifies the LDAP name of the property that stores the distinguished name of the mailbox.
  • $durationInHoursProperty - Specifies the LDAP name of the property that stores duration for full mailbox access (in hours).
Edit Remove
PowerShell
$userListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
$mailboxDNProperty = "assistant" # TODO: modify me
$durationInHoursProperty = "adm-CustomAttributeInt1" # TODO: modify me

function ClearProperties($propertyName)
{
    $Context.TargetObject.Put($propertyName, $NULL)
    $Context.TargetObject.SetInfoEx(@($propertyName))
}

# Get duration
try
{
    $durationInHours = $Context.TargetObject.Get($durationInHoursProperty)
}
catch
{
    $Context.LogMessage("Duration not specified", "Warning")
    return
}
ClearProperties $durationInHoursProperty

# Get mailbox DN
try
{
    $mailboxDN = $Context.TargetObject.Get($mailboxDNProperty)
}
catch
{
    $Context.LogMessage("Mailbox not specified", "Warning")
    return
}
ClearProperties $mailboxDNProperty

# Get user sid
$sidBytes = $Context.TargetObject.Get("objectSID")
$userSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
$userSidValue = $userSid.Value

# Build user record
$endDate = [System.Datetime]::Now.AddHours($durationInHours)
$userRecord = $endDate.ToString("MM/dd/yyyy hh mm tt") + " SID=$userSidValue"

# Get mailbox records
$mailbox = $Context.BindToObjectByDN($mailboxDN)
try
{
    $records = $mailbox.GetEx($userListProperty)
}
catch
{
    $records = @()
}

# Check if the user already has access to the mailbox
$addNewRecord = $True
for ($i = 0; $i -lt $records.Length; $i++)
{
    $sid = ($records[$i] | Select-String -Pattern "(?<=SID=).+").Matches[0].Value
    if ($sid -ne $userSidValue)
    {
        continue
    }
    # The user already has access to this mailbox, update date
    $records[$i] = $userRecord
    $addNewRecord = $False
    break
}

if ($addNewRecord)
{
    # Add a information on when to remove access to the mailbox
    $records += $userRecord
    
    # Add Full Mailbox Access permission for the user
    $mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
    
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectDN = "%distinguishedName%"

    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference

    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Operation = "ADS_PROPERTY_APPEND"
    $permissionModification.Permission = $permission

    $mailboxRights = $mailboxParams.MailboxRights
    
    $mailboxRights.AddModification($permissionModification)
    $mailboxParams.MailboxRights = $mailboxRights
    
    # Save the changes
    $mailbox.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}

# Update mailbox records
$mailbox.PutEx("ADS_PROPERTY_UPDATE", $userListProperty, $records)
$mailbox.SetInfo()

Script 2: Revoke full mailbox access

This script can be used in a scheduled task that revokes full mailbox access from users when their temporary permissions expire.

Parameters

  • $userListProperty - Specifies the LDAP name of the property that stores a list of users with temporary full mailbox acsess and the times when to revoke the permission. It must be the same as $userListProperty in Script 1.
Edit Remove
PowerShell
$userListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me

# Get mailbox records
try
{
    $records = $Context.TargetObject.GetEx($userListProperty)
}
catch
{
    return # No records
}

$currentDate = [DateTime]::Now
$sidsToRemove = New-Object "System.Collections.Generic.HashSet[System.String]"
for ($i = 0; $i -lt $records.Length; $i++)
{
    # Get user's ADS sid and date when to remove Full Mailbox Access permission
    $sid = ($records[$i] | Select-String -Pattern "(?<=SID=).+").Matches[0].Value
    $date = ($records[$i] | Select-String -Pattern "\d{2}\/\d{2}\/\d{4}\s\d{2}\s\d{2}\s.{2}" -AllMatches).Matches | %%{[DateTime]::ParseExact($_.Value, "MM/dd/yyyy hh mm tt", $NULL)}
    
    if ($date -le $currentDate)
    {
        [void]$sidsToRemove.Add($sid)
        $records[$i] = $NULL
    }
}

if ($sidsToRemove.Count -ne 0)
{
    # Get Exchange properties
    $mailboxParams = $Context.TargetObject.GetMailParameters()
    
    # Remove permissions
    $mailboxRights = $mailboxParams.MailboxRights
    foreach ($sid in $sidsToRemove)
    {
        $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
        $objReference.ObjectSid = $sid
       
        $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
        $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
        $permission.Trustee = $objReference
        
        $mailboxRights.RemovePermission($permission)
    }
    $mailboxParams.MailboxRights = $mailboxRights
    $Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
    
    # Update list of users with temporary full access
    [System.String[]]$records = $records | ?{$_}
    $Context.TargetObject.PutEx("ADS_PROPERTY_UPDATE", $userListProperty, $records)
    $Context.TargetObject.SetInfo()
}

Comments 0
Leave a comment
Loading...

Got questions?

Support Questions & Answers