Script Repository


Grant temporary full mailbox access to user

February 24, 2021

To grant full mailbox access to a user for a limited time period, you need to use Adaxes business rules and scheduled tasks. You need to do the following:

  1. Create a business rule that will trigger After Updating a User and execute Script 1. The script grants full mailbox access to the user and adds a record specifying when to revoke the permission.
  2. Create a scheduled task that runs Script 2 on a periodical basis. It will revoke the full mailbox access from the user.

Script 1: Grant full mailbox access

This script can be used in a business rule that grants full mailbox access to the user.

Parameters

  • $userListProperty - Specifies the LDAP name of the property that stores a list of users with temporary full mailbox access and the times when to revoke the permission.
  • $mailboxDNProperty - Specifies the LDAP name of the property that stores the distinguished name of the mailbox.
  • $durationInHoursProperty - Specifies the LDAP name of the property that stores duration for full mailbox access (in hours).
PowerShell
$userListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
$mailboxDNProperty = "assistant" # TODO: modify me
$durationInHoursProperty = "adm-CustomAttributeInt1" # TODO: modify me

function ClearProperties($propertyName)
{
    $Context.TargetObject.Put($propertyName, $NULL)
    $Context.TargetObject.SetInfoEx(@($propertyName))
}

# Get duration
try
{
    $durationInHours = $Context.TargetObject.Get($durationInHoursProperty)
}
catch
{
    $Context.LogMessage("Duration not specified", "Warning")
    return
}
ClearProperties $durationInHoursProperty

# Get mailbox DN
try
{
    $mailboxDN = $Context.TargetObject.Get($mailboxDNProperty)
}
catch
{
    $Context.LogMessage("Mailbox not specified", "Warning")
    return
}
ClearProperties $mailboxDNProperty

# Get user sid
$sidBytes = $Context.TargetObject.Get("objectSID")
$userSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
$userSidValue = $userSid.Value

# Build user record
$endDate = [System.Datetime]::Now.AddHours($durationInHours)
$userRecord = $endDate.ToString("MM/dd/yyyy hh mm tt") + " SID=$userSidValue"

# Get mailbox records
$mailbox = $Context.BindToObjectByDN($mailboxDN)
try
{
    $records = $mailbox.GetEx($userListProperty)
}
catch
{
    $records = @()
}

# Check if the user already has access to the mailbox
$addNewRecord = $True
for ($i = 0; $i -lt $records.Length; $i++)
{
    $sid = ($records[$i] | Select-String -Pattern "(?<=SID=).+").Matches[0].Value
    if ($sid -ne $userSidValue)
    {
        continue
    }
    # The user already has access to this mailbox, update date
    $records[$i] = $userRecord
    $addNewRecord = $False
    break
}

if ($addNewRecord)
{
    # Add information on when to remove access to the mailbox
    $records += $userRecord
    
    # Add Full Mailbox Access permission for the user
    $mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
    
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectDN = "%distinguishedName%"

    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference

    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Operation = "ADS_PROPERTY_APPEND"
    $permissionModification.Permission = $permission

    $mailboxRights = $mailboxParams.MailboxRights
    
    $mailboxRights.AddModification($permissionModification)
    $mailboxParams.MailboxRights = $mailboxRights
    
    # Save the changes
    $mailbox.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}

# Update mailbox records
$mailbox.PutEx("ADS_PROPERTY_UPDATE", $userListProperty, $records)
$mailbox.SetInfo()

Script 2: Revoke full mailbox access

This script can be used in a scheduled task that revokes full mailbox access from users when their temporary permissions expire.

Parameters

  • $userListProperty - Specifies the LDAP name of the property that stores a list of users with temporary full mailbox access and the times when to revoke the permission. It must be the same as $userListProperty in Script 1.
PowerShell
$userListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me

# Get mailbox records
try
{
    $records = $Context.TargetObject.GetEx($userListProperty)
}
catch
{
    return # No records
}

$currentDate = [DateTime]::Now
$sidsToRemove = New-Object "System.Collections.Generic.HashSet[System.String]"
for ($i = 0; $i -lt $records.Length; $i++)
{
    # Get the user's SID and the date when to remove the Full Mailbox Access permission
    $sid = ($records[$i] | Select-String -Pattern "(?<=SID=).+").Matches[0].Value
    # ForEach-Object alias is a single % (the original had a doubled %% which is a syntax error)
    $date = ($records[$i] | Select-String -Pattern "\d{2}\/\d{2}\/\d{4}\s\d{2}\s\d{2}\s.{2}" -AllMatches).Matches | %{[DateTime]::ParseExact($_.Value, "MM/dd/yyyy hh mm tt", $NULL)}
    
    if ($date -le $currentDate)
    {
        [void]$sidsToRemove.Add($sid)
        $records[$i] = $NULL
    }
}

if ($sidsToRemove.Count -ne 0)
{
    # Get Exchange properties
    $mailboxParams = $Context.TargetObject.GetMailParameters()
    
    # Remove permissions
    $mailboxRights = $mailboxParams.MailboxRights
    foreach ($sid in $sidsToRemove)
    {
        $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
        $objReference.ObjectSid = $sid
       
        $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
        $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
        $permission.Trustee = $objReference
        
        $mailboxRights.RemovePermission($permission)
    }
    $mailboxParams.MailboxRights = $mailboxRights
    $Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
    
    # Update list of users with temporary full access
    [System.String[]]$records = $records | ?{$_}
    $Context.TargetObject.PutEx("ADS_PROPERTY_UPDATE", $userListProperty, $records)
    $Context.TargetObject.SetInfo()
}
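Both scripts rely on the record format "MM/dd/yyyy hh mm tt SID=<SID>" stored in the multi-valued attribute; Script 2 calls .Matches[0] without checking for a match, so a hand-edited or malformed value would throw, and it parses the date with the current culture ($NULL provider), so the AM/PM designators must match the culture the server uses. The following is an added example, not one of the repository scripts, that parses the same format offline against constructed records, using the invariant culture and reporting unparseable entries instead of failing; the function name and sample SIDs are assumed.

```powershell
# Added example: expiry check over the record format used by Script 1 and Script 2.
# Hypothetical function name; records and SIDs below are constructed sample data.
function Get-ExpiredMailboxAccessRecords {
    param(
        [string[]]$Records,
        [datetime]$Now = [datetime]::Now
    )
    # Invariant culture keeps "AM"/"PM" parsing independent of the server locale
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $expired = New-Object System.Collections.Generic.List[string]
    $invalid = New-Object System.Collections.Generic.List[string]

    foreach ($record in $Records) {
        # Same layout Script 1 writes: "<MM/dd/yyyy hh mm tt> SID=<SID>"
        $m = [regex]::Match($record,
            '^(?<date>\d{2}/\d{2}/\d{4} \d{2} \d{2} (AM|PM)) SID=(?<sid>S-1-[\d-]+)$')
        if (-not $m.Success) {
            # Malformed entry: report it rather than throwing on .Matches[0]
            $invalid.Add($record)
            continue
        }
        $endDate = [datetime]::ParseExact($m.Groups['date'].Value, 'MM/dd/yyyy hh mm tt', $culture)
        if ($endDate -le $Now) {
            $expired.Add($m.Groups['sid'].Value)
        }
    }

    [pscustomobject]@{
        ExpiredSids    = $expired.ToArray()
        InvalidRecords = $invalid.ToArray()
    }
}

# Constructed sample records: one expired, one still valid, one malformed
$sampleRecords = @(
    '02/23/2021 09 30 AM SID=S-1-5-21-1111111111-2222222222-3333333333-1105',
    '02/25/2021 05 00 PM SID=S-1-5-21-1111111111-2222222222-3333333333-1106',
    'garbage without a sid'
)
$checkTime = [datetime]::ParseExact('02/24/2021 12 00 PM', 'MM/dd/yyyy hh mm tt',
    [System.Globalization.CultureInfo]::InvariantCulture)

$result = Get-ExpiredMailboxAccessRecords -Records $sampleRecords -Now $checkTime
$result.ExpiredSids
$result.InvalidRecords
```

Only the SIDs returned in ExpiredSids would be passed to RemovePermission in Script 2; the InvalidRecords list is what you would log and review before clearing the attribute.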

