

Manage shared mailbox members

April 01, 2016

The script modifies the list of members of a shared mailbox, i.e. the people who are granted Full Access to the mailbox (to monitor it) and Send As permission (to send mail from it). The mailbox members are specified via a multivalued attribute of the mailbox that supports the DN syntax, for example, See Also (LDAP name seeAlso) or Secretary (LDAP name secretary). The attribute is treated as the authoritative list: trustees that currently hold both Full Access and Send As but are not listed in it have both permissions revoked. Consequently, anyone allowed to write that attribute on the mailbox can effectively grant mailbox access, so delegate write permission on it with care.

To use the script with Adaxes, you need to create a Business Rule triggered after creating a user and/or after updating the attribute that will be used to specify the mailbox members.

See also: Get members of Exchange Online shared mailbox.

Parameter:

  • $membersAttribute - the LDAP display name of the multivalued, DN-syntax attribute that holds the mailbox members.
PowerShell
# LDAP display name of the multivalued, DN-syntax attribute whose values are the
# mailbox members. Every object listed in it is granted Send As and Full Access
# below, so write access to this attribute on the mailbox is effectively the
# right to grant those permissions - delegate it accordingly.
$membersAttribute = "seeAlso" # TODO: modify me

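function ModifySendAsPermission($sid, $operation)
{
    # Queue an Add or Remove of the Send As permission for one trustee on
    # $sendAs, the SendAs collection of the mailbox parameters held in the script
    # scope. Nothing reaches Exchange until SetMailParameters is called at the
    # end of the script.
    #   $sid       - SID (string form) of the trustee
    #   $operation - "Add" or "Remove"; anything else is an error
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sid
    
    switch ($operation)
    {
        "Add"
        {
            $sendAs.Add("ADS_PROPERTY_APPEND", $objReference)
        }
        "Remove"
        {
            $sendAs.SetOperation($objReference, "ADS_PROPERTY_DELETE")
        }
        default
        {
            # Fail loudly instead of silently leaving the permission untouched.
            throw "ModifySendAsPermission: unknown operation '$operation' (expected 'Add' or 'Remove')"
        }
    }
}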

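function ModifyFullAccessPermission($sid, $operation)
{
    # Queue an Add or Remove of the Full Access mailbox right for one trustee on
    # $mailboxRights, the MailboxRights object of the mailbox parameters held in
    # the script scope. Nothing reaches Exchange until SetMailParameters is
    # called at the end of the script.
    #   $sid       - SID (string form) of the trustee
    #   $operation - "Add" or "Remove"; anything else is an error
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sid
    
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference
    
    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Permission = $permission
    switch ($operation)
    {
        "Add"
        {
            $permissionModification.Operation = "ADS_PROPERTY_APPEND"
        }
        "Remove"
        {
            $permissionModification.Operation = "ADS_PROPERTY_DELETE"
        }
        default
        {
            # Fail loudly instead of queuing a modification with no operation set.
            throw "ModifyFullAccessPermission: unknown operation '$operation' (expected 'Add' or 'Remove')"
        }
    }
    
    $mailboxRights.AddModification($permissionModification)
}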

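# Get user DNs
# Read the member list from the mailbox object. GetEx throws when the attribute
# is not set; that is treated as "no members", in which case every non-well-known
# trustee currently holding both Send As and Full Access is revoked below.
try
{
    $userDNs = $Context.TargetObject.GetEx($membersAttribute)
}
catch
{
    $userDNs = @()
}

# Get user SIDs
# Resolve each member DN to its SID. SIDs are kept as strings so they can be
# compared with the ObjectSid values of the current trustees.
$membersToAdd = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($dn in $userDNs)
{
    try
    {
        $user = $Context.BindToObjectByDN($dn)
        $sidBytes = $user.Get("objectSID")
    }
    catch
    {
        # Fail closed: a DN that cannot be bound (e.g. a deleted object) or that
        # has no objectSID (e.g. a contact or an OU) aborts the rule before any
        # permission is changed. Without this guard the failing statement could,
        # depending on the host's error preference, simply be skipped - leaving
        # $sidBytes with the previous iteration's value, dropping this member from
        # $membersToAdd and thereby queuing an existing member for removal.
        $Context.LogMessage("Cannot resolve mailbox member '$dn': " + $_.Exception.Message, "Warning")
        throw
    }
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    
    [void]$membersToAdd.Add($sid)
}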

# Get mailbox parameters
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Collect the SIDs of the current Send As trustees. Entries without a SID and
# principals reported by IsWellKnown are skipped, so the script never adds or
# revokes anything for them.
$sendAs = $mailboxParams.SendAs
$sendAsTrustees = New-Object "System.Collections.Generic.HashSet[System.String]"
for ($index = 0; $index -lt $sendAs.Count; $index++)
{
    $trustee = $sendAs.GetItem($index, [ref]"ADS_PROPERTY_NONE")
    $trusteeSid = $trustee.ObjectSid
    if ([System.String]::IsNullOrEmpty($trusteeSid) -or
        [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid))
    {
        continue
    }
    [void]$sendAsTrustees.Add($trusteeSid)
}

# Collect the SIDs of the current Full Access trustees, with the same exclusions.
# A trustee holding BOTH Full Access and Send As becomes a removal candidate;
# candidates that are still listed in the members attribute are taken back out
# of $memberToRemove further down. Note that this also catches trustees who were
# granted the pair by hand, not only those granted by this script. Trustees
# holding only one of the two permissions are left alone.
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
$fullAccessTrustees = New-Object "System.Collections.Generic.HashSet[System.String]"
$memberToRemove = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($trustee in $fullAccess)
{
    $trusteeSid = $trustee.ObjectSid
    if ([System.String]::IsNullOrEmpty($trusteeSid) -or
        [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid))
    {
        continue
    }
    [void]$fullAccessTrustees.Add($trusteeSid)
    if ($sendAsTrustees.Contains($trusteeSid))
    {
        [void]$memberToRemove.Add($trusteeSid)
    }
}

# Enable modification of mailbox permissions
$sendAs = $mailboxParams.SendAs
$mailboxRights = $mailboxParams.MailboxRights

# Grant: every listed member that lacks a permission gets it queued. A member
# that already holds both permissions is only taken out of the removal set.
foreach ($memberSid in $membersToAdd)
{
    if ($memberToRemove.Remove($memberSid))
    {
        continue   # already has Send As and Full Access; nothing to do
    }
    if (-not $sendAsTrustees.Contains($memberSid))
    {
        ModifySendAsPermission $memberSid "Add"
    }
    if (-not $fullAccessTrustees.Contains($memberSid))
    {
        ModifyFullAccessPermission $memberSid "Add"
    }
}

# Revoke: whoever still holds both permissions but is not listed in the members
# attribute loses both of them.
foreach ($staleSid in $memberToRemove)
{
    ModifySendAsPermission $staleSid "Remove"
    ModifyFullAccessPermission $staleSid "Remove"
}

$mailboxParams.SendAs = $sendAs
$mailboxParams.MailboxRights = $mailboxRights

try
{
    # Save the changes - this is the only call that writes to Exchange
    $Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}
catch
{
    # NOTE(review): a failed save is only logged as a warning, so the members
    # attribute and the effective mailbox permissions silently diverge until the
    # rule fires again. Consider raising the log level or rethrowing so the
    # operation is surfaced as failed.
    $Context.LogMessage($_.Exception.Message, "Warning")
}
