
Manage shared mailbox members

February 22, 2021

The script modifies the list of members of a shared mailbox, i.e. the people who can monitor the mailbox and send mail from it. The mailbox members are specified via a multivalued attribute of the mailbox that supports the DN syntax, for example, See Also (LDAP name seeAlso) or Secretary (LDAP name secretary).

To use the script with Adaxes, you need to create a business rule triggered after creating a user and/or after updating the attribute that will be used to specify the mailbox members.

See also: Get members of Exchange Online shared mailbox.

Parameter:

  • $membersAttribute - Specifies the LDAP display name of the attribute that will be used to specify new mailbox members.
PowerShell
$membersAttribute = "seeAlso" # TODO: modify me

function ModifySendAsPermission($sid, $operation)
{
    # Create Send As permission for the trustee
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sid
    
    switch($operation)
    {
        "Add"
        {
            $sendAs.Add("ADS_PROPERTY_APPEND", $objReference)
        }
        "Remove"
        {
            $sendAs.SetOperation($objReference, "ADS_PROPERTY_DELETE")
        }
    }
}

function ModifyFullAccessPermission($sid, $operation)
{
    # Create Full Access permission for the trustee
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sid
    
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference
    
    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Permission = $permission
    switch($operation)
    {
        "Add"
        {
            $permissionModification.Operation = "ADS_PROPERTY_APPEND"
        }
        "Remove"
        {
            $permissionModification.Operation = "ADS_PROPERTY_DELETE"
        }
    }
    
    $mailboxRights.AddModification($permissionModification)
}

# Get user DNs
try
{
    $userDNs = $Context.TargetObject.GetEx($membersAttribute)
}
catch
{
    $userDNs = @()
}

# Get user SIDs
$membersToAdd = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($dn in $userDNs)
{
    $user = $Context.BindToObjectByDN($dn)
    $sidBytes = $user.Get("objectSID")
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    
    [void]$membersToAdd.Add($sid)
}

# Get mailbox parameters
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Get Send As trustees
$sendAs = $mailboxParams.SendAs
$sendAsTrustees = New-Object "System.Collections.Generic.HashSet[System.String]"
for ($i = 0; $i -lt $sendAs.Count; $i++)
{
    $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    if ([System.String]::IsNullOrEmpty($object.ObjectSid))
    {
        continue
    }
    
    if (([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid)))
    {
        continue
    }
    
    [void]$sendAsTrustees.Add($object.ObjectSid)
}

# Get Full Access trustees
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
$fullAccessTrustees = New-Object "System.Collections.Generic.HashSet[System.String]"
$memberToRemove = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($object in $fullAccess)
{
    if ([System.String]::IsNullOrEmpty($object.ObjectSid))
    {
        continue
    }
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
    {
        continue
    }
    
    $objectSid = $object.ObjectSid
    [void]$fullAccessTrustees.Add($objectSid)
    if ($sendAsTrustees.Contains($objectSid))
    {
        [void]$memberToRemove.Add($objectSid)
    }
}

# Enable modification of mailbox permissions
$sendAs = $mailboxParams.SendAs
$mailboxRights = $mailboxParams.MailboxRights

foreach ($sid in $membersToAdd)
{
    if ($memberToRemove.Remove($sid))
    {
        continue
    }
    
    if (-not($sendAsTrustees.Contains($sid)))
    {
        # Add Send As permission
        ModifySendAsPermission $sid "Add"
    }
    
    if (-not($fullAccessTrustees.Contains($sid)))
    {
        # Add Full Access permission
        ModifyFullAccessPermission $sid "Add"
    }
}

foreach ($sid in $memberToRemove)
{
    # Revoke both permissions from trustees that hold Send As and Full Access
    # but are no longer listed in the members attribute
    ModifySendAsPermission $sid "Remove"
    ModifyFullAccessPermission $sid "Remove"
}

$mailboxParams.SendAs = $sendAs
$mailboxParams.MailboxRights = $mailboxRights

try
{
    # Save the changes
    $Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}
catch
{
    $Context.LogMessage($_.Exception.Message, "Warning")
}
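The reconciliation the script performs (compare the SIDs resolved from the members attribute with the current Send As and Full Access trustees, add what is missing, and revoke only from trustees that hold both rights but are no longer listed) is easiest to review outside Adaxes. The following function is an added example, not part of the script above or of the Adaxes product: it runs the same decision logic on plain string SIDs so the resulting change plan can be inspected before the business rule is enabled. It also surfaces one behaviour of the script worth knowing: a trustee that holds only one of the two rights and is not listed in the attribute is left untouched. The SID values and the well-known-SID skip list are constructed sample data; the real script relies on WellKnownSecurityPrincipalInfo for that check.

```powershell
function Get-MailboxMemberPlan
{
    param(
        [string[]]$DesiredSids,     # SIDs resolved from the DNs in $membersAttribute
        [string[]]$SendAsSids,      # current Send As trustees
        [string[]]$FullAccessSids,  # current Full Access trustees
        # Assumed skip list (SYSTEM, BUILTIN\Administrators); stand-in for IsWellKnown()
        [string[]]$WellKnownSids = @("S-1-5-18", "S-1-5-32-544")
    )

    $desired    = New-Object "System.Collections.Generic.HashSet[System.String]"
    $sendAs     = New-Object "System.Collections.Generic.HashSet[System.String]"
    $fullAccess = New-Object "System.Collections.Generic.HashSet[System.String]"
    $removable  = New-Object "System.Collections.Generic.HashSet[System.String]"

    foreach ($sid in $DesiredSids)
    {
        if (-not [string]::IsNullOrEmpty($sid)) { [void]$desired.Add($sid) }
    }
    foreach ($sid in $SendAsSids)
    {
        if ([string]::IsNullOrEmpty($sid) -or ($WellKnownSids -contains $sid)) { continue }
        [void]$sendAs.Add($sid)
    }
    foreach ($sid in $FullAccessSids)
    {
        if ([string]::IsNullOrEmpty($sid) -or ($WellKnownSids -contains $sid)) { continue }
        [void]$fullAccess.Add($sid)
        # Same rule as the script: only trustees holding BOTH rights are removal candidates
        if ($sendAs.Contains($sid)) { [void]$removable.Add($sid) }
    }

    $plan = [ordered]@{
        SendAsToAdd     = New-Object "System.Collections.Generic.List[System.String]"
        FullAccessToAdd = New-Object "System.Collections.Generic.List[System.String]"
        ToRemove        = New-Object "System.Collections.Generic.List[System.String]"
        LeftUnchanged   = New-Object "System.Collections.Generic.List[System.String]"
    }

    foreach ($sid in $desired)
    {
        # Listed and already holding both rights: keep, and drop from the removal set
        if ($removable.Remove($sid)) { continue }
        if (-not $sendAs.Contains($sid))     { $plan.SendAsToAdd.Add($sid) }
        if (-not $fullAccess.Contains($sid)) { $plan.FullAccessToAdd.Add($sid) }
    }
    foreach ($sid in $removable) { $plan.ToRemove.Add($sid) }

    # Trustees with only one of the two rights that are not listed are never touched
    # by the script; report them so an operator can review them by hand.
    foreach ($sid in (@($sendAs) + @($fullAccess) | Select-Object -Unique))
    {
        if (-not $desired.Contains($sid) -and -not $plan.ToRemove.Contains($sid))
        {
            $plan.LeftUnchanged.Add($sid)
        }
    }

    return [pscustomobject]$plan
}

# Constructed sample data: ...1001 is listed but has no rights yet, ...1002 holds both
# rights but is no longer listed, ...1003 holds Full Access only, S-1-5-18 is well-known.
$plan = Get-MailboxMemberPlan `
    -DesiredSids    @("S-1-5-21-1-1-1-1001") `
    -SendAsSids     @("S-1-5-21-1-1-1-1002", "S-1-5-18") `
    -FullAccessSids @("S-1-5-21-1-1-1-1002", "S-1-5-21-1-1-1-1003")
$plan | Format-List
```

Running the block lists, per category, which SIDs would gain Send As, which would gain Full Access, which would lose both, and which the script would leave as they are. Reviewing that last group before enabling the rule is the practical point: the script does not strip a stale Full Access or Send As grant unless the trustee holds both.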
Comments 2
Felipe Oct 18, 2021
How exactly do we use this script? Let's say I create a user and they are part of the "ABC Department". If I wanted that user to get access to 4 different Shared Mailboxes (Mailbox 1, 2, 3, and 4) with Full Access and Send As Permissions. I am confused as to what the $membersAttribute SeeAlso is referencing. Do I need to save the members of the "ABC Department" in some sort of LDAP variable? Also is there a way to have this script also apply auto-mapping of shared mailbox? Just kind of confused on how I use this. Automated Exchange Mailbox Configuration during user creation or modification can only do the user's own mailbox. I am trying to think on how to use this script to make users gain access to multiple other shared mailboxes. Right now we do this via Security Group but that doesn't have AutoMap capabilities.
Support Oct 19, 2021
Hello Felipe,

The script must be executed on a shared mailbox. In the mailbox property whose name is specified in the $membersAttribute variable, you need to specify the list of accounts that must be granted Full Access permissions and added to the Send As section of the mailbox.
For us to help you with the desired behavior, please, describe it in all the possible details. A live example would be much appreciated.