The script modifies the list of members of a shared mailbox, i.e. the people who can monitor the mailbox and send mail from it. The mailbox members are specified via a multivalued attribute of the mailbox that supports the DN syntax, for example, See Also (LDAP name seeAlso) or Secretary (LDAP name secretary).
To use the script with Adaxes, you need to create a business rule triggered after creating a user and/or after updating the attribute that will be used to specify the mailbox members.
See also: Get members of Exchange Online shared mailbox.
Parameter:
- $membersAttribute - Specifies the LDAP display name of the attribute that will be used to specify new mailbox members.
PowerShell
$membersAttribute = "seeAlso" # TODO: modify me

function ModifySendAsPermission($sid, $operation)
{
    # Build a reference to the trustee by SID and queue the Send As change.
    # $sendAs is the mailbox's Send As collection, set in the script scope below.
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sid
    switch($operation)
    {
        "Add"
        {
            $sendAs.Add("ADS_PROPERTY_APPEND", $objReference)
        }
        "Remove"
        {
            $sendAs.SetOperation($objReference, "ADS_PROPERTY_DELETE")
        }
    }
}

function ModifyFullAccessPermission($sid, $operation)
{
    # Build a Full Access permission for the trustee and queue it as a
    # modification of the mailbox rights ($mailboxRights, set in the script scope below).
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sid
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference
    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Permission = $permission
    switch($operation)
    {
        "Add"
        {
            $permissionModification.Operation = "ADS_PROPERTY_APPEND"
        }
        "Remove"
        {
            $permissionModification.Operation = "ADS_PROPERTY_DELETE"
        }
    }
    $mailboxRights.AddModification($permissionModification)
}

# Get user DNs from the members attribute (GetEx throws when the attribute is empty)
try
{
    $userDNs = $Context.TargetObject.GetEx($membersAttribute)
}
catch
{
    $userDNs = @()
}

# Resolve each DN to the account's SID; these are the desired members
$membersToAdd = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($dn in $userDNs)
{
    $user = $Context.BindToObjectByDN($dn)
    $sidBytes = $user.Get("objectSID")
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    [void]$membersToAdd.Add($sid)
}

# Get mailbox parameters
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Get current Send As trustees, skipping empty and well-known principals (e.g. SELF)
$sendAs = $mailboxParams.SendAs
$sendAsTrustees = New-Object "System.Collections.Generic.HashSet[System.String]"
for ($i = 0; $i -lt $sendAs.Count; $i++)
{
    $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    if ([System.String]::IsNullOrEmpty($object.ObjectSid))
    {
        continue
    }
    if (([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid)))
    {
        continue
    }
    [void]$sendAsTrustees.Add($object.ObjectSid)
}

# Get current Full Access trustees. A trustee holding both Send As and Full Access
# is treated as a current member and is a candidate for removal.
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
$fullAccessTrustees = New-Object "System.Collections.Generic.HashSet[System.String]"
$memberToRemove = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($object in $fullAccess)
{
    if ([System.String]::IsNullOrEmpty($object.ObjectSid))
    {
        continue
    }
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
    {
        continue
    }
    $objectSid = $object.ObjectSid
    [void]$fullAccessTrustees.Add($objectSid)
    if ($sendAsTrustees.Contains($objectSid))
    {
        [void]$memberToRemove.Add($objectSid)
    }
}

# Enable modification of mailbox permissions
$sendAs = $mailboxParams.SendAs
$mailboxRights = $mailboxParams.MailboxRights

# Grant missing permissions to desired members; a desired member that already
# holds both permissions is taken out of the removal set and left untouched
foreach ($sid in $membersToAdd)
{
    if ($memberToRemove.Remove($sid))
    {
        continue
    }
    if (-not($sendAsTrustees.Contains($sid)))
    {
        # Add Send As permission
        ModifySendAsPermission $sid "Add"
    }
    if (-not($fullAccessTrustees.Contains($sid)))
    {
        # Add Full Access permission
        ModifyFullAccessPermission $sid "Add"
    }
}

# Revoke both permissions from current members no longer listed in the attribute
foreach ($sid in $memberToRemove)
{
    ModifySendAsPermission $sid "Remove"
    ModifyFullAccessPermission $sid "Remove"
}

$mailboxParams.SendAs = $sendAs
$mailboxParams.MailboxRights = $mailboxRights
try
{
    # Save the changes
    $Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}
catch
{
    $Context.LogMessage($_.Exception.Message, "Warning")
}
The script must be executed on a shared mailbox. In the mailbox property whose name is specified in the $membersAttribute variable, you need to specify the list of accounts that must be granted Full Access permissions and added to the Send As section of the mailbox.
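Because the business rule rewrites mailbox permissions every time the attribute changes, it is worth previewing what it will do before enabling it on production mailboxes. The following read-only script is an added example, not part of the repository script above: it applies the same decision rule (desired members from the attribute, current members being trustees that hold both Send As and Full Access) and only logs the planned grants and revocations without calling SetMailParameters. It assumes the same Adaxes script context ($Context bound to a shared mailbox) and the same $membersAttribute setting; unlike the sync script, it reports a DN that cannot be resolved instead of aborting the run.

```powershell
# Added example: dry-run report of the permission changes the sync script would make.
# Assumes an Adaxes script context where $Context.TargetObject is the shared mailbox.
$membersAttribute = "seeAlso" # TODO: modify me

# Desired members: resolve each DN stored in the attribute to a SID string
$desired = New-Object "System.Collections.Generic.HashSet[System.String]"
try { $userDNs = $Context.TargetObject.GetEx($membersAttribute) }
catch { $userDNs = @() } # attribute is empty
foreach ($dn in $userDNs)
{
    try
    {
        $user = $Context.BindToObjectByDN($dn)
        $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($user.Get("objectSid"), 0)
        [void]$desired.Add($sid.ToString())
    }
    catch
    {
        # Stale DN (deleted or moved account): report it rather than stopping the preview
        $Context.LogMessage("Cannot resolve member '$dn': $($_.Exception.Message)", "Warning")
    }
}

$mailboxParams = $Context.TargetObject.GetMailParameters()

# Current Send As trustees, excluding empty and well-known principals (e.g. SELF)
$sendAsNow = New-Object "System.Collections.Generic.HashSet[System.String]"
$sendAs = $mailboxParams.SendAs
for ($i = 0; $i -lt $sendAs.Count; $i++)
{
    $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    if ([System.String]::IsNullOrEmpty($object.ObjectSid)) { continue }
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid)) { continue }
    [void]$sendAsNow.Add($object.ObjectSid)
}

# Current Full Access trustees, filtered the same way
$fullAccessNow = New-Object "System.Collections.Generic.HashSet[System.String]"
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
foreach ($object in $fullAccess)
{
    if ([System.String]::IsNullOrEmpty($object.ObjectSid)) { continue }
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid)) { continue }
    [void]$fullAccessNow.Add($object.ObjectSid)
}

# Mirror the sync script's rule and collect one line per planned change
$planned = New-Object "System.Collections.Generic.List[System.String]"
foreach ($sid in $desired)
{
    if (-not $sendAsNow.Contains($sid))     { $planned.Add("GRANT  Send As      $sid") }
    if (-not $fullAccessNow.Contains($sid)) { $planned.Add("GRANT  Full Access  $sid") }
}
foreach ($sid in $fullAccessNow)
{
    # Only a trustee holding both rights counts as a current member
    if ($sendAsNow.Contains($sid) -and -not $desired.Contains($sid))
    {
        $planned.Add("REVOKE Send As + Full Access  $sid")
    }
}

# Report; nothing is written back to the mailbox
if ($planned.Count -eq 0)
{
    $Context.LogMessage("Mailbox permissions already match attribute '$membersAttribute'.", "Information")
}
foreach ($line in $planned)
{
    $Context.LogMessage($line, "Information")
}
```

Run it as a custom command or a scheduled task against a few mailboxes and compare the logged lines with what you expect; any unexpected REVOKE line usually means a trustee was granted both permissions by hand and is not listed in the attribute, which the sync rule will strip once enabled.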
For us to help you with the desired behavior, please, describe it in all the possible details. A live example would be much appreciated.