Re: msExchMailboxSecurityDescriptor by Victor
Victor
Thu Aug 04 07:46:30 CDT 2005
Hi Joe,
Thanks for your reply!
Victor
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:uSobKFImFHA.2080@TK2MSFTNGP10.phx.gbl...
> When working with mailbox permissions you shouldn't use
> msExchMailboxSecurityDescriptor directly as it will almost certainly get
> slammed when Exchange rereplicates what is in the store back to the
> attribute. According to all MS Docs the attribute is only authoritative
> for the mailbox when the mailbox is not instantiated in the store.
>
> You want to use mailboxrights property from the CDOEXM DLL.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Victor Pereira wrote:
>> Here is my script:
>>
>> Dim DN
>> const ADS_RIGHT_GENERIC_ALL = &h10000000
>> 'Set Constants.
>> Const ADS_ACETYPE_ACCESS_DENIED = &H1
>> Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
>> Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
>> Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
>> Const ADS_ACEFLAG_INHERITED_ACE = &H10
>>
>> Const ForReading = 1
>>
>> Set objArgs = Wscript.Arguments
>>
>> if(objArgs.Count = 1) then
>> if(Objargs(0) = "lookup") then
>> lookup = 1
>> end if
>> end if
>>
>> Set oFSO = CreateObject("scripting.filesystemobject")
>> Set oTF = oFSO.OpenTextFile("C:\log\producao\test.csv",ForReading,True)
>>
>> Do While Not otf.AtEndOfStream
>>
>>
>> DN = otf.ReadLine
>> Set myUser = GetObject("LDAP://foobar-srv/" & DN)
>> sTrustee = myUser.sAMAccountName
>>
>> myuser.GetInfoEx Array("msExchMailboxSecurityDescriptor"),0
>> Set oSecurityDescriptor = myuser.Get("msExchMailboxSecurityDescriptor")
>> Set dacl = oSecurityDescriptor.DiscretionaryAcl
>>
>>
>> if(lookup = 1) then
>> 'Faz um dumpzinho baaasico
>> For Each ace In dacl
>> wscript.Echo ace.Trustee & ", " & ace.AccessMask & ", " & _
>> ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
>> ace.ObjectType & ", " & ace.InheritedObjectType
>> Next
>> else
>> 'Vamos deletar as acls de nosso camaGada
>> 'DELETA ACL
>> DelAce dacl, sTrustee
>> oSecurityDescriptor.DiscretionaryAcl = dacl
>> myUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor
>> myUser.SetInfo
>>
>> 'ADICIONA ACL
>> myuser.GetInfoEx Array("msExchMailboxSecurityDescriptor"),0
>> Set oSecurityDescriptor = myuser.Get("msExchMailboxSecurityDescriptor")
>> Set dacl = oSecurityDescriptor.DiscretionaryAcl
>> AddAce dacl, sTrustee, 983040, ADS_ACETYPE_ACCESS_DENIED, 2,0,0,0
>> oSecurityDescriptor.DiscretionaryAcl = dacl
>> myUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor
>> myUser.SetInfo
>>
>> AddAce dacl, strustee, 1, 1, 2, 0,0 ,0
>> oSecurityDescriptor.DiscretionaryAcl = dacl
>> myUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor
>> myUser.Put "Description","Processo De Revisao Terceiros"
>> 'Grava informacoes do usuario
>> myuser.SetInfo
>>
>> 'ORDENA ACL
>> myuser.GetInfoEx Array("msExchMailboxSecurityDescriptor"),0
>> Set oSecurityDescriptor = myuser.Get("msExchMailboxSecurityDescriptor")
>> Set dacl = oSecurityDescriptor.DiscretionaryAcl
>> ReorderACL(dacl)
>> oSecurityDescriptor.DiscretionaryAcl = dacl
>> myuser.SetInfo
>> end if
>> Loop
>>
>>
>>
>> 'Wscript.Echo myUser.DisplayName
>> 'wscript.Echo myUser.sAMAccountName
>>
>>
>> Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags,
>> gFlags, gObjectType, gInheritedObjectType)
>> Dim Ace1
>> ' Create a new ACE object
>> Set Ace1 = CreateObject("AccessControlEntry")
>> Ace1.AccessMask = gAccessMask
>> Ace1.AceType = gAceType
>> Ace1.AceFlags = gAceFlags
>> Ace1.Flags = gFlags
>> Ace1.Trustee = TrusteeName
>>
>> 'Check to see if ObjectType needs to be set
>>
>> If CStr(gObjectType) <> "0" Then
>> Ace1.ObjectType = gObjectType
>> End If
>> 'Check to see if InheritedObjectType needs to be set
>> If CStr(gInheritedObjectType) <> "0" Then
>> Ace1.InheritedObjectType = gInheritedObjectType
>> End If
>> dacl.AddAce Ace1
>> 'Destroy objects
>>
>> Set Ace1 = Nothing
>>
>> End Function
>>
>> Function DelAce(dacl, szTrusteeName)
>>
>> Dim objOACE
>>
>> 'On Error Resume Next
>>
>> szTrusteeName = "FOOBAR\" & szTrusteeName
>>
>> ' Create a temp ACE Object.
>> Set objOACE = CreateObject("AccessControlEntry")
>>
>> ' Recurse through the ACL.
>>
>> For Each objOACE In dacl
>>
>> ' Find the Trustee you are looking to delete.
>> If (Trim(LCase(objOACE.Trustee)) =
>> Trim(LCase(szTrusteeName))) Then
>>
>> ' Delete the ACE from the ACL
>> 'wscript.Echo "Opa remove ai dom"
>> dacl.RemoveAce (objOACE)
>> 'else
>> 'wscript.Echo objOAce.Trustee & " !=" & szTrusteeName
>> End If
>> Next
>>
>> ' Clean up.
>> Set objOACE = Nothing
>> End Function
>>
>> Function ReorderACL(objDacl)
>> ' Dim Objects.
>>
>> Dim ImpDenyDacl
>> Dim ImpDenyObjectDacl
>> Dim ImpAllowDacl
>> Dim ImpAllowObjectDacl
>> Dim objSD
>> Dim newDACL
>>
>> ' Dim Other Variables.
>> Dim ace
>>
>>
>> ' Create the New DACL.
>> Set objSD = CreateObject("SecurityDescriptor")
>>
>> ' Create the ACL Objects.
>> Set newDACL = CreateObject("AccessControlList")
>> Set ImpDenyDacl = CreateObject("AccessControlList")
>> Set ImpDenyObjectDacl = CreateObject("AccessControlList")
>> Set ImpAllowDacl = CreateObject("AccessControlList")
>> Set ImpAllowObjectDacl = CreateObject("AccessControlList")
>>
>> For Each ace In objDacl
>> Select Case ace.AceType
>> Case ADS_ACETYPE_ACCESS_DENIED
>> ImpDenyDacl.AddAce ace
>> Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
>> ImpDenyObjectDacl.AddAce ace
>> Case ADS_ACETYPE_ACCESS_ALLOWED
>> ImpAllowDacl.AddAce ace
>> Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
>> ImpAllowObjectDacl.AddAce ace
>> Case Else
>> 'bad ace, bad bad ace..
>> End Select
>> Next
>> '
>> ' Combine the ACEs in the Proper Order
>> ' Implicit Deny
>> ' Implicit Deny Object
>> ' Implicit Allow
>> ' Implicit Allow Object
>> '
>>
>> ' Implicit Deny.
>> For Each ace In ImpDenyDacl
>> newDACL.AddAce ace
>> Next
>>
>> ' Implicit Deny Object.
>> For Each ace In ImpDenyObjectDacl
>> newDACL.AddAce ace
>> Next
>>
>> ' Implicit Allow.
>> For Each ace In ImpAllowDacl
>> newDACL.AddAce ace
>> Next
>>
>> ' Implicit Allow Object.
>> For Each ace In ImpAllowObjectDacl
>> newDACL.AddAce ace
>> Next
>>
>>
>> 'Set the Appropriate revision level for the DACL.
>> newDACL.AclRevision = objDacl.AclRevision
>>
>> ' Return Properly Ordered DACL.
>> Set ReorderACL = newDACL
>>
>> ' Clean up.
>> Set newDACL = Nothing
>> Set ImpAllowObjectDacl = Nothing
>> Set ImpAllowDacl = Nothing
>> Set ImpDenyObjectDacl = Nothing
>> Set ImpDenyDacl = Nothing
>> Set objSD = Nothing
>>
>> End Function
>>
>>
>>
>> "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
>> news:Ov8c8xEmFHA.1204@TK2MSFTNGP12.phx.gbl...
>>
>>>Hi, can i use the SetACL.exe to configure a mailbox dacl ?
>>>
>>>I want to deny all access to a mailbox but using some functions ripped
>>>from msdn isn't working.
>>>
>>>Thanks in advance,
>>>
>>>Victor
>>>
>>
>>