
9/04/2011

Enumerate Mailbox Permissions

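# Enumerate the explicit (non-inherited) mailbox-rights ACEs of every mail-enabled user
# in the current domain by parsing msExchMailboxSecurityDescriptor straight out of AD,
# and print one "<mailbox display name> <trustee> <Allow|Deny>" line per ACE.
#
# Review notes:
#  - The trustee bind below uses the ADSI "<SID=...>" form. The original listing had
#    lost the angle-bracket part (HTML stripping), so it bound to a bare "LDAP://" and
#    every trustee was printed as a raw SID.
#  - Trustees are resolved via sAMAccountName; objects without one (e.g. foreign
#    security principals) keep their SID instead of being printed as an empty name.
#  - The descriptor's access mask is Exchange-specific and is not decoded here, but the
#    ACE type is printed so a Deny entry is not mistaken for granted access.
#  - NOTE(review): this reads the descriptor attribute directly from AD, presumably
#    with ordinary domain-user rights — confirm; either way the output is an inventory
#    of who can open which mailbox, so treat it as sensitive.

$root = [ADSI]'LDAP://RootDSE'
$dfDefaultRootPath = "LDAP://" + $root.DefaultNamingContext.ToString()
$dfRoot = [ADSI]$dfDefaultRootPath

# mailnickname=* selects mail-enabled objects; person/user narrows to user accounts.
$gfGALQueryFilter = "(&(&(&(mailnickname=*)(objectCategory=person)(objectClass=user))))"

$dfsearcher = New-Object System.DirectoryServices.DirectorySearcher($dfRoot)
# A non-zero PageSize enables paged results so large domains are not truncated at the
# server's MaxPageSize; the server still caps each page at its own limit.
$dfsearcher.PageSize = 4500
$dfsearcher.Filter = $gfGALQueryFilter
# [void]: Add() returns the new index, which the original let leak into the output as
# a stray "0" line ahead of the header.
[void]$dfsearcher.PropertiesToLoad.Add("msExchMailboxSecurityDescriptor")

$srSearchResult = $dfsearcher.FindAll()

# Well-known SIDs present on every mailbox descriptor and of no audit value.
$selfSid   = "S-1-5-10"   # NT AUTHORITY\SELF
$systemSid = "S-1-5-18"   # NT AUTHORITY\SYSTEM

"Mailbox ACE User AccessType"
try {
    foreach ($emResult in $srSearchResult) {
        $emProps = $emResult.Properties

        # Mail-enabled users without a mailbox carry no descriptor; skip them rather
        # than hand $null to SetSecurityDescriptorBinaryForm.
        if (-not $emProps.Contains("msexchmailboxsecuritydescriptor")) { continue }
        [byte[]]$DaclByte = $emProps["msexchmailboxsecuritydescriptor"][0]

        $uoUserobject = $emResult.GetDirectoryEntry()

        $adDACL = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $adDACL.SetSecurityDescriptorBinaryForm($DaclByte)
        # Explicit ACEs only (includeInherited = $false), keyed by SID so that deleted or
        # foreign trustees do not throw during account-name translation.
        $mbRightsacls = $adDACL.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

        foreach ($ace in $mbRightsacls) {
            $sid = $ace.IdentityReference.Value
            # -and, not -band: the bitwise operator happened to work on booleans but does
            # not short-circuit and was not what was meant. The IsInherited test is kept
            # as a belt-and-braces check even though GetAccessRules already excludes them.
            if ($sid -ne $selfSid -and $sid -ne $systemSid -and -not $ace.IsInherited) {
                $AceName = $sid
                # Bind by SID; if it does not resolve, or resolves to an object with no
                # sAMAccountName, keep the raw SID — an unresolvable trustee is itself a
                # finding worth seeing in the report.
                try {
                    $aceuser = [ADSI]("LDAP://<SID=" + $sid + ">")
                    if ($aceuser.samaccountname -ne $null) {
                        $AceName = $aceuser.samaccountname
                    }
                } catch {
                    # bind failed: $AceName stays the SID
                }
                "" + $uoUserobject.DisplayName + " " + $AceName + " " + $ace.AccessControlType
            }
        }
    }
}
finally {
    # SearchResultCollection and DirectorySearcher hold unmanaged handles; release them
    # even if a bind or parse throws part-way through.
    $srSearchResult.Dispose()
    $dfsearcher.Dispose()
}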
