Issue with Restricting Exchange Mailbox Rights:
I am trying to delegate basic Exchange management outside the Exchange team, and I need to restrict the delegated administrator's ability to only select “Read permissions” and “Full mailbox access” when granting or removing rights to a user's mailbox. I was looking to restrict it with a policy script by reading the in-process attributes on pre-modify of the msExchMailboxSecurityDescriptor. The issue I am having is capturing the in-process attribute and determining what the delegated administrator is doing. I have tried to determine the ACE mask; however, I have not been successful in seeing that the in-process item is a Security Descriptor.
Policy Script Below:
'---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Option explicit
' Debug-log switches used by Log1: bolLogEnabled1 turns logging on/off,
' strLogFile1 is the file Log1 appends to.
Const bolLogEnabled1 = True
Const strLogFile1 = "C:\Exchange_Debug.log"
' Denial text meant for the eventual restriction (not referenced by onPreModify yet).
Const strMessage = "Only Read and Full Mailbox Access may be Granted to a mailbox"
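Sub Log1(msg)
' Append one timestamped line to strLogFile1 when bolLogEnabled1 is True.
' Best-effort by design: a logging failure must never abort the policy
' request, so errors are suppressed; the open is now checked so WriteLine
' is not attempted on a file object that was never created.
' msg: text to log. "&" is used for the concatenation because "+" raises a
' type mismatch when msg is numeric (and yields Null for a Null msg).
' NOTE: the log receives mailbox ACL data (trustees and masks) once the
' descriptor dump works; keep the file's own ACL restricted to administrators.
On Error Resume Next
If Not bolLogEnabled1 Then Exit Sub
Dim fso1, File1
Set fso1 = CreateObject("Scripting.FileSystemObject")
' 8 = ForAppending; True = create the file if it does not exist.
Set File1 = fso1.OpenTextFile(strLogFile1, 8, True)
If Err.Number = 0 Then
    File1.WriteLine CStr(Now()) & vbTab & msg
    File1.Close
End If
Set File1 = Nothing
Set fso1 = Nothing
End Sub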
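Sub onPreModify(Request)
' Diagnostic stage of the mailbox-rights restriction: for a pre-modify request
' on a "user" object, log every in-process property with its values, and for
' values typed ADSTYPE_NT_SECURITY_DESCRIPTOR (msExchMailboxSecurityDescriptor
' here) try to enumerate the DACL so each ACE's Trustee and AccessMask that
' the delegated administrator is writing becomes visible in the log.
' Request: the policy-script request object carrying the in-process data.
' Errors are left unsuppressed on purpose (the script-level On Error Resume
' Next stays commented out) so failures surface while debugging.
' NOTE: the ADSTYPE_* names must be supplied by the script host; under
' Option Explicit an undefined name raises an error at the first comparison.
' If the log stops right after "Item Name:", declare them as Const from
' ADSTYPEENUM (e.g. ADSTYPE_NT_SECURITY_DESCRIPTOR = 25) - TODO confirm
' whether this host exposes the ADSI constants.
Log1("--------------------------")
Log1("Exchange Security Descriptor Restriction - onPreModify Begin")
Log1("--------------------------")
'On Error Resume Next
Dim i, item, strUID, value, str
If Request.Class = "user" Then
    strUID = Request.get("sAMAccountName")
    Log1("Account: " & strUID)
    Log1("PropertyCount: " & Request.PropertyCount)
    'Retrieve properties from in-process data
    For i = 0 To Request.PropertyCount - 1
        Set item = Request.Item(i)
        ' Fresh buffer per property: str was never reset before, so each
        ' Log1(str) repeated every earlier property as well.
        str = item.Name & ": " & vbCrLf
        Log1("Item Name: " & item.Name)
        For Each value In item.Values
            str = str & ValueToText(value) & ", "
            If value.ADsType = ADSTYPE_NT_SECURITY_DESCRIPTOR Then
                LogDacl item.Name, value
            End If
        Next
        Log1(str)
    Next
End If
End Sub

' Render one in-process property value as log text, keyed on its ADsType.
' value: an in-process property value exposing ADsType and the typed accessors.
' Types without a text accessor here are reported by their numeric ADsType
' instead of being dropped silently, so nothing in the request goes unlogged.
Function ValueToText(value)
    Select Case value.ADsType
        Case ADSTYPE_DN_STRING
            ValueToText = value.DNString
        Case ADSTYPE_CASE_EXACT_STRING
            ValueToText = value.CaseExactString
        Case ADSTYPE_CASE_IGNORE_STRING
            ValueToText = value.CaseIgnoreString
        Case ADSTYPE_PRINTABLE_STRING
            ValueToText = value.PrintableString
        Case ADSTYPE_NUMERIC_STRING
            ValueToText = value.NumericString
        Case ADSTYPE_BOOLEAN
            ValueToText = CStr(value.Boolean)
        Case ADSTYPE_INTEGER
            ValueToText = CStr(value.Integer)
        Case ADSTYPE_NT_SECURITY_DESCRIPTOR
            ValueToText = "SECURITY_DESCRIPTOR"
        Case Else
            ValueToText = "<ADsType " & value.ADsType & ">"
    End Select
End Function

' Log Trustee, AceType and AccessMask of every ACE in the DACL of a
' security-descriptor-typed property value.
' propName: name of the property being written (prefixes each log line).
' value: the in-process property value whose ADsType is ADSTYPE_NT_SECURITY_DESCRIPTOR.
' IADsPropertyValue exposes the descriptor through its SecurityDescriptor
' property (the earlier commented-out attempt used item.ntSecurityDescriptor,
' which a property entry does not have). Whether this host's in-process value
' object implements that accessor is not certain - TODO confirm; errors are
' caught locally and logged so the property dump still completes.
' The logged masks are the input for the intended restriction: compare them
' with the two rights to be allowed before adding a deny (strMessage).
' Exchange documents "Full mailbox access" as 0x1 and "Read permissions" as
' READ_CONTROL (0x20000) - verify against the masks this log shows first.
Sub LogDacl(propName, value)
    Dim sd, dacl, ace
    On Error Resume Next
    Set sd = value.SecurityDescriptor
    If Err.Number <> 0 Then
        Log1(propName & ": SecurityDescriptor not readable - " & Err.Number & " " & Err.Description)
        Err.Clear
        Exit Sub
    End If
    Set dacl = sd.DiscretionaryAcl
    If Err.Number <> 0 Then
        Log1(propName & ": DiscretionaryAcl not readable - " & Err.Number & " " & Err.Description)
        Err.Clear
        Exit Sub
    End If
    For Each ace In dacl
        ' Hex keeps the mask bits readable next to the documented right values.
        Log1(propName & " ACE - Trustee: " & ace.Trustee & " Type: " & ace.AceType & " Mask: 0x" & Hex(ace.AccessMask))
    Next
    On Error GoTo 0
End Sub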
' -------------------------------------------------------------------------------------------------------------------------------------------------