
Bulk permissions change using ADModify.NET



    We are running Exchange 2003 sp2 in a Server 2003 environment.

    I have been tasked with ensuring that all the members of an AD group (let's call it 'untrusted users') are prevented from opening any of the mailbox folders belonging to the members of another group ('trusted users').

    It may be the case that users in 'trusted users' have set their calendars etc. to be viewable by anyone by default, so my thinking was to use ADModify.NET to add a deny entry for 'untrusted users' onto the permissions of every user's mailbox.

    To this end I have created the following mbxrights.xml file and run it through:

    <MailboxRights>
      <user UserDN="LDAP://CN=John Doe,OU=Test,DC=domain,DC=co,DC=uk">
        <Inherited></Inherited>
        <NotInherited>
          <Entry Trustee="MYDOMAIN\UntrustedUsers" Mask="ACE_MB_FULL_ACCESS|Denied" />
        </NotInherited>
      </user>
    </MailboxRights>

    However, when I have tested this in Outlook, it does not seem to work and a user in 'untrusted users' can still open another user's calendar. I have looked at the mailbox permissions after I've run it and the deny entry is definitely there.

    Does anyone have any ideas? Or am I going about this the wrong way, is there an easier way to do this?
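The post above hand-writes the mbxrights.xml entry for a single mailbox. The script below is an added example (not from the original poster or from ADModify.NET) that generates the same structure for a whole list of mailbox DNs and then reads the file back to confirm every user element actually carries a NotInherited deny entry for the trustee, which is the check worth doing before importing. It assumes the element layout shown in the post is the complete format ADModify.NET expects, that the UserDN value is an ADSI-style "LDAP://" path (the posted fragment appears to have lost the "://"), and uses three constructed DNs in a test OU as sample input. Whether a store-level deny like this achieves the goal at all is what the replies address.

```python
"""Build an ADModify.NET-style mbxrights.xml for many mailboxes and verify it.

Added example, not code from the thread or from ADModify.NET. The element
layout (<MailboxRights>/<user UserDN=...>/<Inherited>/<NotInherited>/<Entry>)
is copied from the single-user file in the post and is ASSUMED to be complete.
"""
import xml.etree.ElementTree as ET

# Constructed sample input: three mailbox DNs in the same test OU.
SAMPLE_DNS = [
    "CN=John Doe,OU=Test,DC=domain,DC=co,DC=uk",
    "CN=Jane Roe,OU=Test,DC=domain,DC=co,DC=uk",
    "CN=Sam Poe,OU=Test,DC=domain,DC=co,DC=uk",
]

# Trustee and mask exactly as written in the post; the mask string is taken
# from there and not otherwise verified against ADModify's documentation.
TRUSTEE = "MYDOMAIN\\UntrustedUsers"
DENY_FULL_ACCESS = "ACE_MB_FULL_ACCESS|Denied"
DN_PREFIX = "LDAP://"  # assumed ADSI path prefix


def build_mbxrights(dns, trustee=TRUSTEE, mask=DENY_FULL_ACCESS, prefix=DN_PREFIX):
    """Return the XML text with one <user> element per DN, each carrying
    an explicit (NotInherited) entry for the trustee."""
    root = ET.Element("MailboxRights")
    for dn in dns:
        user = ET.SubElement(root, "user", UserDN=prefix + dn)
        ET.SubElement(user, "Inherited")          # left empty, as in the post
        not_inherited = ET.SubElement(user, "NotInherited")
        ET.SubElement(not_inherited, "Entry", Trustee=trustee, Mask=mask)
    return ET.tostring(root, encoding="unicode")


def users_missing_deny(xml_text, trustee=TRUSTEE):
    """Read the file back and list UserDNs that have no NotInherited entry
    for the trustee whose mask contains the Denied flag."""
    root = ET.fromstring(xml_text)
    missing = []
    for user in root.findall("user"):
        entries = user.findall("NotInherited/Entry")
        has_deny = any(
            e.get("Trustee") == trustee
            and "Denied" in e.get("Mask", "").split("|")
            for e in entries
        )
        if not has_deny:
            missing.append(user.get("UserDN"))
    return missing


if __name__ == "__main__":
    xml_text = build_mbxrights(SAMPLE_DNS)
    with open("mbxrights.xml", "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    problems = users_missing_deny(xml_text)
    print("users without a deny entry:", problems or "none")
```

Run it once to produce mbxrights.xml for the DN list, then feed that file to ADModify.NET as the post does; the read-back check is also usable on ADModify's own exported XML to confirm the entry survived the import.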

  • #2
    Re: Bulk permissions change using ADModify.NET

    Use PFDAVADMIN. This will show you the MAPI permissions on the mailstore. You can modify them in bulk from there and propagate down. Anonymous or Default may have been granted additional rights.


    • #3
      Re: Bulk permissions change using ADModify.NET

      Permissions set on the mailbox through AD do not block permissions set on folders in Outlook. Therefore you would have to correct the permissions through the mailbox.

      Furthermore, most permissive wins. Therefore if Default has been set to Reviewer, then you cannot block anyone from accessing the mailbox. Even if you put in a group that has no permissions, because Default is more permissive, it wins.
      You would have to set Default to none and then ask the users to adjust the permissions appropriately.

      Finally, you have the problem that you cannot stop users from granting permissions. Therefore while you can set a group to have no permissions, you would be unable to stop the individual user from changing the permission to how they like, which could include setting the default permission.
      The most you could do is run a script that reset the permissions every night, and hope that the users get annoyed with resetting it, but that of course could mean that some people will get so annoyed they simply tell you to stop running the script.

      There is no technical solution to this. The solution is a behavioural one, that needs to be corrected by HR. Ultimately though, there is nothing anyone can do to stop someone from sharing their mailbox out.

      Simon Butler
      Exchange MVP

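The reply above suggests the most you can do is a scheduled script that puts the folder-level Default and Anonymous entries back to None every night. The script below is an added example of that reset, not code from the thread or from its author. It is written against the Exchange Management Shell cmdlets (Get-MailboxFolderPermission and Set-MailboxFolderPermission), which exist in Exchange 2010 and later rather than in the Exchange 2003 environment of the thread, where PFDAVAdmin is the equivalent tool. It assumes the English folder name "Calendar" and reports what each mailbox had before the reset, so the nightly log doubles as a record of who keeps re-sharing.

```powershell
# Added example, not part of the thread. Resets Default and Anonymous on
# every mailbox's Calendar folder to None and reports what was found.
# ASSUMPTIONS: Exchange Management Shell (Exchange 2010 or later) is loaded;
# the calendar folder is named "Calendar"; run with -DryRun first.
param(
    [string]$Folder = "Calendar",
    [switch]$DryRun
)

$report = @()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = "$($mbx.Alias):\$Folder"
    try {
        $perms = Get-MailboxFolderPermission -Identity $id -ErrorAction Stop
    } catch {
        # Folder missing or inaccessible: record it and move on rather than abort the run.
        $report += [pscustomobject]@{ Mailbox = $mbx.Alias; Entry = "-"; Before = "-"; Action = "skipped: $($_.Exception.Message)" }
        continue
    }

    foreach ($p in $perms) {
        $who    = $p.User.DisplayName
        $rights = ($p.AccessRights -join ",")

        # Only the two implicit entries are touched; explicit per-user grants are left alone.
        if (($who -eq "Default" -or $who -eq "Anonymous") -and $rights -ne "None") {
            if (-not $DryRun) {
                Set-MailboxFolderPermission -Identity $id -User $who -AccessRights None
            }
            $report += [pscustomobject]@{ Mailbox = $mbx.Alias; Entry = $who; Before = $rights; Action = $(if ($DryRun) { "would reset" } else { "reset to None" }) }
        }
    }
}

# Emit the findings; redirect to a dated file from the scheduled task to keep history.
$report | Format-Table -AutoSize
```

Schedule it with Task Scheduler under an account that holds the rights Set-MailboxFolderPermission needs, and keep the output: as the reply notes, the script cannot stop a user from re-sharing the next morning, so the log of "Before" values is the evidence to hand to HR rather than the fix.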