Script / report that finds mailbox access info?

  • Script / report that finds mailbox access info?

    FYI I'm doing this manually right now as a one time thing (not that much to go through), but I was curious if this is possible as a coding exercise.

    1. Find all AD users / Groups / Public Mailboxes with email addresses associated with them. EDIT: Partially answered in THIS THREAD I believe.

    cmd /c csvde.exe -r "(&(objectCategory=person)(objectClass=user)(mail=*))" -l name,mail -f "c:\PrimaryEmailAddresses.csv"

    outputs:
    DN **** name **** mail
    CN=Administrator,CN=Users,DC=<TSK TSK>,DC=com,DC=local **** Administrator **** [email protected]<TSK TSK>.com


    2. Find out who has access to the mail being sent to them, either by forwarding to them, or mailbox access. (Note: we really only need this for general accounts, e.g. Accounting user, Accounting Group, Accounting Public folder), but you can't really program that part

    So, anyone ever done something like this?
    Last edited by Wired; 19th February 2009, 21:11.
    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: Script / report that finds mailbox access info?

    Note: My mind is mush from doing that manually lol.

    • #3
      Re: Script / report that finds mailbox access info?

      I think this should be possible...it might take some excel-foo though after exporting which can be scripted. I'll see if I can put something together.


      • #4
        Re: Script / report that finds mailbox access info?

        This should work for exporting all the users into a spreadsheet, make sure you have the excel file created before running the script:

        Code:
        sXLS = "C:\export.xls"   'excel file must be created before the script is run
        
         Set objRootDSE = GetObject("LDAP://rootDSE")
         strDNSDomain = objRootDSE.Get("defaultNamingContext")
        
         'Start the ADO connection
         Set objCommand = CreateObject("ADODB.Command")
         Set objConnection = CreateObject("ADODB.Connection")
         objConnection.Provider = "ADsDSOObject"
         objConnection.Open "Active Directory Provider"
         objCommand.ActiveConnection = objConnection
        
         'Set the ADO connection query strings
         StartNode = strDNSDomain
         SearchScope = "subtree"
        
         FilterString = "(&(objectCategory=person)(objectClass=user)" _
          		   & "(mail=*)" _
            		    & "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
         Attributes = "adspath"
        
         'Create the LDAP-Query
         LDAPQuery = "<LDAP://" & StartNode & ">;" & FilterString & ";" _
                    	& Attributes & ";" & SearchScope
        
         objCommand.CommandText = LDAPQuery
         objCommand.Properties("Page Size") = 100
         objCommand.Properties("Timeout") = 30
         objCommand.Properties("Cache Results") = False
        
         Set objRecordSet = objCommand.Execute
        
         Set objExcel = CreateObject("Excel.Application")
        	objExcel.Application.DisplayAlerts = False
        	objExcel.Visible = False
        
         	Set objWorkbook = objExcel.Workbooks.Open(sXLS)
        
            	objExcel.Cells(1,1).Value = "Logon Name"
            	objExcel.Cells(1,2).Value = "Display Name"
            	objExcel.Cells(1,3).Value = "Email Address"
        
              	xRow = 1
              	yColumn = 1
        
           	Do Until yColumn = 4
               		objExcel.Cells(xRow,yColumn).Font.Bold = True
            		objExcel.Cells(xRow,yColumn).Font.Size = 11
            		objExcel.Cells(xRow,yColumn).Interior.ColorIndex = 11 
            		objExcel.Cells(xRow,yColumn).Interior.Pattern = 1
            		objExcel.Cells(xRow,yColumn).Font.ColorIndex = 2
            		objExcel.Cells(xRow,yColumn).Borders.LineStyle = 1
            		objExcel.Cells(xRow,yColumn).WrapText = True
        	yColumn = yColumn + 1
              	Loop
        
        	x = 2
        	y = 1
        
         	If NOT objRecordSet.eof Then
          	  objRecordSet.MoveFirst
          	    While Not objRecordset.EOF
            		Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
        			y1 = y
              				objExcel.Cells(x,y1).Value = objUser.sAMAccountName
              				y1 = y1 + 1
              				objExcel.Cells(x,y1).Value = objUser.displayName
        				y1 = y1 + 1
              				objExcel.Cells(x,y1).Value = objUser.mail
              				x = x + 1 'go to the next Row
            	  	objRecordSet.MoveNext
          	    Wend
         	End If
        
         objExcel.Columns("A:C").Select
         objExcel.Selection.HorizontalAlignment = 3 	'center all data
         objExcel.Selection.Borders.LineStyle = 1 	'apply borders
         objExcel.Columns("A:AH").EntireColumn.AutoFit  'autofit all columns
        
         appVerInt = CInt(Split(objExcel.Version, ".")(0))
        	If appVerInt >= 12 Then   'Excel 2007 reports version 12
          	    objExcel.ActiveWorkbook.SaveAs(sXLS), 56  'office 2007
        	Else
          	    objExcel.ActiveWorkbook.SaveAs(sXLS), 43  'office 2003
        	End If
        
         objExcel.Quit
        
         set objExcel = Nothing
         Set objUser = Nothing
        
        msgbox "Done!"
        WScript.Quit

        Now to get the mailbox rights of each user...I wasn't too sure, but I found this:

        http://www.devnewsgroups.net/group/m...opic39204.aspx

        Somehow add that into the script above

        If all your descriptions are correct in AD, you can also add into the filterstring to only select users with "accounting" in the description, or anything else you would want to add...I just figured this part out recently:

        Code:
         FilterString = "(&(objectCategory=person)(objectClass=user)" _
          		   & "(mail=*)" _
          		    & "(description=*accounting*)" _
            		     & "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

        Let me know if that helps.


        • #5
          Re: Script / report that finds mailbox access info?

          I was able to hack something together, and also fixed some little errors that I had in the above example. I couldn't get what type of rights each user had in a mailbox, but I was able to get if they are allowed access or not (nothing ever showed for the individual rights). Depending on how many users you have with "accounting" in their description...this file could get very large, or even exceed the amount of excel cells...that happened to me

          If anyone knows of a better way of doing this...please help!

          Code:
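          On Error Resume Next
          
          'ADSI ACE type values; VBScript does not define these, and left
          'undefined they evaluate to Empty, so denied entries are never reported
          Const ADS_ACETYPE_ACCESS_ALLOWED = 0
          Const ADS_ACETYPE_ACCESS_DENIED = 1
          
          sXLS = "C:\export.xls"   'path the new workbook is saved to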
          
           Set objRootDSE = GetObject("LDAP://rootDSE")
           strDNSDomain = objRootDSE.Get("defaultNamingContext")
          
           'Start the ADO connection
           Set objCommand = CreateObject("ADODB.Command")
           Set objConnection = CreateObject("ADODB.Connection")
           objConnection.Provider = "ADsDSOObject"
           objConnection.Open "Active Directory Provider"
           objCommand.ActiveConnection = objConnection
          
           'Set the ADO connection query strings
           StartNode = strDNSDomain
           SearchScope = "subtree"
          
           FilterString = "(&(objectCategory=person)(objectClass=user)" _
            		   & "(description=*accounting*)" _
            		    & "(mail=*)" _
              		     & "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
           Attributes = "adspath"
          
           'Create the LDAP-Query
           LDAPQuery = "<LDAP://" & StartNode & ">;" & FilterString & ";" _
                      	& Attributes & ";" & SearchScope
          
           objCommand.CommandText = LDAPQuery
           objCommand.Properties("Page Size") = 100
           objCommand.Properties("Timeout") = 30
           objCommand.Properties("Cache Results") = False
          
           Set objRecordSet = objCommand.Execute
          
           Set objExcel = CreateObject("Excel.Application")
          	objExcel.Application.DisplayAlerts = False
          	objExcel.Visible = True
          
           	'Set objWorkbook = objExcel.Workbooks.Open(sXLS)
                  objExcel.Workbooks.Add
          
              	objExcel.Cells(1,1).Value = "Logon Name"
              	objExcel.Cells(1,2).Value = "Display Name"
              	objExcel.Cells(1,3).Value = "Email Address"
              	objExcel.Cells(1,4).Value = "Mailbox Rights"
          
                	xRow = 1
                	yColumn = 1
          
             	Do Until yColumn = 5
                 		objExcel.Cells(xRow,yColumn).Font.Bold = True
              		objExcel.Cells(xRow,yColumn).Font.Size = 11
              		objExcel.Cells(xRow,yColumn).Interior.ColorIndex = 11 
              		objExcel.Cells(xRow,yColumn).Interior.Pattern = 1
              		objExcel.Cells(xRow,yColumn).Font.ColorIndex = 2
              		objExcel.Cells(xRow,yColumn).Borders.LineStyle = 1
              		objExcel.Cells(xRow,yColumn).WrapText = True
          	yColumn = yColumn + 1
                	Loop
          
          	x = 2
          	y = 1
          
           	If NOT objRecordSet.eof Then
            	  objRecordSet.MoveFirst
            	    While Not objRecordset.EOF
              		Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
          			y1 = y
                				objExcel.Cells(x,y1).Value = objUser.sAMAccountName
                				y1 = y1 + 1
                				objExcel.Cells(x,y1).Value = objUser.displayName
          				y1 = y1 + 1
                				objExcel.Cells(x,y1).Value = objUser.mail
          				y1 = y1 + 1
          					'Clear the previous user's descriptor first: with On Error Resume Next
          					'a failed Get would otherwise report the last user's ACL for this user
          					Set oSecurityDescriptor = Nothing
          					Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")
          					If Not oSecurityDescriptor Is Nothing Then
          					  Set dacl = oSecurityDescriptor.DiscretionaryAcl
          					  Set ace = CreateObject("AccessControlEntry")
          					  For Each ace In dacl
          						mystring = ace.Trustee
          						If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
          							x = x + 1
                							objExcel.Cells(x,y1).Value = mystring & " has access"
          						ElseIf (ace.AceType = ADS_ACETYPE_ACCESS_DENIED) Then
          							x = x + 1
                							objExcel.Cells(x,y1).Value = mystring & " is denied access"
          						End If
          					  Next
          					End If
                				x = x + 1 'go to the next Row
              	  	objRecordSet.MoveNext
            	    Wend
           	End If
          
           objExcel.Columns("A:D").Select
           objExcel.Selection.HorizontalAlignment = 3 	'center all data
           objExcel.Selection.Borders.LineStyle = 1 	'apply borders
           objExcel.Columns("A:AH").EntireColumn.AutoFit  'autofit all columns
          
           appVerInt = CInt(Split(objExcel.Version, ".")(0))
          	If appVerInt >= 12 Then   'Excel 2007 reports version 12
            	    objExcel.ActiveWorkbook.SaveAs(sXLS), 56  'office 2007
          	Else
            	    objExcel.ActiveWorkbook.SaveAs(sXLS), 43  'office 2003
          	End If
          
           objExcel.Quit
          
           set objExcel = Nothing
           Set objUser = Nothing
          
          msgbox "Done!"
          WScript.Quit

          Last edited by ekrengel; 10th March 2009, 13:13. Reason: Fixed excel to create the spreadsheet, not open it
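
Added example, not code from this thread: post #5 reports that the individual rights never showed, and those are carried in each ACE's access mask. This Python parser decodes a raw `msExchMailboxSecurityDescriptor` value (the bytes an LDAP client returns) into allow/deny, trustee SID, inherited flag and right names. The right-name table follows Microsoft's Exchange 2000/2003 documentation and is an assumption to confirm for your version; the sample descriptor and SIDs are constructed.

```python
import struct

# Mask bits as Microsoft documents them for Exchange 2000/2003 mailbox
# rights (assumption: confirm against your Exchange version).
MAILBOX_RIGHTS = {
    0x00001: "Full mailbox access", 0x00002: "Send as",
    0x00004: "Associated external account",
    0x10000: "Delete mailbox storage", 0x20000: "Read permissions",
    0x40000: "Change permissions", 0x80000: "Take ownership",
}
ACE_TYPES = {0: "allow", 1: "deny"}  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
INHERITED_ACE = 0x10                 # AceFlags bit: entry came from a parent

def sid_to_str(b):
    authority = int.from_bytes(b[2:8], "big")       # 6-byte big-endian field
    subs = struct.unpack_from("<%dI" % b[1], b, 8)  # b[1] = sub-authority count
    return "S-%d-%d" % (b[0], authority) + "".join("-%d" % s for s in subs)

def mailbox_aces(sd):
    """Return (kind, sid, inherited, [right names]) per allow/deny ACE."""
    dacl_off = struct.unpack_from("<I", sd, 16)[0]  # OffsetDacl in SD header
    if dacl_off == 0:
        return []                                   # no DACL stored
    count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    pos, out = dacl_off + 8, []                     # ACEs follow the ACL header
    for _ in range(count):
        ace_type, flags, size = struct.unpack_from("<BBH", sd, pos)
        if size < 8 or pos + size > len(sd):
            raise ValueError("malformed ACE at offset %d" % pos)
        if ace_type in ACE_TYPES:                   # other ACE layouts skipped
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            rights = [n for bit, n in MAILBOX_RIGHTS.items() if mask & bit]
            out.append((ACE_TYPES[ace_type], sid_to_str(sd[pos + 8:pos + size]),
                        bool(flags & INHERITED_ACE), rights))
        pos += size
    return out

def build_sample_sd(aces):
    """Constructed test data: pack (type, flags, mask, sid) tuples into an SD."""
    body = b"".join(struct.pack("<BBHI", t, f, 8 + len(s), m) + s
                    for t, f, m, s in aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

# Constructed SIDs: NT AUTHORITY\SELF (S-1-5-10) and a made-up domain account.
SELF_SID = b"\x01\x01" + (5).to_bytes(6, "big") + struct.pack("<I", 10)
USER_SID = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1104)
SAMPLE_SD = build_sample_sd([(0, 0, 0x20001, SELF_SID), (0, 0, 0x3, USER_SID),
                             (1, 0x10, 0x2, USER_SID)])
```

For the audit in the original question, the rows of interest are non-inherited `allow` entries carrying "Full mailbox access" for any trustee other than S-1-5-10 (SELF).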
