I wrote a while back about the Exchange System Manager, and while it was useful, it turns out that access rights to mailboxes are defined in the msExchMailboxSecurityDescriptor attribute in the AD. The problem is, rather than listing usernames, it lists ObjectIDs.

I’ve found a nifty way of pulling them out though:

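' Distinguished name of the mailbox-enabled user to inspect
DistinguishedName = "DN of Object"

' Bind to the user and read the mailbox security descriptor
Set objUser = GetObject("LDAP://" & DistinguishedName)
Set objSD = objUser.Get("msExchMailboxSecurityDescriptor")
Set dacl = objSD.DiscretionaryAcl

' Each ACE in the DACL names one trustee with rights on the mailbox
For Each ace In dacl
  WScript.Echo ace.Trustee
Next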


I’ve put this together in a script to report the access rights for lists of mail accounts. It’s one of those things I’ve been thinking about for a while, but finally got the chance to put it all together today.
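One way such a report could look, as an added example that is not the author's script: it uses the same ADSI calls as above plus each ACE's AccessMask, AceType and AceFlags properties, so the output shows what every trustee can do and whether the entry is explicit or inherited. The DN in the list is a constructed placeholder, and the mailbox-right bit values and their labels are assumptions that do not come from this post.

```vbscript
Option Explicit

Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACEFLAG_INHERITED_ACE = &H10

' Turn an ACE access mask into right names. &H10000-&H80000 are the standard
' Windows DELETE / READ_CONTROL / WRITE_DAC / WRITE_OWNER bits; the low three
' bits are assumed Exchange mailbox rights and should be checked for your version.
Function DescribeRights(mask)
    Dim names, bits, i, out
    names = Array("FullAccess", "SendAs", "ExternalAccount", "DeleteStorage", _
                  "ReadPermissions", "ChangePermissions", "TakeOwnership")
    bits = Array(&H1, &H2, &H4, &H10000, &H20000, &H40000, &H80000)
    out = ""
    For i = 0 To UBound(bits)
        If (mask And bits(i)) <> 0 Then out = out & names(i) & " "
    Next
    If out = "" Then out = "0x" & Hex(mask)   ' no known bit set: show the raw mask
    DescribeRights = Trim(out)
End Function

' Print one tab-separated line per ACE on the mailbox of the given user DN.
Sub ReportMailbox(dn)
    Dim objUser, objSD, ace, kind, origin
    On Error Resume Next
    Set objUser = GetObject("LDAP://" & dn)
    Set objSD = objUser.Get("msExchMailboxSecurityDescriptor")
    If Err.Number <> 0 Then
        ' Bad DN, no mailbox, or no permission to read the attribute
        WScript.Echo dn & vbTab & "ERROR: " & Err.Description
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    For Each ace In objSD.DiscretionaryAcl
        If ace.AceType = ADS_ACETYPE_ACCESS_DENIED Then kind = "DENY" Else kind = "ALLOW"
        If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then origin = "inherited" Else origin = "explicit"
        WScript.Echo dn & vbTab & ace.Trustee & vbTab & kind & vbTab & origin & _
                     vbTab & DescribeRights(ace.AccessMask)
    Next
End Sub

' Constructed placeholder list; replace with the DNs of the mailboxes to audit.
Dim dn
For Each dn In Array("CN=Example User,OU=Staff,DC=example,DC=com")
    ReportMailbox dn
Next
```

Run it with cscript so each line goes to the console and can be redirected to a file; explicit ALLOW entries for trustees other than the mailbox owner are the ones worth reviewing first.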


