They say you learn something new every day.

I wrote a while back about the Exchange System Manager, and while it was useful, it turns out that access rights to mailboxes are defined in the msExchMailboxSecurityDescriptor attribute in the AD. The problem is, rather than listing usernames, it lists ObjectIDs.

I’ve found a nifty way of pulling them out though:

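' DN of the mailbox-enabled user object to inspect
DistinguishedName = "DN of Object"

' Bind to the object and read the mailbox security descriptor
Set objUser = GetObject("LDAP://" & DistinguishedName)
Set objsd = objUser.Get("msExchMailboxSecurityDescriptor")
Set dacl = objsd.DiscretionaryAcl

' Each ACE in the DACL names one trustee
For Each ace In dacl
  WScript.Echo ace.Trustee
Next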

I’ve put this together in a script to report the access rights for lists of mail accounts. It’s one of those things I’ve been thinking about for a while, but finally got the chance to put it all together today.
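
A report along those lines could look like the following. This is an added example, not the author's script: the DN in `dnList` is a constructed placeholder, `ReportMailbox` and `Quote` are hypothetical helper names, and treating mask bit 0x1 as "Full mailbox access" is an assumption about Exchange 2000/2003 mailbox rights.

```vbscript
Option Explicit

' Standard ADSI values (ADS_ACETYPE_ENUM / ADS_ACEFLAG_ENUM).
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED  = 1
Const ADS_ACEFLAG_INHERITED_ACE  = &H10
' Assumption: bit 0x1 of the mask means "Full mailbox access".
Const MB_FULL_ACCESS = &H1

' Constructed placeholder DN; replace with the mailboxes to audit.
Dim dnList, dn
dnList = Array("CN=Example User,OU=Staff,DC=example,DC=com")

WScript.Echo "Mailbox,Trustee,Type,Inherited,Mask,FullAccess"
For Each dn In dnList
    ReportMailbox dn
Next

' Writes one CSV row per ACE so explicit (non-inherited) grants stand out.
Sub ReportMailbox(mailboxDn)
    Dim objUser, objSD, ace, aceType
    On Error Resume Next
    Set objUser = GetObject("LDAP://" & mailboxDn)
    Set objSD = objUser.Get("msExchMailboxSecurityDescriptor")
    If Err.Number <> 0 Then
        ' Bind failed or the attribute is not set (no mailbox).
        WScript.Echo Quote(mailboxDn) & ",ERROR 0x" & Hex(Err.Number)
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    For Each ace In objSD.DiscretionaryAcl
        Select Case ace.AceType
            Case ADS_ACETYPE_ACCESS_ALLOWED
                aceType = "Allow"
            Case ADS_ACETYPE_ACCESS_DENIED
                aceType = "Deny"
            Case Else
                aceType = "Type " & ace.AceType
        End Select
        WScript.Echo Quote(mailboxDn) & "," & Quote(ace.Trustee) & "," & aceType & "," & _
            CStr((ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0) & ",0x" & _
            Hex(ace.AccessMask) & "," & CStr((ace.AccessMask And MB_FULL_ACCESS) <> 0)
    Next
End Sub

' CSV-quote a value, doubling any embedded quotes.
Function Quote(s)
    Quote = """" & Replace(s, """", """""") & """"
End Function
```

Run it with `cscript //nologo` and redirect the output to a file; rows where Inherited is False and Type is Allow are the per-mailbox grants worth reviewing first.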

