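Option Explicit
'-------------------------------------------------------------------------
' mbacl.vbs
'
' Purpose: Looks up the directory object for a given mailbox (DN, SMTP
' address or mail nickname) and dumps the mailbox rights, i.e. the DACL of
' the security descriptor returned by the MailboxRights property.
'
' Runtime errors are not trapped and terminate the script.
'
' The script runs with the permissions of the logged-on user; the caller
' has to make sure the required permissions are in place.
'
' (c)2004 Net at Work Netzwerksysteme GmbH
'
' Prerequisite:
'   Exchange System Manager with 2000 SP2 or Exchange 2003
' References:
'   MSDN, search for IADsAccessControlEntry
'   KB 322890 How to associate an external account with an existing Exchange 2000 mailbox
'
' Version 1.0 (30. Aug 2006) Frank Carius
'   First version
' Version 1.1 (31. Aug 2006) Frank Carius
'   Improved output of the rights
' Version 1.2 (31. Aug 2006) Frank Carius
'   Added output of the Exchange-specific description
'-------------------------------------------------------------------------

' Output detail level: 0 = one line per ACE, > 0 = additionally decode
' AccessMask, AceType, AceFlags and Flags into their symbolic names.
Const intDetail = 1

' Lookup tables. Each one is a flat array of (value, symbolic name,
' description) triples, hence the "Step 3" loops below.
Dim AccessMask, AccessMaskEx, AceType, AceFlags, Flags

' Generic ADSI access-mask bits (reference data, currently not printed).
' ms-help://MS.MSDNQTR.v80.en/MS.MSDN.v80/MS.WIN32COM.v10.en/adsi/adsi/iadsaccesscontrolentry_property_methods.htm
AccessMask = Array( _
    &H10000, "ADS_RIGHT_DELETE", "The right to delete the object.", _
    &H20000, "ADS_RIGHT_READ_CONTROL", "The right to read data from the security descriptor of the object, not including the data in the SACL.", _
    &H40000, "ADS_RIGHT_WRITE_DAC", "The right to modify the discretionary access-control list (DACL) in the object security descriptor.", _
    &H80000, "ADS_RIGHT_WRITE_OWNER", "The right to assume ownership of the object. The User must be an object trustee. The User cannot transfer the ownership to other Users.", _
    &H100000, "ADS_RIGHT_SYNCHRONIZE", "The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.", _
    &H1000000, "ADS_RIGHT_ACCESS_SYSTEM_SECURITY", "The right to get or set the SACL in the object security descriptor.", _
    &H80000000, "ADS_RIGHT_GENERIC_READ", "The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container.", _
    &H40000000, "ADS_RIGHT_GENERIC_WRITE", "The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.", _
    &H20000000, "ADS_RIGHT_GENERIC_EXECUTE", "The right to read permissions on, and list the contents of, a container object.", _
    &H10000000, "ADS_RIGHT_GENERIC_ALL", "The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right.", _
    &H1, "ADS_RIGHT_DS_CREATE_CHILD", "The right to create child objects of the object. The ObjectType member of an ACE can contain a GUID that identifies the type of child object whose creation is controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object types.", _
    &H2, "ADS_RIGHT_DS_DELETE_CHILD", "The right to delete child objects of the object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types.", _
    &H4, "ADS_RIGHT_ACTRL_DS_LIST", "The right to list child objects of this object. For more information about this right, see Controlling Object Visibility.", _
    &H8, "ADS_RIGHT_DS_SELF", "The right to perform an operation controlled by a validated write access right. The ObjectType member of an ACE can contain a GUID that identifies the validated write. If ObjectType does not contain a GUID, the ACE controls the rights to perform all valid write operations associated with the object.", _
    &H10, "ADS_RIGHT_DS_READ_PROP", "The right to read properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object properties.", _
    &H20, "ADS_RIGHT_DS_WRITE_PROP", "The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object properties.", _
    &H40, "ADS_RIGHT_DS_DELETE_TREE", "The right to delete all child objects of this object, regardless of the permissions of the child objects.", _
    &H80, "ADS_RIGHT_DS_LIST_OBJECT", "The right to list a particular object. If the User is not granted such a right, and the User does not have ADS_RIGHT_ACTRL_DS_LIST set on the object parent, the object is hidden from the User. This right is ignored if the third character of the dSHeuristics property is '0' or not set. For more information, see Controlling Object Visibility.", _
    &H100, "ADS_RIGHT_DS_CONTROL_ACCESS", "The right to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object.")

' The same bits with the meaning Exchange gives them on a mailbox
' security descriptor (this is the table that gets printed). The "?"
' entry reflects uncertainty about the mapping and is kept as is.
AccessMaskEx = Array( _
    &H10000, "ADS_RIGHT_DELETE", "Postfachspeicher löschen", _
    &H20000, "ADS_RIGHT_READ_CONTROL", "Leseberechtigungen", _
    &H40000, "ADS_RIGHT_WRITE_DAC", "änderungsberechtiungen", _
    &H80000, "ADS_RIGHT_WRITE_OWNER", "In Besitz nehmen", _
    &H1, "ADS_RIGHT_DS_CREATE_CHILD", "Vollständiger Postfachzugriff", _
    &H2, "ADS_RIGHT_DS_DELETE_CHILD", "Vollständiger Postfachzugriff ?", _
    &H4, "ADS_RIGHT_ACTRL_DS_LIST", "Zugeordnetes externes Konto")

' ACE types. NOTE: this is an enumeration, not a bit mask - an ACE has
' exactly one type, so it is matched by equality (see EchoTypeName).
AceType = Array( _
    0, "ADS_ACETYPE_ACCESS_ALLOWED", "The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and InheritedObjectType fields are NULL.", _
    &H1, "ADS_ACETYPE_ACCESS_DENIED", "The ACE is of the standard ACCESS DENIED type, where the ObjectType and InheritedObjectType fields are NULL.", _
    &H2, "ADS_ACETYPE_SYSTEM_AUDIT", "The ACE is of the standard SYSTEM AUDIT type, where the ObjectType and InheritedObjectType fields are NULL.", _
    &H5, "ADS_ACETYPE_ACCESS_ALLOWED_OBJECT", "The ACE grants access to an object or a subobject of the object, such as a property set or property. ObjectType or InheritedObjectType or both contain a GUID that identifies a property set, property, extended right, or type of child object.Windows NT 4.0: Not used.", _
    &H6, "ADS_ACETYPE_ACCESS_DENIED_OBJECT", "The ACE denies access to an object or a subobject of the object, such as a property set or property. ObjectType or InheritedObjectType or both contain a GUID that identifies a property set, property, extended right, or type of child object.Windows NT 4.0: Not used.", _
    &H7, "ADS_ACETYPE_SYSTEM_AUDIT_OBJECT", "The ACE audits access to an object or a subobject of the object, such as a property set or property. ObjectType or InheritedObjectType or both contain a GUID that identifies a property set, property, extended right, or type of child object.Windows NT 4.0: Not used.", _
    &H8, "ADS_ACETYPE_SYSTEM_ALARM_OBJECT", "Not used.", _
    &H9, "ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK", "Same functionality as ADS_ACETYPE_ACCESS_ALLOWED, but used with applications that use Authz to verify ACEs.Windows NT 4.0: Not used.", _
    &HA, "ADS_ACETYPE_ACCESS_DENIED_CALLBACK", "Same functionality as ADS_ACETYPE_ACCESS_DENIED, but used with applications that use Authz to verify ACEs.Windows NT 4.0: Not used.", _
    &HB, "ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK_OBJECT", "Same functionality as ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, but used with applications that use Authz to verify ACEs.Windows NT 4.0: Not used.", _
    &HC, "ADS_ACETYPE_ACCESS_DENIED_CALLBACK_OBJECT", "Same functionality as ADS_ACETYPE_ACCESS_DENIED_OBJECT, but used with applications that use Authz to check ACEs.Windows NT 4.0: Not used.", _
    &HD, "ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK", "Same functionality as ADS_ACETYPE_SYSTEM_AUDIT, but used with applications that use Authz to check ACEs.Windows NT 4.0: Not used.", _
    &HE, "ADS_ACETYPE_SYSTEM_ALARM_CALLBACK", "Not used.", _
    &HF, "ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK_OBJECT", "Same functionality as ADS_ACETYPE_SYSTEM_AUDIT_OBJECT, but used with applications that use Authz to verify ACEs.Windows NT 4.0: Not used.", _
    &H10, "ADS_ACETYPE_SYSTEM_ALARM_CALLBACK_OBJECT", "Not used.")

' ACE flags (bit mask). &H1F is the mask of all inherit bits, so that
' entry only prints when every inherit bit is set.
AceFlags = Array( _
    &H2, "ADS_ACEFLAG_INHERIT_ACE", "Child objects will inherit this access-control entry (ACE). The inherited ACE is inheritable unless the ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE flag is set.", _
    &H4, "ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE", "The system will clear the ADS_ACEFLAG_INHERIT_ACE flag for the inherited ACEs of child objects. This prevents the ACE from being inherited by subsequent generations of objects.", _
    &H8, "ADS_ACEFLAG_INHERIT_ONLY_ACE", "Indicates that an inherit-only ACE that does not exercise access control on the object to which it is attached. If this flag is not set, the ACE is an effective ACE that exerts access control on the object to which it is attached.", _
    &H10, "ADS_ACEFLAG_INHERITED_ACE", "Indicates whether or not the ACE was inherited. The system sets this bit.", _
    &H1F, "ADS_ACEFLAG_VALID_INHERIT_FLAGS", "Indicates whether the inherit flags are valid. The system sets this bit.", _
    &H40, "ADS_ACEFLAG_SUCCESSFUL_ACCESS", "Generates audit messages for successful access attempts, used with ACEs that audit the system in a system access-control list (SACL).", _
    &H80, "ADS_ACEFLAG_FAILED_ACCESS", "Generates audit messages for failed access attempts, used with ACEs that audit the system in a SACL.")

' Object-type presence flags (bit mask).
Flags = Array( _
    &H1, "ADS_FLAG_OBJECT_TYPE_PRESENT", "The ObjectType field is present in the ACE.", _
    &H2, "ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT", "The InheritedObjectType field is present in the ACE.")

'-------------------------------------------------------------------------
' Main
'-------------------------------------------------------------------------
Dim strInput    ' raw user input (command line or InputBox)
Dim strDN       ' ADsPath to dump, or the diagnostic value returned by SearchGC

' Read the input from the command line or prompt for it.
If WScript.Arguments.Count = 1 Then
    strInput = WScript.Arguments(0)
Else
    strInput = InputBox("Bitte SamAccountname, Mailadresse oder DN eingeben")
End If
WScript.Echo "Ihre Eingabe:" & strInput

' An empty value (InputBox cancelled) would produce an invalid LDAP filter.
If Len(strInput) = 0 Then
    WScript.Echo "Keine Eingabe - Abbruch"
    WScript.Quit 1
End If

' Decide how to interpret the input: a DN is bound to directly, everything
' else is resolved through a Global Catalog search. The value is escaped
' so that LDAP filter metacharacters in the input cannot change the filter.
If InStr(LCase(strInput), "cn=") = 1 Then
    WScript.Echo "Eingabe wird als DN interpretiert"
    strDN = "LDAP://" & strInput
ElseIf InStr(strInput, "@") <> 0 Then
    WScript.Echo "Eingabe wird als Mailadresse interpretiert"
    strDN = SearchGC("(proxyaddresses=SMTP:" & EscapeLdapFilterValue(strInput) & ")")
Else
    WScript.Echo "Eingabe wird als Alias (MailNickname) interpretiert"
    strDN = SearchGC("(mailnickname=" & EscapeLdapFilterValue(strInput) & ")")
End If

' SearchGC returns an ADsPath on a unique hit, "NONE" on no hit and the
' hit count on an ambiguous filter; only an ADsPath contains "cn=".
If InStr(LCase(strDN), "cn=") = 0 Then
    WScript.Echo "Kein gültiger DN ermittelbar:" & strDN
Else
    Call DumpMailboxACL(strDN)
End If

'-------------------------------------------------------------------------
' Dumps the mailbox rights DACL of the object at sUserADsPath.
'   sUserADsPath: ADsPath of the mailbox-enabled object ("LDAP://CN=...")
' One line per ACE is printed; with intDetail > 0 the numeric AccessMask,
' AceType, AceFlags and Flags values are decoded into symbolic names.
' Runtime errors (bind failure, missing MailboxRights) are not trapped.
'-------------------------------------------------------------------------
Sub DumpMailboxACL(sUserADsPath)
    Dim objUser, oSecurityDescriptor, dacl, ace, totalacl

    WScript.Echo "Bind:" & sUserADsPath
    Set objUser = GetObject(sUserADsPath)

    ' MailboxRights yields the mailbox security descriptor; its DACL is
    ' enumerated as IADsAccessControlEntry objects.
    Set oSecurityDescriptor = objUser.MailboxRights
    Set dacl = oSecurityDescriptor.DiscretionaryAcl

    WScript.Echo "Existing ACEs in the mailbox's DACL:"
    WScript.Echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"

    totalacl = 0
    For Each ace In dacl
        totalacl = totalacl + 1
        WScript.Echo ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType
        If intDetail > 0 Then
            EchoBitNames AccessMaskEx, ace.AccessMask, " AccessMask:", True
            ' AceType is matched by equality: a bit-wise test would report
            ' ACCESS_ALLOWED (value 0) for every ACE and ACCESS_DENIED (1)
            ' for every *_OBJECT type with an odd value, mislabelling the ACE.
            EchoTypeName AceType, ace.AceType, " AceType :"
            EchoBitNames AceFlags, ace.AceFlags, " AceFlags :", False
            EchoBitNames Flags, ace.Flags, " Flags: ", False
        End If
    Next
    WScript.Echo "----------------------Total ACLs:" & totalacl
End Sub

'-------------------------------------------------------------------------
' Prints the symbolic name of every entry in arrTable whose value bits are
' all set in lngValue.
'   arrTable:   flat array of (value, name, description) triples
'   lngValue:   the mask to decode
'   strLabel:   prefix of each output line
'   blnDetail:  True = also print the description after a tab
'-------------------------------------------------------------------------
Sub EchoBitNames(arrTable, lngValue, strLabel, blnDetail)
    Dim i
    For i = 0 To UBound(arrTable) Step 3
        If (arrTable(i) And lngValue) = arrTable(i) Then
            If blnDetail Then
                WScript.Echo strLabel & arrTable(i + 1) & vbTab & " Detail:" & arrTable(i + 2)
            Else
                WScript.Echo strLabel & arrTable(i + 1)
            End If
        End If
    Next
End Sub

'-------------------------------------------------------------------------
' Prints the symbolic name of the entry in arrTable whose value equals
' lngValue (for enumerations such as the ACE type).
'-------------------------------------------------------------------------
Sub EchoTypeName(arrTable, lngValue, strLabel)
    Dim i
    For i = 0 To UBound(arrTable) Step 3
        If arrTable(i) = lngValue Then
            WScript.Echo strLabel & arrTable(i + 1)
        End If
    Next
End Sub

'-------------------------------------------------------------------------
' Escapes a value for use inside an LDAP search filter (RFC 4515):
' backslash, '*', '(', ')' and NUL are replaced by their \xx form so the
' value is matched literally and cannot widen or restructure the filter.
' The backslash must be replaced first so the other escapes are not
' escaped twice.
'-------------------------------------------------------------------------
Function EscapeLdapFilterValue(strValue)
    Dim strResult
    strResult = Replace(strValue, "\", "\5c")
    strResult = Replace(strResult, "*", "\2a")
    strResult = Replace(strResult, "(", "\28")
    strResult = Replace(strResult, ")", "\29")
    strResult = Replace(strResult, Chr(0), "\00")
    EscapeLdapFilterValue = strResult
End Function

'-------------------------------------------------------------------------
' Runs strSearchfilter (a complete LDAP filter; values must already be
' escaped) as a subtree search against the Global Catalog.
' Returns the ADsPath of the object on exactly one hit, the string "NONE"
' on no hit and the number of hits otherwise.
'-------------------------------------------------------------------------
Function SearchGC(strSearchfilter)
    Dim oConnection   ' ADODB.Connection
    Dim oRecordset    ' ADODB.Recordset
    Dim oCont         ' IADsContainer for the "GC:" namespace
    Dim oGC           ' IADs
    Dim strADsPath    ' ADsPath of the Global Catalog
    Dim lngHits

    ' Locate a Global Catalog server by enumerating the GC: namespace
    ' (the last enumerated entry wins).
    Set oCont = GetObject("GC:")
    For Each oGC In oCont
        strADsPath = oGC.ADsPath
    Next

    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Provider = "ADsDSOObject"   ' the ADSI OLE DB provider
    oConnection.Open "ADs Provider"
    Set oRecordset = oConnection.Execute("<" & strADsPath & ">;" & strSearchfilter & ";adsPath;subtree")

    ' Read the count once, before the recordset is closed.
    lngHits = oRecordset.RecordCount
    If lngHits = 0 Then
        SearchGC = "NONE"
    ElseIf lngHits = 1 Then
        SearchGC = oRecordset.Fields("adsPath").Value
    Else
        SearchGC = lngHits
    End If

    ' Release the recordset and the connection explicitly.
    oRecordset.Close
    oConnection.Close
    Set oRecordset = Nothing
    Set oConnection = Nothing
    Set oGC = Nothing
    Set oCont = Nothing
End Function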