Delegated Admin View Only

systinte5:

I have a need within my application to verify if a given user has the view only admin rights delegated to him / her. I wish to enumerate within a C#.NET application all user names who have such access. I downloaded the Exch 2003 SDK and browsed through the samples. I didn't find any that resembles what I am looking for. My feeling is I would have to examine the Security Descriptor of the Exch object and examine its DACL and iterate through all ACEs? Don't know what Exch object I should be opening. Any pointers will be appreciated.

Thanks.

Glen Scales [MVP]:

The only DACL you should have to check is the root of the Exchange configuration container in the Active Directory Configuration partition, e.g.

    ' Bind to the Exchange container in the Configuration partition
    Set iAdRootDSE = GetObject("LDAP://RootDSE")
    strNameingContext = iAdRootDSE.Get("configurationNamingContext")
    sUserADsPath = "LDAP://CN=Microsoft Exchange,CN=Services," & strNameingContext
    Set objadlist = GetObject(sUserADsPath)
    Set oSecurityDescriptor = objadlist.Get("ntSecurityDescriptor")
    Set dacl = oSecurityDescriptor.DiscretionaryAcl
    Set ace = CreateObject("AccessControlEntry")
    ' Report each ACE whose AceFlags is 2 and whose mask matches a known role
    For Each ace In dacl
        If ace.AceFlags = 2 Then
            Select Case ace.AccessMask
                Case 131220
                    WScript.Echo ace.Trustee & " Exchange View Only Administrator"
                Case 197119
                    WScript.Echo ace.Trustee & " Exchange Administrator"
                Case 983551
                    WScript.Echo ace.Trustee & " Exchange Full Administrator"
            End Select
        End If
    Next
    WScript.Echo
    WScript.Echo "Done viewing descriptor"

On 2007 this is done via groups rather than adding each user explicitly.

Cheers
Glen

systinte5:

Thanks Glen. I appreciate it. I will try this out. Thanks again.
systinte5:

Thanks Glen,

I tried it in .NET 2.0 (C#). It worked well. I noticed, besides the three AccessMask values, there was another one I encountered: 131092, by trustee 'Exchange Domain Servers'. I tried on Exch 2003. For my knowledge and future reference, can you point me to the source where these access masks are documented? I tried the Exch SDK and .NET Framework and didn't find a source for these values (131092 etc). Again, I appreciate your post. You were a great help. Thanks.
Glen Scales [MVP]:

I've never seen them fully documented, probably
http://books.google.com.au/books?id=Xy54BfNok-8C&pg=PA184&lpg=PA184&dq=exchange+accessmask&source=bl&ots=3I84KaKC6p&sig=FwufDgETNBDC2NCgR6bNkEZIWW8&hl=en&sa=X&oi=book_result&resnum=3&ct=result#PPA185,M1
is the best I've seen.

Cheers
Glen
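
The AccessMask numbers exchanged in this thread are combinations of the standard ADS_RIGHTS_ENUM bits, so they can be decoded rather than looked up. The following C# sketch is an added example, not code from any poster in the thread; the `AdsRights` enum, the `ExchangeAceDecoder` class and the `EXAMPLE\` trustees are names made up for illustration, and the sample ACEs are constructed.

```csharp
// Added example (not from the thread): decode the AccessMask values quoted above.
using System;
using System.Collections.Generic;

// Bit values are the ADS_RIGHTS_ENUM constants from the ADSI headers.
[Flags]
enum AdsRights : uint
{
    CreateChild = 0x1, DeleteChild = 0x2, ListChildren = 0x4, Self = 0x8,
    ReadProperty = 0x10, WriteProperty = 0x20, DeleteTree = 0x40,
    ListObject = 0x80, ControlAccess = 0x100,
    Delete = 0x10000, ReadControl = 0x20000, WriteDac = 0x40000, WriteOwner = 0x80000
}

static class ExchangeAceDecoder
{
    // AceFlags value the posted script filters on (CONTAINER_INHERIT_ACE only).
    const int ContainerInherit = 2;

    // Mask values and role names exactly as given in the thread.
    static readonly Dictionary<uint, string> Roles = new Dictionary<uint, string>
    {
        { 131220, "Exchange View Only Administrator" },
        { 197119, "Exchange Administrator" },
        { 983551, "Exchange Full Administrator" }
    };

    // Returns "trustee: 0xMASK [decoded rights] -> role".
    public static string Describe(string trustee, int aceFlags, uint mask)
    {
        string role;
        if (aceFlags != ContainerInherit || !Roles.TryGetValue(mask, out role))
            role = "no role named in the thread";
        return string.Format("{0}: 0x{1:X} [{2}] -> {3}",
                             trustee, mask, (AdsRights)mask, role);
    }

    static void Main()
    {
        // Constructed sample ACEs: trustee, AceFlags, AccessMask. The EXAMPLE\ names
        // and AceFlags are assumed; mask 131092 on that trustee is from the thread.
        Console.WriteLine(Describe(@"EXAMPLE\helpdesk", 2, 131220));
        Console.WriteLine(Describe(@"EXAMPLE\exadmin", 2, 197119));
        Console.WriteLine(Describe(@"EXAMPLE\orgadmin", 2, 983551));
        Console.WriteLine(Describe(@"EXAMPLE\Exchange Domain Servers", 2, 131092));
        // 18 = INHERITED_ACE | CONTAINER_INHERIT_ACE: skipped by the AceFlags = 2 test.
        Console.WriteLine(Describe(@"EXAMPLE\helpdesk", 18, 131220));
    }
}
```

Decoded, 131220 is ReadControl plus ListChildren, ReadProperty and ListObject, and 131092 is the same set without ListObject. In System.DirectoryServices the values 131220 and 983551 are also the `ActiveDirectoryRights` members `GenericRead` and `GenericAll`.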