0 votes

I've got the following script so far using the SDK but running into an error:

You cannot call a method on a null-valued expression.
At line:1 char:1
+ $Context.BindToObjectByDN($object.SearchResult.AdsPath.DN)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Here's my script currently:

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Reference custom report columns
$column_access = "{e4626b03-8fc7-4baa-8961-2a6fe0e19699}" # Column ID of the Access custom text column
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" # Column ID of the Mailbox custom objectID column

# Split out multiple mailboxes
$mailboxes = "%param-Mailbox%"
$mailboxes = $mailboxes.split(";")

Foreach ($mailbox in $mailboxes) {

    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, "$mailbox")

    # Bind to the mailbox
    $user = $admService.OpenObject("Adaxes://$mailbox", $NULL, $NULL, 0)

    # Get Exchange properties
    $mailboxParams = $user.GetMailParameters()

    # Full Access
    $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
    if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Full Access")
        foreach ($object in $fullAccess) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }

    # Send As
    $sendAs = $mailboxParams.SendAs
    if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Send As")
        foreach ($object in $sendAs) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }

    # Send on Behalf Of
    $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
    if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Send On Behalf Of")
        foreach ($object in $sendOnBehalfOf) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }
}
by (260 points)
0

I'm thinking something like this

screenshot

0

Hello Richard,

Do we understand correctly that the Name and Email columns should contain comma-separated names and email addresses of all the delegates independently of the permissions they have?

0

There should be a line per 'name', per mailbox? It shows myself there twice, so it should be able to show a result per line, right? Just with the combined permission type rather than that being per line too?

0

Hello Richard,

The Name column is always present in a report. The best approach for multiple mailboxes would be as follows:

  • The report items will be grouped by the selected mailbox.
  • Each group will contain the objects that are granted permissions over the mailbox.
  • The report will have the Name column for delegates and custom columns Send on Behalf, Full Access and Send As.
  • Each custom column will have value Yes or No based on the permissions of the delegate in the mailbox.

Does this approach meet your needs?
0

I think I've managed to create what I'm after now. It seems to be working well for me (added a parameter for the permission type).

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Reference custom report columns
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" # Column ID of the Mailbox custom objectID column
$column_permission = "{d5ae6fbf-3ce6-4ab1-8ada-dce2c64fa8a4}" # Column ID of the Permission custom column

# Split out multiple mailboxes
$mailboxes = "%param-Mailbox%"
$mailboxes = $mailboxes.split(";")

Foreach ($mailbox in $mailboxes) {

    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, "$mailbox")
    $columnValues.Add($column_permission, "%param-permission%")

    # Bind to the mailbox
    $user = $admService.OpenObject("Adaxes://$mailbox", $NULL, $NULL, 0)

    # Get Exchange properties
    $mailboxParams = $user.GetMailParameters()

    If ("%param-permission%" -eq "Full Access"){
        $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
        if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
        Else {
            foreach ($object in $fullAccess) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN")
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
    ElseIf ("%param-permission%" -eq "Send As"){
        $sendAs = $mailboxParams.SendAs
        if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
        Else {
            foreach ($object in $sendAs) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN") 
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
    Else {
        $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
        if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
        Else {
            foreach ($object in $sendOnBehalfOf) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report 
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN") 
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
}

Also created one for running on an OU/Domain too (might take a while)

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")


# Search filter
$filterUsers = "(sAMAccountType=805306368)"
$Context.DirectorySearcher.AppendFilter($filterUsers)

# Reference custom report columns
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" # Column ID of the Mailbox custom objectID column
$column_permission = "{d5ae6fbf-3ce6-4ab1-8ada-dce2c64fa8a4}" # Column ID of the Permission custom column

# Add properties necessary to generate the report
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("distinguishedname")

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        $MailboxDN = $searchResult.GetPropertyByName("distinguishedname").Values[0]

        # Bind to the mailbox
        $user = $admService.OpenObject("Adaxes://$mailboxDN", $NULL, $NULL, 0)

        # Get Exchange properties
        $mailboxParams = $user.GetMailParameters()

        $columnValues = @{
            $column_mailbox = $MailboxDN;
            $column_permission = "%param-permission%";}
        #$Context.Items.Add($searchResult, $columnValues, $NULL)

        If ("%param-permission%" -eq "Full Access"){
            $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
            if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
            Else {
                foreach ($object in $fullAccess) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN")
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
        ElseIf ("%param-permission%" -eq "Send As"){
            $sendAs = $mailboxParams.SendAs
            if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
            Else {
                foreach ($object in $sendAs) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN") 
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
        Else {
            $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
            if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
            Else {
                foreach ($object in $sendOnBehalfOf) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report 
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN") 
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}

1 Answer

0 votes
by (294k points)

Hello Richard,

The scripts will not work properly as Send As and Send on Behalf permissions are retrieved as collections, not as arrays. We have updated the scripts accordingly.

Script 1

$permissionParameterValue = "%param-permission%"

# Reference custom report columns
$column_mailbox = "{b12566fb-25a3-41d1-96fe-db944a2f6c7d}" # Column ID of the Mailbox custom objectID column
$column_permission = "{577c8156-b6ef-4e07-a931-ceddea75bf2c}" # Column ID of the Permission custom column

# Split out multiple mailboxes
$mailboxDNs = "%param-Mailbox%".Split(";")

foreach ($mailboxDN in $mailboxDNs) 
{
    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, $mailboxDN)
    $columnValues.Add($column_permission, $permissionParameterValue)

    # Get Exchange properties
    $user = $Context.BindToObjectByDNEx($mailboxDN, $True)
    $mailboxParams = $user.GetMailParameters()

    $objectFound = 0
    if ($permissionParameterValue -eq "Full Access")
    {
        $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
        foreach ($object in $fullAccess) 
        {
            if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            # Add item to report
            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }
    elseif ($permissionParameterValue -eq "Send As")
    {
        $sendAs = $mailboxParams.SendAs
        for ($i = 0; $i -lt $sendAs.Count; $i++)
        {
            $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }
    else
    {
        $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
        for ($i = 0; $i -lt $sendOnBehalfOf.Count; $i++)
        {
            $object = $sendOnBehalfOf.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }

    if ($objectFound -eq 0) 
    {
        $Context.Items.Add(-1, "No '$permissionParameterValue' rights on mailbox", "Information", $columnValues)
        continue
    }
}

Script 2

$permissionParameterValue = "%param-permission%"

# Reference custom report columns
$column_mailbox = "{b12566fb-25a3-41d1-96fe-db944a2f6c7d}" # Column ID of the Mailbox custom objectID column
$column_permission = "{577c8156-b6ef-4e07-a931-ceddea75bf2c}" # Column ID of the Permission custom column

$Context.DirectorySearcher.AppendFilter("(&(sAMAccountType=805306368)(msExchRecipientTypeDetails=1))")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("distinguishedname")
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $mailboxDN = $searchResult.GetPropertyByName("distinguishedname").Values[0]

        # Create hash table and specify column value
        $columnValues = @{ }
        $columnValues.Add($column_mailbox, $mailboxDN)
        $columnValues.Add($column_permission, $permissionParameterValue)

        # Get Exchange properties
        $user = $Context.BindToObjectBySearchResultEx($searchResult, $True)
        $mailboxParams = $user.GetMailParameters()

        $objectFound = 0
        if ($permissionParameterValue -eq "Full Access")
        {
            $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
            foreach ($object in $fullAccess) 
            {
                if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                # Add item to report
                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }
        elseif ($permissionParameterValue -eq "Send As")
        {
            $sendAs = $mailboxParams.SendAs
            for ($i = 0; $i -lt $sendAs.Count; $i++)
            {
                $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
                if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }
        else
        {
            $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
            for ($i = 0; $i -lt $sendOnBehalfOf.Count; $i++)
            {
                $object = $sendOnBehalfOf.GetItem($i, [ref]"ADS_PROPERTY_NONE")
                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }

        if ($objectFound -eq 0) 
        {
            $Context.Items.Add(-1, "No '$permissionParameterValue' rights on mailbox", "Information", $columnValues)
            continue
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
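
The grouping described in the support comment earlier in the thread (one row per delegate, with Yes/No for Full Access, Send As and Send on Behalf), combined with this answer's filters for well-known principals and unresolved trustees, as an added example that is not part of the original answer or of Adaxes. It runs in plain PowerShell on constructed data; Get-DelegateMatrix, the ObjectSid/DN record shape and the two ignored SIDs are assumptions standing in for the Adaxes trustee objects and its IsWellKnown check.

```powershell
function Get-DelegateMatrix {
    param(
        [Parameter(Mandatory)] [string] $MailboxDN,
        [Parameter(Mandatory)] [hashtable] $TrusteesByPermission,
        # Assumed stand-in for the well-known principal check: SELF and SYSTEM
        [string[]] $IgnoredSids = @('S-1-5-10', 'S-1-5-18')
    )

    $rows = [ordered]@{}
    foreach ($permission in $TrusteesByPermission.Keys) {
        foreach ($trustee in $TrusteesByPermission[$permission]) {
            # Skip built-in principals; they are not real delegates
            if ($trustee.ObjectSid -and $IgnoredSids -contains $trustee.ObjectSid) { continue }
            # Skip trustees that no longer resolve to a directory object
            if ([string]::IsNullOrEmpty($trustee.DN)) { continue }

            # One row per delegate, keyed case-insensitively by DN
            $key = $trustee.DN.ToLowerInvariant()
            if (-not $rows.Contains($key)) {
                $rows[$key] = [ordered]@{
                    Mailbox          = $MailboxDN
                    Delegate         = $trustee.DN
                    'Full Access'    = 'No'
                    'Send As'        = 'No'
                    'Send On Behalf' = 'No'
                }
            }
            $rows[$key][$permission] = 'Yes'
        }
    }
    foreach ($row in $rows.Values) { [pscustomobject]$row }
}

# Constructed sample data: SIDs and DNs are made up for illustration
$alice = 'CN=Alice Example,OU=Staff,DC=example,DC=com'
$bob   = 'CN=Bob Example,OU=Staff,DC=example,DC=com'
$trustees = @{
    'Full Access' = @(
        [pscustomobject]@{ ObjectSid = 'S-1-5-10'; DN = $null }                       # SELF
        [pscustomobject]@{ ObjectSid = 'S-1-5-21-1111-2222-3333-1104'; DN = $alice }
    )
    'Send As' = @(
        [pscustomobject]@{ ObjectSid = 'S-1-5-21-1111-2222-3333-1104'; DN = $alice }
        [pscustomobject]@{ ObjectSid = 'S-1-5-21-1111-2222-3333-1999'; DN = $null }  # orphaned SID
    )
    'Send On Behalf' = @(
        [pscustomobject]@{ ObjectSid = $null; DN = $bob }
    )
}

Get-DelegateMatrix -MailboxDN 'CN=Shared Finance,OU=Mailboxes,DC=example,DC=com' -TrusteesByPermission $trustees |
    Format-Table -AutoSize
```

Orphaned SIDs are dropped from the matrix here, mirroring the answer's null SearchResult check; for an access review it is worth logging them separately, since they are stale permission entries that still exist on the mailbox.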
