Adaxes

Trying to create a report to show the delegate access on selected mailbox

0 votes

I've got the following script so far using the SDK but running into an error:

You cannot call a method on a null-valued expression.
At line:1 char:1
+ $Context.BindToObjectByDN($object.SearchResult.AdsPath.DN)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Here's my script currently:

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Reference Custom report collumns
$column_access = "{e4626b03-8fc7-4baa-8961-2a6fe0e19699}" #Collumn ID of Access custom text collumn
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" #Collumn ID of Mailbox custom objectID collumn

# Split out multiple mailboxes
$mailboxes = "%param-Mailbox%"
$mailboxes = $mailboxes.split(";")

Foreach ($mailbox in $mailboxes) {

    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, "$mailbox")

    # Bind to the mailbox
    $user = $admService.OpenObject("Adaxes://$mailbox", $NULL, $NULL, 0)

    # Get Exchange properties
    $mailboxParams = $user.GetMailParameters()

    # Full Access
    $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
    if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Full Access")
        foreach ($object in $fullAccess) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }

    # Send As
    $sendAs = $mailboxParams.SendAs
    if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Send As")
        foreach ($object in $sendAs) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }

    # Send on Behalf Of
    $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
    if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
    Else {
        # Specify column value
        $columnValues.Add($column_access, "Send On Behalf Of")
        foreach ($object in $sendOnBehalfOf) {
            If ($object.DisplayName -ne "self"){
                # Add item to report 
                $item = $Context.BindToObjectByDN("$object.SearchResult.AdsPath.DN") 
                $Context.Items.Add($item, $columnValues)
            }
        }
    }
}
by (260 points)
0

Hello Richard,

Sorry for the confusion, but we are not sure what exactly you are trying to achieve. Are you trying to generate a report using a script? Could you please, describe the desired behavior in all the possible details with live examples?

by (289k points)
0

I'm trying to get a report to show the delegate access on a mailbox in exchange, showing the access type and also which mailbox (so multiple can be selected) showing the delegate user's information e.g. department.

Something like this (I've manually specified my DN here for my account in the results as the above script isn't working): Annotation 2021-05-19 135718.png

I can see the information in exchange properties for each individual mailbox but can't export and can't run for multiple mailboxes

by (260 points)
0

I'm following this guide but trying to adapt it to run in a report

by (260 points)
0

Hello Richard,

Thank you for clarifying. For a mailbox, each type of permissions can be delegated to multiple objects. Unfortunately, it is not possible to make multi-line output in report columns. As a solution, we suggest that report items will be grouped by the mailboxes selected in the report parameter (e.g. name and ADS path of the account will be displayed) and then information on the delegates will be displayed. There will also be another parameter that will be used to select the type of permissions for which to output delegates. Does this approach meet your needs?

by (289k points)
0

Ahh ok, that's unfortunate, is it possible to assemble the results into a string per user?

so text collumn for email address of mailboxes and seperated with a semicolon, and same for permission type?

by (260 points)
0

Hello Richard,

What exactly do you mean? Could you, please, provide a live example of such a report with a detailed description of columns?

by (289k points)
0

I'm thinking something like this

screenshot

by (260 points)
0

Hello Richard,

Do we understand correctly that the Name and Email columns should contain comma-separated names and email addresses of all the delegates independently on the permissions they have?

by (289k points)
0

there's should be a line per 'name', per mailbox? it shows myself there twice so should be able to show a result per line right? just with the combined permission type rather than that being per line too?

by (260 points)
0

Hello Richard,

The Name column is always present in a report. The best approach for multiple mailboxes would be as follows:

  • The report items will be grouped by the selected mailbox.
  • Each group will contain the objects that are granted permissions over the mailbox.
  • The report will have the Name column for delegates and custom columns Send on Behalf, Full Access and Send As.
  • Each custom column will have value Yes or No based on the permissions of the delegate in the mailbox. Does this approach meet your needs?
by (289k points)
reshown by
0

I think i've managed to create what I'm after now. It seems to be working well for me (added a parameter for the permission type)

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Reference Custom report collumns
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" #Collumn ID of Mailbox custom objectID collumn
$column_permission = "{d5ae6fbf-3ce6-4ab1-8ada-dce2c64fa8a4}" #Collumn ID of Mailbox custom objectID collumn

{d5ae6fbf-3ce6-4ab1-8ada-dce2c64fa8a4}

# Split out multiple mailboxes
$mailboxes = "%param-Mailbox%"
$mailboxes = $mailboxes.split(";")

Foreach ($mailbox in $mailboxes) {

    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, "$mailbox")
    $columnValues.Add($column_permission, "%param-permission%")

    # Bind to the mailbox
    $user = $admService.OpenObject("Adaxes://$mailbox", $NULL, $NULL, 0)

    # Get Exchange properties
    $mailboxParams = $user.GetMailParameters()

    If ("%param-permission%" -eq "Full Access"){
        $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
        if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
        Else {
            foreach ($object in $fullAccess) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN")
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
    ElseIf ("%param-permission%" -eq "Send As"){
        $sendAs = $mailboxParams.SendAs
        if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
        Else {
            foreach ($object in $sendAs) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN") 
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
    Else {
        $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
        if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
        Else {
            foreach ($object in $sendOnBehalfOf) {
                If ($object.DisplayName -ne "self"){
                    # Add item to report 
                    $userDN = $object.SearchResult.AdsPath.DN
                    $item = $Context.BindToObjectByDN("$userDN") 
                    $Context.Items.Add($item, $columnValues)
                }
            }
        }
    }
}

Also created one for running on an OU/Domain too (might take a while)

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")


# Search filter
$filterUsers = "(sAMAccountType=805306368)"
$Context.DirectorySearcher.AppendFilter($filterUsers)

# Reference Custom report collumns
$column_mailbox = "{b4ee813c-2ae8-4a62-9fc8-2a0cf1bf909b}" #Collumn ID of Mailbox custom objectID collumn
$column_permission = "{d5ae6fbf-3ce6-4ab1-8ada-dce2c64fa8a4}" #Collumn ID of Mailbox custom objectID collumn

# Add properties necessary to generate the report
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("distinguishedname")

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        $MailboxDN = $searchResult.GetPropertyByName("distinguishedname").Values[0]

        # Bind to the mailbox
        $user = $admService.OpenObject("Adaxes://$mailboxDN", $NULL, $NULL, 0)

        # Get Exchange properties
        $mailboxParams = $user.GetMailParameters()

        $columnValues = @{
            $column_mailbox = $MailboxDN;
            $column_permission = "%param-permission%";}
        #$Context.Items.Add($searchResult, $columnValues, $NULL)

        If ("%param-permission%" -eq "Full Access"){
            $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
            if ($fullAccess.Length -eq 0) {$Context.LogMessage("No 'Full Access' rights on mailbox", "Information")}
            Else {
                foreach ($object in $fullAccess) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN")
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
        ElseIf ("%param-permission%" -eq "Send As"){
            $sendAs = $mailboxParams.SendAs
            if ($sendAs.Length -eq 0) {$Context.LogMessage("No 'Send as' rights on mailbox", "Information")}
            Else {
                foreach ($object in $sendAs) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN") 
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
        Else {
            $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
            if ($sendOnBehalfOf.Length -eq 0) {$Context.LogMessage("No 'Send On Behalf Of' rights on mailbox", "Information")}
            Else {
                foreach ($object in $sendOnBehalfOf) {
                    If ($object.DisplayName -ne "self"){
                        # Add item to report 
                        $userDN = $object.SearchResult.AdsPath.DN
                        $item = $Context.BindToObjectByDN("$userDN") 
                        $Context.Items.Add($item, $columnValues)
                    }
                }
            }
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
by (260 points)

1 Answer

0 votes
by (289k points)

Hello Richard,

The scripts will not work properly as Send As and Send on Behalf permissions are retrieved as collections, not as arrays. We update the scripts accordingly.

Script 1

$permissionParameterValue = "%param-permission%"

# Reference Custom report collumns
$column_mailbox = "{b12566fb-25a3-41d1-96fe-db944a2f6c7d}" #Collumn ID of Mailbox custom objectID collumn
$column_permission = "{577c8156-b6ef-4e07-a931-ceddea75bf2c}" #Collumn ID of Mailbox custom objectID collumn

# Split out multiple mailboxes
$mailboxDNs = "%param-Mailbox%".Split(";")

foreach ($mailboxDN in $mailboxDNs) 
{
    # Create hash table and specify column value
    $columnValues = @{ }
    $columnValues.Add($column_mailbox, $mailboxDN)
    $columnValues.Add($column_permission, $permissionParameterValue)

    # Get Exchange properties
    $user = $Context.BindToObjectByDNEx($mailboxDN, $True)
    $mailboxParams = $user.GetMailParameters()

    $objectFound = 0
    if ($permissionParameterValue -eq "Full Access")
    {
        $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
        foreach ($object in $fullAccess) 
        {
            if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            # Add item to report
            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }
    elseif ($permissionParameterValue -eq "Send As")
    {
        $sendAs = $mailboxParams.SendAs
        for ($i = 0; $i -lt $sendAs.Count; $i++)
        {
            $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }
    else
    {
        $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
        for ($i = 0; $i -lt $sendOnBehalfOf.Count; $i++)
        {
            $object = $sendOnBehalfOf.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $Context.Items.Add($object.SearchResult, $columnValues)
            $objectFound++
        }
    }

    if ($objectFound -eq 0) 
    {
        $Context.Items.Add(-1, "No '$permissionParameterValue' rights on mailbox", "Information", $columnValues)
        continue
    }
}

Script 2

$permissionParameterValue = "%param-permission%"

# Reference Custom report collumns
$column_mailbox = "{b12566fb-25a3-41d1-96fe-db944a2f6c7d}" #Collumn ID of Mailbox custom objectID collumn
$column_permission = "{577c8156-b6ef-4e07-a931-ceddea75bf2c}" #Collumn ID of Mailbox custom objectID collumn

$Context.DirectorySearcher.AppendFilter("(&(sAMAccountType=805306368)(msExchRecipientTypeDetails=1))")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("distinguishedname")
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $mailboxDN = $searchResult.GetPropertyByName("distinguishedname").Values[0]

        # Create hash table and specify column value
        $columnValues = @{ }
        $columnValues.Add($column_mailbox, $mailboxDN)
        $columnValues.Add($column_permission, $permissionParameterValue)

        # Get Exchange properties
        $user = $Context.BindToObjectBySearchResultEx($searchResult, $True)
        $mailboxParams = $user.GetMailParameters()

        $objectFound = 0
        if ($permissionParameterValue -eq "Full Access")
        {
            $fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
            foreach ($object in $fullAccess) 
            {
                if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                # Add item to report
                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }
        elseif ($permissionParameterValue -eq "Send As")
        {
            $sendAs = $mailboxParams.SendAs
            for ($i = 0; $i -lt $sendAs.Count; $i++)
            {
                $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
                if (!([System.String]::IsNullOrEmpty($object.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($object.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }
        else
        {
            $sendOnBehalfOf = $mailboxParams.GrantSendOnBehalfTo
            for ($i = 0; $i -lt $sendOnBehalfOf.Count; $i++)
            {
                $object = $sendOnBehalfOf.GetItem($i, [ref]"ADS_PROPERTY_NONE")
                if ($NULL -eq $object.SearchResult)
                {
                    continue
                }

                $Context.Items.Add($object.SearchResult, $columnValues)
                $objectFound++
            }
        }

        if ($objectFound -eq 0) 
        {
            $Context.Items.Add(-1, "No '$permissionParameterValue' rights on mailbox", "Information", $columnValues)
            continue
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}

Related questions

0 votes
1 answer
User Provisioning: is there a way to show only the job titles based on the selected department?

During the creation of a new user I want to be able to select the job title from a drop-down list which populates different values based on which Department is selected. Is there a way to achieve this? Thanks. Dario.

asked Oct 2, 2020 by winstonsmith (40 points)
0 votes
1 answer
Is there a report to show who has access in Adaxes?

Is there a report that would show the Adaxes websites and who has access to them?

asked Feb 16 by lavonnabalo (40 points)
0 votes
1 answer
Create a report about a user and the number of mailboxes with Full Access permission.

Hallo Everyone I've seen the Report for Exchange Mailboxes with OU, Send on Behalf, Full Rights and Send As Rights: https://www.adaxes.com/questions/ ... . Example: User: Peter.Steinmann Identity: Which Mailboxes AccessRights: FullAccess Kind regards,

asked Jul 6, 2022 by Sandberg94 (340 points)
0 votes
1 answer
Is there a report that will show users recently moved (in the last 7 days) to one of four different OUs in AD?

We have four OUs in Active Directory (Pending Deletion, Disabled with Mail Delegates, Disabled with HR Extensions and Disabled_Temp_Leave) that users are moved to prior to their eventual ... past 7 days have been moved to one of 4 of these OUs. Thanks!

asked Jun 3, 2021 by RayBilyk (240 points)
0 votes
1 answer
How to I delegate Send As permission and Full Access permission to a defined user during Deprovision?

Using the built in 'Deprovision' Custom Command, I would like the person that is trying to Deprovision a user (Help Desk member) be asked who (from a list of existing active ... to leave the question 'blank', which means that no one gets access to the mailbox.

asked Apr 22, 2020 by RayBilyk (240 points)
3,552 questions
3,242 answers
8,243 comments
547,828 users