The script checks whether Full Access permissions on a mailbox are being modified. To use it, add the "If PowerShell script returns true" condition to a business rule that triggers Before or After modifying a user, or Before or After modifying Exchange properties of a user.
PowerShell
# Business rule condition: sets $Context.ConditionIsMet to $True when the
# operation being processed changes Full Access permissions on the mailbox.
#
# The result starts out as $False and is only raised further down.
# NOTE(review): if the script stops on an error before reaching the end, the
# value stays $False. Where this condition gates an approval or alert for
# Full Access changes, confirm how the host treats script errors.
$Context.ConditionIsMet = $False

# Mailbox settings carried by the operation that triggered the rule.
$requestedParams = $Context.Action.MailParameters
if (-not $requestedParams.MailboxRightsModificationEnabled)
{
    # The operation does not touch mailbox rights at all.
    return
}

# Path 1: the operation carries an explicit list of permission modifications.
$pendingChanges = $requestedParams.MailboxRights.GetModifications()
if ($pendingChanges.Length -ne 0)
{
    $fullAccessBit = [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS

    foreach ($change in $pendingChanges)
    {
        $entry = $change.Permission

        # Full Access counts as "modified" if the bit appears in any of the
        # four masks: allowed or denied, direct or inherited.
        $touchesFullAccess = ($entry.AllowedRights -band $fullAccessBit) -or
            ($entry.InheritedAllowedRights -band $fullAccessBit) -or
            ($entry.DeniedRights -band $fullAccessBit) -or
            ($entry.InheritedDeniedRights -band $fullAccessBit)

        if ($touchesFullAccess)
        {
            $Context.ConditionIsMet = $True
            return
        }
    }

    # Modifications exist, but none of them mentions Full Access.
    return
}

# Path 2: no modification list is available, so compare the trustees that
# currently hold Full Access with the trustees in the requested settings.
# NOTE(review): only GetTrusteesGrantedRights is compared here, so a change
# that affects nothing but Deny entries for Full Access would presumably not
# be detected on this path - verify.
$currentParams = $Context.TargetObject.GetMailParameters()

$currentTrustees = New-Object "System.Collections.Generic.HashSet[System.Object]"
$requestedTrustees = New-Object "System.Collections.Generic.HashSet[System.Object]"

$currentParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS") |
    ForEach-Object { [void]$currentTrustees.Add($_) }
$requestedParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS") |
    ForEach-Object { [void]$requestedTrustees.Add($_) }

# NOTE(review): SetEquals uses Equals/GetHashCode of the returned trustee
# objects. Confirm they compare by value; with reference equality the two
# sets would differ whenever either one is non-empty.
$sameTrustees = $currentTrustees.SetEquals($requestedTrustees)
$Context.ConditionIsMet = -not $sameTrustees