The script grants Full Access and Send As permissions to members of the target group over a specific mailbox. It also revokes those permissions from any existing trustee that is not a member of the group (well-known security principals are left untouched), so the group becomes the sole source of these rights on the mailbox. The script can be executed in a business rule, custom command or scheduled task configured for the Group object type.
Parameters:
- $mailboxDN - Specifies the distinguished name (DN) of the mailbox to grant permissions over. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject/.
- $onlyDirectMembers - Specifies whether to grant permissions only to direct members of the target group. If set to $False, the permissions will also be granted to all members of all nested groups.
PowerShell
# Distinguished name of the mailbox whose Full Access / Send As trustees are managed.
[string]$mailboxDN = 'CN=Mailbox,OU=Mailboxes,DC=Example,DC=com' # TODO: modify me
# $True: only direct group members receive the rights; $False: members of nested groups too.
[bool]$onlyDirectMembers = $True # TODO: modify me
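function ModifySendAsPermission($objectReference, $operation, $sendAs)
{
    # Queues an add or a remove of one Send As trustee on the mailbox's SendAs collection.
    #   $objectReference - AdmObjectReference of the trustee (identified by its ObjectSid).
    #   $operation       - "Add" or "Remove".
    #   $sendAs          - the mailbox's SendAs collection; it is mutated in place and the
    #                      caller persists it later with SetMailParameters.
    # An unrecognized operation throws instead of being silently ignored, so a typo in a
    # caller cannot leave a trustee's permission in an unexpected state.
    switch ($operation)
    {
        "Add"
        {
            $sendAs.Add("ADS_PROPERTY_APPEND", $objectReference)
        }
        "Remove"
        {
            $sendAs.Remove($objectReference)
        }
        default
        {
            throw "ModifySendAsPermission: unsupported operation '$operation' (expected 'Add' or 'Remove')"
        }
    }
}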
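function ModifyFullAccessPermission($objectReference, $operation, $mailboxRights)
{
    # Queues an add or a remove of the Full Access right for one trustee on the mailbox's
    # MailboxRights collection.
    #   $objectReference - AdmObjectReference of the trustee (identified by its ObjectSid).
    #   $operation       - "Add" or "Remove".
    #   $mailboxRights   - the mailbox's MailboxRights collection; the modification is only
    #                      queued here and the caller persists it with SetMailParameters.
    # An unrecognized operation throws before anything is queued, rather than queuing a
    # modification with no Operation set.
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objectReference

    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Permission = $permission
    switch ($operation)
    {
        "Add"
        {
            $permissionModification.Operation = "ADS_PROPERTY_APPEND"
        }
        "Remove"
        {
            $permissionModification.Operation = "ADS_PROPERTY_DELETE"
        }
        default
        {
            throw "ModifyFullAccessPermission: unsupported operation '$operation' (expected 'Add' or 'Remove')"
        }
    }
    $mailboxRights.AddModification($permissionModification)
}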
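# Bind to the mailbox and read its Exchange parameters (the SendAs and MailboxRights collections).
$mailbox = $Context.BindToObjectByDNEx($mailboxDN, $True)
$mailboxParams = $mailbox.GetMailParameters()

# Snapshot the current Send As trustees keyed by SID so they can be reconciled against the group.
# Entries with no ObjectSid are queued for removal; well-known security principals are skipped
# entirely, i.e. never added to the reconcile map and therefore never revoked by this script.
$sendAs = $mailboxParams.SendAs
$sendAsTrustees = @{}
for ($i = $sendAs.Count - 1; $i -ge 0; $i--)
{
    $objectReference = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    if ([System.String]::IsNullOrEmpty($objectReference.ObjectSid))
    {
        ModifySendAsPermission $objectReference "Remove" $sendAs
        continue
    }
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($objectReference.ObjectSid))
    {
        continue
    }
    # Index assignment rather than .Add() so a duplicated trustee entry cannot abort the run.
    $sendAsTrustees[$objectReference.ObjectSid] = $objectReference
}

# Same snapshot for Full Access trustees.
$mailboxRights = $mailboxParams.MailboxRights
$objectReferences = $mailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
$fullAccessTrustees = @{}
foreach ($objectReference in $objectReferences)
{
    if ([System.String]::IsNullOrEmpty($objectReference.ObjectSid))
    {
        ModifyFullAccessPermission $objectReference "Remove" $mailboxRights
        continue
    }
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($objectReference.ObjectSid))
    {
        continue
    }
    $fullAccessTrustees[$objectReference.ObjectSid] = $objectReference
}

# "adm-DirectMembersGuid" lists only direct members; "adm-MembersGuid" also expands nested groups.
if ($onlyDirectMembers)
{
    $membersProperty = "adm-DirectMembersGuid"
}
else
{
    $membersProperty = "adm-MembersGuid"
}

# Read the member GUIDs. GetEx presumably throws when the attribute has no values (an empty
# group); that is treated as "no members", which means every remaining trustee in the
# reconcile maps is revoked below.
try
{
    $memberGuidsBytes = $Context.TargetObject.GetEx($membersProperty)
}
catch
{
    $memberGuidsBytes = @()
}

# Reconcile: each user member either already holds the right (keep it, drop it from the
# revoke map) or gets it queued for addition.
foreach ($memberGuidBytes in $memberGuidsBytes)
{
    $guid = [Guid]$memberGuidBytes
    $member = $Context.BindToObject("Adaxes://<GUID=$guid>")
    # Only user objects become trustees; members of any other class are skipped, not granted.
    if ($member.Class -ne "user")
    {
        continue
    }

    $sidBytes = $member.Get("objectSid")
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    $sidString = $sid.Value
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sidString

    if ($sendAsTrustees.ContainsKey($sidString))
    {
        $sendAsTrustees.Remove($sidString)
    }
    else
    {
        ModifySendAsPermission $objReference "Add" $sendAs
    }

    if ($fullAccessTrustees.ContainsKey($sidString))
    {
        $fullAccessTrustees.Remove($sidString)
    }
    else
    {
        ModifyFullAccessPermission $objReference "Add" $mailboxRights
    }
}

# Whatever is left in the maps is held by someone who is not a (user) member of the group: revoke.
foreach ($sid in $sendAsTrustees.Keys)
{
    ModifySendAsPermission $sendAsTrustees[$sid] "Remove" $sendAs
}
foreach ($sid in $fullAccessTrustees.Keys)
{
    ModifyFullAccessPermission $fullAccessTrustees[$sid] "Remove" $mailboxRights
}

# Persist all queued changes in one write; failure is logged as a warning rather than aborting.
$mailboxParams.SendAs = $sendAs
$mailboxParams.MailboxRights = $mailboxRights
try
{
    $mailbox.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}
catch
{
    $Context.LogMessage($_.Exception.Message, "Warning")
}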
The version of the script below explicitly sets auto-mapping for all delegates that are granted the permissions, as controlled by the $autoMappingEnabled parameter.
PowerShell
# Distinguished name of the mailbox whose Full Access / Send As trustees are managed.
[string]$mailboxDN = 'CN=Mailbox,OU=Mailboxes,DC=Example,DC=com' # TODO: modify me
# $True: only direct group members receive the rights; $False: members of nested groups too.
[bool]$onlyDirectMembers = $True # TODO: modify me
# Auto-mapping state applied to every delegate holding Full Access through this script.
[bool]$autoMappingEnabled = $False # TODO: modify me
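function ModifySendAsPermission($objectReference, $operation, $sendAs)
{
    # Queues an add or a remove of one Send As trustee on the mailbox's SendAs collection.
    #   $objectReference - AdmObjectReference of the trustee (identified by its ObjectSid).
    #   $operation       - "Add" or "Remove".
    #   $sendAs          - the mailbox's SendAs collection; it is mutated in place and the
    #                      caller persists it later with SetMailParameters.
    # An unrecognized operation throws instead of being silently ignored, so a typo in a
    # caller cannot leave a trustee's permission in an unexpected state.
    switch ($operation)
    {
        "Add"
        {
            $sendAs.Add("ADS_PROPERTY_APPEND", $objectReference)
        }
        "Remove"
        {
            $sendAs.Remove($objectReference)
        }
        default
        {
            throw "ModifySendAsPermission: unsupported operation '$operation' (expected 'Add' or 'Remove')"
        }
    }
}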
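function ModifyFullAccessPermission($objectReference, $operation, $mailboxRights, $autoMappingEnabled)
{
    # Queues an add or a remove of the Full Access right for one trustee on the mailbox's
    # MailboxRights collection and, on "Add", sets the trustee's auto-mapping state.
    #   $objectReference    - AdmObjectReference of the trustee (identified by its ObjectSid).
    #   $operation          - "Add" or "Remove".
    #   $mailboxRights      - the mailbox's MailboxRights collection; the modification is only
    #                         queued here and the caller persists it with SetMailParameters.
    #   $autoMappingEnabled - boolean auto-mapping state applied on "Add"; ignored on "Remove"
    #                         (callers pass $NULL there).
    # Fix: the auto-mapping call previously referenced $objReference, a variable that does not
    # exist in this function and only resolved through the caller's scope; it now uses the
    # $objectReference parameter, so the function no longer depends on who calls it.
    # An unrecognized operation throws before anything is queued.
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objectReference

    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Permission = $permission
    switch ($operation)
    {
        "Add"
        {
            $permissionModification.Operation = "ADS_PROPERTY_APPEND"
            $mailboxRights.SetAutoMappingFor($objectReference, $autoMappingEnabled)
        }
        "Remove"
        {
            $permissionModification.Operation = "ADS_PROPERTY_DELETE"
        }
        default
        {
            throw "ModifyFullAccessPermission: unsupported operation '$operation' (expected 'Add' or 'Remove')"
        }
    }
    $mailboxRights.AddModification($permissionModification)
}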
# Maps the boolean $autoMappingEnabled switch to the auto-mapping state name that
# GetAutoMappingFor reports, so the two can be compared directly.
$autoMapping = @{}
$autoMapping[$True] = "ADM_EXCHANGE_AUTOMAPINGSTATE_ENABLED"
$autoMapping[$False] = "ADM_EXCHANGE_AUTOMAPINGSTATE_DISABLED"
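# Bind to the mailbox and read its Exchange parameters (the SendAs and MailboxRights collections).
# If they cannot be read the script logs the reason and stops; in a business rule `return` at
# top level ends the script without applying anything.
$mailbox = $Context.BindToObjectByDNEx($mailboxDN, $True)
try
{
    $mailboxParams = $mailbox.GetMailParameters("ADM_GET_EXCHANGE_PARAMS_FLAGS_NONE")
}
catch
{
    # Include the underlying error: a permission or connectivity failure would otherwise be
    # indistinguishable from a genuinely missing mailbox.
    $Context.LogMessage("Mailbox does not exist or its parameters cannot be read: $($_.Exception.Message)", "Warning")
    return
}

# Snapshot the current Send As trustees keyed by SID so they can be reconciled against the group.
# Entries with no ObjectSid are queued for removal; well-known security principals are skipped
# entirely, i.e. never added to the reconcile map and therefore never revoked by this script.
$sendAs = $mailboxParams.SendAs
$sendAsTrustees = @{}
for ($i = $sendAs.Count - 1; $i -ge 0; $i--)
{
    $objectReference = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    if ([System.String]::IsNullOrEmpty($objectReference.ObjectSid))
    {
        ModifySendAsPermission $objectReference "Remove" $sendAs
        continue
    }
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($objectReference.ObjectSid))
    {
        continue
    }
    # Index assignment rather than .Add() so a duplicated trustee entry cannot abort the run.
    $sendAsTrustees[$objectReference.ObjectSid] = $objectReference
}

# Same snapshot for Full Access trustees.
$mailboxRights = $mailboxParams.MailboxRights
$objectReferences = $mailboxRights.GetTrusteesGrantedRights(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
$fullAccessTrustees = @{}
foreach ($objectReference in $objectReferences)
{
    if ([System.String]::IsNullOrEmpty($objectReference.ObjectSid))
    {
        ModifyFullAccessPermission $objectReference "Remove" $mailboxRights $NULL
        continue
    }
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($objectReference.ObjectSid))
    {
        continue
    }
    $fullAccessTrustees[$objectReference.ObjectSid] = $objectReference
}

# "adm-DirectMembersGuid" lists only direct members; "adm-MembersGuid" also expands nested groups.
if ($onlyDirectMembers)
{
    $membersProperty = "adm-DirectMembersGuid"
}
else
{
    $membersProperty = "adm-MembersGuid"
}

# Read the member GUIDs. GetEx presumably throws when the attribute has no values (an empty
# group); that is treated as "no members", which means every remaining trustee in the
# reconcile maps is revoked below.
try
{
    $memberGuidsBytes = $Context.TargetObject.GetEx($membersProperty)
}
catch
{
    $memberGuidsBytes = @()
}

# Reconcile: each user member either already holds the right (keep it, drop it from the
# revoke map, and align its auto-mapping state) or gets it queued for addition.
foreach ($memberGuidBytes in $memberGuidsBytes)
{
    $guid = [Guid]$memberGuidBytes
    $member = $Context.BindToObject("Adaxes://<GUID=$guid>")
    # Only user objects become trustees; members of any other class are skipped, not granted.
    if ($member.Class -ne "user")
    {
        continue
    }

    $sidBytes = $member.Get("objectSid")
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    $sidString = $sid.Value
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectSid = $sidString

    if ($sendAsTrustees.ContainsKey($sidString))
    {
        $sendAsTrustees.Remove($sidString)
    }
    else
    {
        ModifySendAsPermission $objReference "Add" $sendAs
    }

    if ($fullAccessTrustees.ContainsKey($sidString))
    {
        $fullAccessTrustees.Remove($sidString)
        # Existing delegate: only the auto-mapping state may need to change. The state is
        # queried here, where it is used, rather than for every member.
        $objReferenceAutoMapping = $mailboxRights.GetAutoMappingFor($objReference)
        if ($objReferenceAutoMapping -ne $autoMapping[$autoMappingEnabled])
        {
            $mailboxRights.SetAutoMappingFor($objReference, $autoMappingEnabled)
        }
    }
    else
    {
        # New delegate: the right and its auto-mapping state are queued together.
        ModifyFullAccessPermission $objReference "Add" $mailboxRights $autoMappingEnabled
    }
}

# Whatever is left in the maps is held by someone who is not a (user) member of the group: revoke.
foreach ($sid in $sendAsTrustees.Keys)
{
    ModifySendAsPermission $sendAsTrustees[$sid] "Remove" $sendAs
}
foreach ($sid in $fullAccessTrustees.Keys)
{
    ModifyFullAccessPermission $fullAccessTrustees[$sid] "Remove" $mailboxRights $NULL
}

# Persist all queued changes in one write; failure is logged as a warning rather than aborting.
$mailboxParams.SendAs = $sendAs
$mailboxParams.MailboxRights = $mailboxRights
try
{
    $mailbox.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}
catch
{
    $Context.LogMessage($_.Exception.Message, "Warning")
}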