To grant a user full access to another mailbox for a limited time, combine an Adaxes business rule with a scheduled task:
- Create a business rule triggered After Updating a User that executes Script 1. The script grants the user full access to the mailbox and stores a record on the mailbox owner's account specifying when the permission must be revoked.
- Create a scheduled task that runs Script 2 periodically against mailbox-enabled users. It revokes full mailbox access from every user whose record has expired. The task's run interval bounds how long access can outlive the requested duration, so schedule it accordingly.
Note that any account able to write the mailbox DN and duration attributes on a user (see the parameters of Script 1) can thereby grant that user full access to the mailbox, so restrict write permission on those attributes to the people who are allowed to approve temporary access.
Script 1: Grant full mailbox access
This script can be used in a business rule that grants full mailbox access to the user.
Parameters
- $userListProperty - Specifies the LDAP name of the property that stores a list of users with temporary full mailbox access and the times when to revoke the permission.
- $mailboxDNProperty - Specifies the LDAP name of the property that stores the distinguished name of the mailbox.
- $durationInHoursProperty - Specifies the LDAP name of the property that stores the duration of full mailbox access (in hours).
PowerShell
$userListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
$mailboxDNProperty = "assistant" # TODO: modify me
$durationInHoursProperty = "adm-CustomAttributeInt1" # TODO: modify me

# Both scripts must format and parse the expiry date identically, so the
# format is pinned to the invariant culture rather than the server's locale.
$recordDateFormat = "MM/dd/yyyy hh mm tt"
$culture = [System.Globalization.CultureInfo]::InvariantCulture

# Clears a request attribute on the target user so it does not linger
# (and cannot be replayed) after the access has been granted.
function ClearProperties($propertyName)
{
    $Context.TargetObject.Put($propertyName, $NULL)
    $Context.TargetObject.SetInfoEx(@($propertyName))
}

# Get duration
try
{
    $durationInHours = $Context.TargetObject.Get($durationInHoursProperty)
}
catch
{
    $Context.LogMessage("Duration not specified", "Warning")
    return
}
ClearProperties $durationInHoursProperty

# Get mailbox DN
try
{
    $mailboxDN = $Context.TargetObject.Get($mailboxDNProperty)
}
catch
{
    $Context.LogMessage("Mailbox not specified", "Warning")
    return
}
ClearProperties $mailboxDNProperty

# Get user SID
$sidBytes = $Context.TargetObject.Get("objectSID")
$userSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
$userSidValue = $userSid.Value

# Build user record: "<expiry date> SID=<user SID>"
$endDate = [System.DateTime]::Now.AddHours($durationInHours)
$userRecord = $endDate.ToString($recordDateFormat, $culture) + " SID=$userSidValue"

# Get the records already stored on the mailbox
$mailbox = $Context.BindToObjectByDN($mailboxDN)
try
{
    $records = $mailbox.GetEx($userListProperty)
}
catch
{
    $records = @()
}

# Check if the user already has temporary access to the mailbox
$addNewRecord = $True
for ($i = 0; $i -lt $records.Length; $i++)
{
    $sid = ($records[$i] | Select-String -Pattern "(?<=SID=).+").Matches[0].Value
    if ($sid -ne $userSidValue)
    {
        continue
    }
    # The user already has access to this mailbox: only update the expiry date
    $records[$i] = $userRecord
    $addNewRecord = $False
    break
}

if ($addNewRecord)
{
    # Add information on when to remove access to the mailbox
    $records += $userRecord

    # Add the Full Access permission for the user.
    # %distinguishedName% is an Adaxes value reference resolved to the DN of
    # the user the business rule is running for.
    $mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectDN = "%distinguishedName%"
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference
    $permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Operation = "ADS_PROPERTY_APPEND"
    $permissionModification.Permission = $permission
    $mailboxRights = $mailboxParams.MailboxRights
    $mailboxRights.AddModification($permissionModification)
    $mailboxParams.MailboxRights = $mailboxRights

    # Save the changes
    $mailbox.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}

# Update the list of users with temporary full access
$mailbox.PutEx("ADS_PROPERTY_UPDATE", $userListProperty, $records)
$mailbox.SetInfo()
Script 2: Revoke full mailbox access
This script can be used in a scheduled task that revokes full mailbox access from users when their temporary permissions expire.
Parameters
- $userListProperty - Specifies the LDAP name of the property that stores a list of users with temporary full mailbox access and the times when to revoke the permission. It must be the same as $userListProperty in Script 1.
PowerShell
$userListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me

# Must match the date format and culture used in Script 1
$recordDateFormat = "MM/dd/yyyy hh mm tt"
$culture = [System.Globalization.CultureInfo]::InvariantCulture

# Get mailbox records
try
{
    $records = $Context.TargetObject.GetEx($userListProperty)
}
catch
{
    return # No records
}

$currentDate = [DateTime]::Now
$sidsToRemove = New-Object "System.Collections.Generic.HashSet[System.String]"
for ($i = 0; $i -lt $records.Length; $i++)
{
    # Get the user's SID and the date when to remove the Full Access permission
    $sid = ($records[$i] | Select-String -Pattern "(?<=SID=).+").Matches[0].Value
    $dateText = ($records[$i] | Select-String -Pattern "\d{2}\/\d{2}\/\d{4}\s\d{2}\s\d{2}\s.{2}").Matches[0].Value
    $date = [DateTime]::ParseExact($dateText, $recordDateFormat, $culture)
    if ($date -le $currentDate)
    {
        [void]$sidsToRemove.Add($sid)
        $records[$i] = $NULL
    }
}

if ($sidsToRemove.Count -ne 0)
{
    # Get Exchange properties
    $mailboxParams = $Context.TargetObject.GetMailParameters()

    # Remove permissions
    $mailboxRights = $mailboxParams.MailboxRights
    foreach ($sid in $sidsToRemove)
    {
        $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
        $objReference.ObjectSid = $sid
        $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
        $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
        $permission.Trustee = $objReference
        $mailboxRights.RemovePermission($permission)
    }
    $mailboxParams.MailboxRights = $mailboxRights
    $Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")

    # Update the list of users with temporary full access, dropping the expired records
    [System.String[]]$records = @($records | ?{$_})
    if ($records.Length -eq 0)
    {
        # Nothing left: clear the attribute instead of writing an empty list
        $Context.TargetObject.PutEx("ADS_PROPERTY_CLEAR", $userListProperty, $NULL)
    }
    else
    {
        $Context.TargetObject.PutEx("ADS_PROPERTY_UPDATE", $userListProperty, $records)
    }
    $Context.TargetObject.SetInfo()
}
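The two scripts only work together if Script 2 can parse exactly what Script 1 stored, and that record format is the one thing you can check without an Adaxes service. The following is an added example, not code from the Adaxes script repository: it exercises the same "<expiry date> SID=<SID>" record shape in plain PowerShell and shows the locale pitfall that motivates pinning the culture. The function names (New-AccessRecord, Get-RecordSid, Get-RecordEndDate, Get-ExpiredSids) and the SIDs are constructed for this example.

```powershell
# Added example, not part of the Adaxes scripts above. Runs in plain PowerShell, no Adaxes needed.
$recordDateFormat = "MM/dd/yyyy hh mm tt"
$culture = [System.Globalization.CultureInfo]::InvariantCulture

function New-AccessRecord([DateTime]$endDate, [string]$sid)
{
    # Same shape as $userRecord in Script 1: "<expiry> SID=<SID>"
    return $endDate.ToString($recordDateFormat, $culture) + " SID=$sid"
}

function Get-RecordSid([string]$record)
{
    return ([regex]"(?<=SID=).+").Match($record).Value
}

function Get-RecordEndDate([string]$record)
{
    # Same pattern Script 2 uses to locate the date inside the record
    $m = ([regex]"\d{2}/\d{2}/\d{4}\s\d{2}\s\d{2}\s.{2}").Match($record)
    if (-not $m.Success) { throw "Malformed record: $record" }
    return [DateTime]::ParseExact($m.Value, $recordDateFormat, $culture)
}

# Returns the SIDs whose access has expired as of $now (the selection Script 2 makes)
function Get-ExpiredSids([string[]]$records, [DateTime]$now)
{
    return @($records |
        Where-Object { (Get-RecordEndDate $_) -le $now } |
        ForEach-Object { Get-RecordSid $_ })
}

# Constructed sample data (hypothetical SIDs): one record expired an hour ago,
# one still valid for four more hours.
$now = [DateTime]"2024-05-01T09:00:00"
$records = @(
    (New-AccessRecord $now.AddHours(-1) "S-1-5-21-1-2-3-1001"),
    (New-AccessRecord $now.AddHours(4)  "S-1-5-21-1-2-3-1002")
)
$records
Get-ExpiredSids $records $now

# Why the culture is pinned: formatted with a locale other than the invariant one, the "/"
# in the format string is replaced by that locale's date separator ("." for de-DE), so the
# regex above, which expects "/", would never match what Script 1 stored.
$de = [System.Globalization.CultureInfo]::GetCultureInfo("de-DE")
$now.ToString($recordDateFormat, $de)
```

Run as written, Get-ExpiredSids returns only the first SID, and the last line prints the same timestamp with "." separators, which is the value Script 2's pattern would fail to find if the two scripts ever ran under different cultures. Keeping the parse on the invariant culture in both scripts removes that dependency on the Adaxes service account's regional settings.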