The script removes all the trustees from the Full Access list of a mailbox. You can use the script in the Run a program or PowerShell script action in business rules, scheduled tasks and custom commands.
Parameter:
- $trusteeDNsToSkip - Specifies distinguished names (DNs) of the trustees that should not be removed from the Full Access list if present.
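# Removes Full Access from every trustee of the target mailbox except the
# trustees listed in $trusteeDNsToSkip.
# Globals read: $Context (Adaxes script context; $Context.TargetObject is the mailbox owner).
$trusteeDNsToSkip = @("CN=MyGroup,OU=Groups,DC=domain,DC=com", "CN=John Smith,OU=Users,DC=domain,DC=com") # TODO: modify me

# Resolve the skip list to SID strings up front: the Full Access entries below
# are compared by SID (ObjectSid), not by DN.
$sidsToSkip = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($dn in $trusteeDNsToSkip)
{
    # A DN that cannot be bound fails here, before any permission is removed,
    # so a typo in the skip list does not silently widen the removal.
    $object = $Context.BindToObjectByDN($dn)
    $sidBytes = $object.Get("objectSID")
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    # HashSet.Add returns a Boolean; cast to void so it is not emitted as script output.
    [void]$sidsToSkip.Add($sid.Value)
}

# Get Exchange properties of the mailbox
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Enumerate trustees currently granted Full Access
$mailboxRights = $mailboxParams.MailboxRights
$fullAccess = $mailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
foreach ($objReference in $fullAccess)
{
    $sid = $objReference.ObjectSid
    # An entry without a SID cannot be matched against the skip list; leave it untouched.
    if ([System.String]::IsNullOrEmpty($sid))
    {
        continue
    }
    if ($sidsToSkip.Contains($sid))
    {
        continue
    }

    # AllowedRights names only Full Access, so the removal request is scoped to that right.
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference
    $mailboxRights.RemovePermission($permission)
}

# Changes above are in-memory only; write the modified permission set back to the mailbox.
$mailboxParams.MailboxRights = $mailboxRights
$Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")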