The script creates an HTML-formatted report on all Adaxes security roles and sends it by e-mail. The script should be executed in Windows PowerShell on the computer where Adaxes service runs.
Parameters:
- $to - Specifies email addresses of recipients of the report.
- $from - Specifies the e-mail address from which the message will be sent.
- $smtpServer - Specifies the SMTP server to use when sending a notification.
- $subject - Specifies the subject of the email message with the report.
- $reportHeader - Specifies the report header.
- $reportFooter - Specifies the report footer.
PowerShell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
# Email message settings
$to = "recipient@domain.com" # TODO: modify me
$from = "noreply@domain.com" # TODO: modify me
$smtpServer = "mail.domain.com" # TODO: modify me
$subject = "Security Roles Report" # TODO: modify me
$reportHeader = "<h2><b>Security Roles Report</b></h2>
<table border='1'>
<tr>
<th>Name</th>
<th>Description</th>
<th>Assignments</th>
<th>Permissions</th>
</tr>" # TODO: modify me
$reportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me
# Function to resolve trustee names
function GetTrusteeName($trustee)
{
if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee))
{
$wellknownPrincipal = [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::GetInfo($trustee)
return $wellknownPrincipal.DisplayName
}
if ([Softerra.Adaxes.Adsi.Sid]::PrimaryOwnerSid -eq $trustee)
{
return "Owner (ManagedBy)"
}
elseif ([Softerra.Adaxes.Adsi.Sid]::ManagerSid -eq $trustee)
{
return "Manager"
}
elseif ([Softerra.Adaxes.Adsi.Sid]::SecretarySid -eq $trustee)
{
return "Secretary"
}
elseif ([Softerra.Adaxes.Adsi.Sid]::AssistantSid -eq $trustee)
{
return "Assistant"
}
# Get object name
$objectSid = New-Object "Softerra.Adaxes.Adsi.Sid" $trustee
try
{
$object = $global:admService.OpenObject("Adaxes://<SID=$objectSid>", $NULL, $NULL, 0)
$objectName = $object.Get("name")
}
catch
{
$objectName = $objectSid.ToString()
}
return $objectName
}
# Function to resolve Custom Command Names (for permissions to launch Custom Commands)
function FindCustomCommandName($commandID, $customCommandHashTable, $customCommandContainerPath)
{
$commandName = $customCommandHashTable[$commandID]
if ($commandName -ne $NULL)
{
return $commandName
}
$guidByte = (New-Object "System.Guid" $commandID).ToByteArray()
$guidHexString = [Softerra.Adaxes.Utils.Transform]::ToRfc2254HexString($guidByte)
$criteria = New-Object Softerra.Adaxes.Directory.Criteria.Criteria
$simpleItem = $criteria.CreateSimple()
[void]$simpleItem.SetProperty("adm-CustomCommandID").SetComparisonOperator("eq").AddValue($commandID)
[void]$criteria.AddType("adm-CustomCommand", $simpleItem)
$searcher = $global:admService.OpenObject($customCommandContainerPath, $NULL, $NULL, 0)
$searcher.PageSize = 500
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.Criteria = $criteria
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
try
{
$searchResult = $searcher.ExecuteSearch()
$result = $searchResult.FetchAll()
if ($result.Count -ne 0)
{
$command = $global:admService.OpenObject($result[0].AdsPath, $NULL, $NULL, 0)
$commandName = $command.Get("name")
$customCommandHashTable.Add($commandID, $commandName) | Out-Null
return $commandName
}
}
finally
{
$searchResult.Dispose()
}
return $NULL
}
# Function to resolve object types (e.g. user, group, OU etc)
function GetObjectType($objectTypeGuid, $customCommandHashTable, $customCommandContainerPath)
{
try
{
$objectType = $global:admService.Schema.Classes.GetObject($objectTypeGuid)
}
catch
{
$objectType = $NULL
}
if ($objectType -ne $NULL)
{
return $objectType.AdminDisplayName
}
try
{
$atributeType = $global:admService.Schema.Properties.GetObject($objectTypeGuid)
}
catch
{
$atributeType = $NULL
}
if ($atributeType -ne $NULL)
{
return $atributeType.AdminDisplayName
}
$extendedRightsGuid = @{"{014bf69c-7b3b-11d1-85f6-08002be74fab}" = "ChangeDomainMaster";
"{cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd}" = "ChangeInfrastructureMaster";
"{bae50096-4752-11d1-9052-00c04fc2d4cf}" = "ChangePdc";
"{d58d5f36-0a98-11d1-adbb-00c04fd8d5cd}" = "ChangeRidMaster";
"{e12b56b6-0a95-11d1-adbb-00c04fd8d5cd}" = "ChangeSchemaMaster";
"{fec364e0-0a98-11d1-adbb-00c04fd8d5cd}" = "DoGarbageCollection";
"{69ae6200-7f46-11d2-b9ad-00c04f79f805}" = "DSCheckStalePhantoms";
"{0bc1554e-0a99-11d1-adbb-00c04fd8d5cd}" = "RecalculateHierarchy";
"{62dd28a8-7f46-11d2-b9ad-00c04f79f805}" = "RecalculateSecurityInheritance";
"{9432c620-033c-4db7-8b58-14ef6d0bf477}" = "RefreshGroupCache";
"{be2bb760-7f46-11d2-b9ad-00c04f79f805}" = "UpdateSchemaCache";
"{00299570-246d-11d0-a768-00aa006e0529}" = "UserForceChangePassword";
"{ab721a53-1e2f-11d0-9819-00aa0040529b}" = "UserChangePassword";
"{ab721a54-1e2f-11d0-9819-00aa0040529b}" = "SendAs";
"{B5C7D5F3-F235-43ad-A8D7-9D8374892123}" = "ReadLoggingInformation";
"{ED838A5C-56C2-486e-A85E-4D1B23CD2B54}" = "ReadSummaryLog";
"{8B3541F7-E278-4AC7-9FF9-D73220847E52}" = "RunScript";
"{BD3422E8-7737-4232-A1A6-B78CAB5FEA2D}" = "ExecuteAllCustomCommands";
"{D81B5354-169B-4482-981D-090484B7A328}" = "EnrollDisenrollUser";
"{649CDC16-A7E3-4D95-AE01-CECD32C79704}" = "GetPasswordSelfServiceReport";
"{E783B4EC-83FC-4C51-A0C2-9E3A1FFF9E6A}" = "SendSms";
"{299557F6-C974-4696-BC02-17859F1D613B}" = "MoveMailbox";
"{D5E7B1E7-C34F-4458-B33B-CEE66C0FBBC6}" = "ExportMailbox";
"{F19E8E0A-C601-4234-86A6-4774197A4B99}" = "CreateMailbox";
"{DB382E2C-FA7C-499A-85E4-907CFFE3E3E1}" = "DeleteMailbox";
"{828D990A-5FA7-4F8D-96D5-2C0F9A833EDF}" = "EstablishEmailAddress";
"{6F6D257A-A44E-4EE6-9FF6-1BF5A9144F88}" = "DeleteEmailAddress";
"{ADBACEA1-0A7A-407C-9535-D3E51B6AC303}" = "ArchiveHomeDirectory";
"{D8F76534-EAFF-4C38-9B4C-D6C0C29365BB}" = "ExchangeProperties";
"{87547735-7D75-4D9F-BDA3-EEBD1789397A}" = "ExchangeGeneralProperties";
"{EB7861A9-DCE0-434D-A2D9-59B062310BB6}" = "ExchangeEmailAddressesProperties";
"{A97C32B0-69D7-47CA-BBC2-0A815C18BCA3}" = "ExchangeSendAsProperties";
"{B9BBF393-6BF6-4C82-8957-2DDC25DA169D}" = "ExchangeSendOnBehalfProperties";
"{C7C0C556-62F7-45E5-B12D-ABFF8A857A84}" = "ExchangeMailboxRightsProperties";
"{274614ED-130F-40BC-BC72-601F0C1D5138}" = "ExchangeMailTipProperties";
"{82E50D86-1850-4EEE-9792-82D61A45F53A}" = "ExchangeDeliveryOptionsProperties";
"{7A2F504B-F7A7-4D21-B731-8FF9E9BBF48E}" = "ExchangeMessageDeliveryRestrictionsProperties";
"{79511D62-2638-4E80-A59B-24D92ABCE291}" = "ExchangeMessageModerationProperties";
"{61A0C1FD-9866-46EF-8BD4-60D792DFE554}" = "ExchangeMessageSizeRestrictionsProperties";
"{DD6540B6-CA2B-45C6-8D0D-EFBCD51EBD3E}" = "ExchangeMailboxQuotasProperties";
"{2C902617-EA87-4AEE-A26A-C3DCA79B38BE}" = "ExchangeMailboxPoliciesProperties";
"{CA1A1A17-09D6-4AA7-8369-2B936CCBC674}" = "ExchangeUMFeatureProperties";
"{360B7E6B-8042-436E-9117-D9691B10AC0F}" = "ExchangeActiveSyncFeatureProperties";
"{3BEF8F48-F5E4-422D-B100-168D4F06ABD9}" = "ExchangeArchiveFeatureProperties";
"{3CF80F35-49ED-4BEF-B41F-88C7456BE394}" = "ExchangeMapiFeatureProperties";
"{31DE0C27-4D5A-4E23-8F9C-7CB179635D35}" = "ExchangeOwaFeatureProperties";
"{795AB3ED-D1B4-49D1-8D16-1C47F2CF2ED7}" = "ExchangeRetentionHoldFeatureProperties";
"{3D497EF4-E358-4EB7-91A3-1E16EA054AFF}" = "ExchangeLitigationHoldFeatureProperties";
"{AF777E74-5ACB-4848-864C-70707B78C2C3}" = "ExchangePop3FeatureProperties";
"{BB3BD947-9C0F-4B38-AACC-2F3BFE301453}" = "ExchangeImapFeatureProperties";
"{4F16A030-3C93-4935-8C7F-A9ABEBC60693}" = "ExchangeAutoReplyConfigurationProperties";
"{16CAAFF5-74D3-429D-8D66-BCBA270C075C}" = "ExchangeCalendarSettingsProperties";
"{683AEA04-F847-4CEB-8D0B-B9534EB0EEEC}" = "Office365AccountProperties";
"{609CEF0E-7B62-436D-A621-CFAE0740BDD1}" = "AdaxesCustomAttributes";
"{77b5b886-944a-11d1-aebd-0000f80367c1}" = "PersonalInformation";
"{e45795b3-9455-11d1-aebd-0000f80367c1}" = "WebInformation";
"{e45795b2-9455-11d1-aebd-0000f80367c1}" = "EmailInformation";
"{e9db7f44-3799-441f-9719-33f32c20cdc3}" = "ResetMultifactorAuthentication";
"{A813457B-48DE-4821-A22F-253AAB73D5AE}" = "ConvertToSharedMailbox";
"{86908D09-1566-4698-A315-0E2792A5EB73}" = "ConvertToRegularMailbox";
"{D8640203-5F31-49C6-9A32-C880FB45EECA}" = "GenerateReport";}
$extendedRights = $extendedRightsGuid[$objectTypeGuid]
if ($extendedRights -ne $NULL)
{
return $extendedRights
}
$commandName = FindCustomCommandName $objectTypeGuid $customCommandHashTable $customCommandContainerPath
if ($commandName -ne $NULL)
{
return "Execute: $commandName"
}
return $objectTypeGuid
}
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$global:admService = $admNS.GetServiceDirectly("localhost")
# Find all Security Roles
$securityRolesPath = $global:admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$searcher = $global:admService.OpenObject($securityRolesPath, $NULL, $NULL, 0)
$criteria = New-Object Softerra.Adaxes.Directory.Criteria.Criteria
[void]$criteria.AddType("adm-Role", $NULL)
$searcher.Criteria = $criteria
$searcher.PageSize = 500
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
try
{
# Execute search
$searchResult = $searcher.ExecuteSearch()
$roles = $searchResult.FetchAll()
# Build report
$customCommandHashTable = New-Object "System.Collections.Hashtable"
$customCommandContainerPath = $global:admService.Backend.GetConfigurationContainerPath("CustomCommands")
foreach ($roleId in $roles)
{
# Bind to the Security Role
$role = $global:admService.OpenObject($roleId.AdsPath, $NULL, $NULL, 0)
# Role name
$roleName = $role.RoleName
$reportHeader += "<tr valign='top'><td>$roleName</td>"
Write-Host "Adding role '$roleName'"
# Description
$description = $role.Description
$reportHeader += "<td>$description</td>"
# Assignments
$assignments = $role.Assignments
$reportHeader += "<td>"
if ($assignments.Count -ne 0)
{
$reportHeader += "<table border='1' width = '100%'><tr><th>Trustee</th><th>AssignedOver</th><th>Exclude</th><th>Inheritance</th></tr>"
foreach ($assignment in $role.Assignments)
{
$trusteeName = GetTrusteeName $assignment.Trustee
foreach ($item in $assignment.ActivityScopeItems)
{
switch ($item.Type)
{
"ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
{
$itemName = "All objects"
}
"ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION"
{
$itemName = "Configuration objects"
}
default
{
try
{
$itemName = $item.BaseObject.Get("name")
}
catch
{
$itemName = [Guid]$item.Get("adm-ScopeBaseObjectGuid")
}
}
}
switch ($item.Inheritance)
{
"ADS_SCOPE_BASE"
{
$inheritance = "This object only"
}
"ADS_SCOPE_ONELEVEL"
{
$inheritance = "One level"
}
"ADS_SCOPE_SUBTREE"
{
$inheritance = "Subtree"
}
}
$exclude = $item.Exclude
$reportHeader += "<tr><td>$trusteeName</td><td>$itemName</td><td>$exclude</td><td>$inheritance</td></tr>"
}
}
$reportHeader += "</table>"
}
else
{
$reportHeader += "N/A"
}
$reportHeader += "</td>"
# Permissions
$rolePermissions = $role.Permissions
$reportHeader += "<td>"
$reportHeader += "<table border='1' width = '100%'><tr><th>Access Mask</th><th>Object Type</th><th>Access Type</th><th>Applies to</th></tr>"
for ($i = 0; $i -lt $rolePermissions.Count; $i++)
{
$permissionEntry = $rolePermissions.GetObject($i)
# Access mask
$accessMask = $permissionEntry.AccessMask.ToString()
# Object type
$objectTypeGuid = $permissionEntry.ObjectType
if ($objectTypeGuid -eq $NULL)
{
$objectType = "All"
}
else
{
$objectType = GetObjectType $objectTypeGuid $customCommandHashTable $customCommandContainerPath
}
# Access type
if ($permissionEntry.AccessType -eq "ADM_PERMISSION_TYPE_ALLOW")
{
$accessType = "Allow"
}
else
{
$accessType = "Deny"
}
# Applies to
$inheritedObjectTypeGuid = $permissionEntry.InheritedObjectType
if ($inheritedObjectTypeGuid -eq $NULL)
{
$inheritedObjectTypeName = "All"
}
else
{
$inheritedObjectTypeName = GetObjectType $inheritedObjectTypeGuid $customCommandHashTable $customCommandContainerPath
}
$reportHeader += "<tr><td>$accessMask</td><td>$objectType</td><td>$accessType</td><td>$inheritedObjectTypeName</td></tr>"
}
$reportHeader += "</table></td></tr>"
}
$reportHeader += "</table>"
$htmlReport = $reportHeader + $reportFooter
# Send message
Send-MailMessage -To $to -from $from -SmtpServer $smtpServer -Subject $subject -Body $htmlReport -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8)
}
finally
{
$searchResult.Dispose()
}