
Exchange 2007 "Associated External Account" (msExchMasterAccountSid)


djtech2k

MIS
Jul 24, 2003
1,097
US
Ok, so I am a bit stuck and need some assistance. I need to come up with some vbscript code that will read the "msExchMasterAccountsid" on user accounts in AD 2003 with Exchange 2007 and resolve it back to a name. The value stored in that field is a SID from another account, most likely in another domain.

I just need to read the field and resolve it back to a name instead of displaying a sid.

Thanks!
 
Ok, so I have something together now, but would like a peer review of it to see if I am missing something or overlooking something. If any of you gurus could review this and see if I am getting what I am looking for, please let me know.

Code:
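Option Explicit

' Report the "Associated External Account" of every mailbox-enabled user.
'
' The script pages through every user object in the default naming context
' that has a homeMDB value and hands each one to GetACL (defined below),
' which inspects the mailbox security descriptor. Output is written with
' wscript.echo, so run it under cscript to get one line per mailbox.
'
' Only ASSOCIATED_EXTERNAL is used by the current code; the remaining
' constants are kept here for future script expansion.
CONST ADS_ACETYPE_ACCESS_ALLOWED = 0
CONST ADS_ACETYPE_ACCESS_DENIED = 1
CONST ADS_ACETYPE_SYSTEM_AUDIT = 2
CONST ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
CONST ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
CONST ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
CONST ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8

CONST ADS_ACEFLAG_INHERIT_ACE = 2
CONST ADS_RIGHT_DS_CREATE_CHILD = 1
CONST ADS_READ_MAILBOX_PERMS = &h20000
CONST EX_MB_SEND_AS_ACCESSMASK  = &H00100
CONST SEND_AS = &h2
CONST SEND_AS_GUID = "{AB721A54-1E2F-11D0-9819-00AA0040529B}"
CONST ASSOCIATED_EXTERNAL = &h4

Dim objRootDSE, strDNSDomain, objCommand
Dim objConnection, strQuery, strBase, strFilter
Dim objRecordSet, strDN, strName, strAttributes

' Shared with GetACL, which binds and releases them once per user.
Dim objUser
Dim oSecurityDescriptor
Dim dacl
Dim ace

' Determine the default naming context of the domain the script runs in.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO with the ADSI OLE DB provider to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search the whole subtree for user objects that have a mailbox (homeMDB set).
' Results are sorted by displayName.
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
strAttributes = "displayName,distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
' Paged results keep result sets larger than the server's size limit from
' being truncated.
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
objCommand.Properties("Sort On") = "displayName"
Set objRecordSet = objCommand.Execute

' An empty result set simply falls through the loop.
Do Until objRecordSet.EOF
	strName = objRecordSet.Fields("displayName")
	strDN = objRecordSet.Fields("distinguishedName")
	Call GetACL(strDN, strName)
	objRecordSet.MoveNext
Loop

' Release the recordset before the connection it was opened on; the
' original only closed the connection and left the recordset open.
objRecordSet.Close
Set objRecordSet = Nothing
objConnection.Close
Set objConnection = Nothing
Set objCommand = Nothing
Set objRootDSE = Nothing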


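Function GetACL(strDN, strName)
	' Print the trustee of every ACE in the user's mailbox security
	' descriptor that grants the "Associated External Account" right.
	'
	' strDN   - distinguishedName of the user to inspect
	' strName - displayName used to label the output line
	'
	' Uses the script-level objUser, oSecurityDescriptor, dacl and ace
	' variables. Output goes to wscript.echo; nothing is returned.
	' The trustee is printed as ADSI reports it, which may be an
	' unresolved SID string when the account lives in a domain this
	' host cannot resolve.

	' Bind to the user.
	Set objUser = GetObject("LDAP://" & strDN)

	' Read the mailbox security descriptor and take its DACL.
	Set oSecurityDescriptor = objUser.msExchMailboxSecurityDescriptor
	Set dacl = oSecurityDescriptor.DiscretionaryAcl

	' For Each assigns each ACE to ace itself, so no AccessControlEntry
	' needs to be created up front.
	For Each ace In dacl
		' Only an allow ACE grants the right; a deny ACE carrying the same
		' bit would otherwise be misreported as the associated account.
		If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Or ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then
			If (ace.AccessMask And ASSOCIATED_EXTERNAL) <> 0 Then
				' Debugging line: reports all ACE properties for troubleshooting.
				'  wscript.echo ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType & " END" & vbcrlf
				wscript.echo "The Associated External Account for " & strName & " is: " & ace.Trustee
			End If
		End If
	Next

	' Release the objects. Assigning "" to an object variable without Set
	' is not a cleanup: it tries to write the object's default property.
	Set ace = Nothing
	Set dacl = Nothing
	Set oSecurityDescriptor = Nothing
	Set objUser = Nothing
End Function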
 
Revised. Any opinions:


Code:
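Option Explicit

' Report the "Associated External Account" of every mailbox-enabled user
' that has msExchMasterAccountSid set.
'
' The script pages through every user object in the default naming context
' that has both a homeMDB and an msExchMasterAccountSid value and hands each
' one to GetACL (defined below), which inspects the mailbox security
' descriptor. Output is written with wscript.echo, so run it under cscript
' to get one line per mailbox.
'
' Only ASSOCIATED_EXTERNAL is used by the current code; the remaining
' constants are kept here for future script expansion.
CONST ADS_ACETYPE_ACCESS_ALLOWED = 0
CONST ADS_ACETYPE_ACCESS_DENIED = 1
CONST ADS_ACETYPE_SYSTEM_AUDIT = 2
CONST ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
CONST ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
CONST ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
CONST ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8

CONST ADS_ACEFLAG_INHERIT_ACE = 2
CONST ADS_RIGHT_DS_CREATE_CHILD = 1
CONST ADS_READ_MAILBOX_PERMS = &h20000
CONST EX_MB_SEND_AS_ACCESSMASK  = &H00100
CONST SEND_AS = &h2
CONST SEND_AS_GUID = "{AB721A54-1E2F-11D0-9819-00AA0040529B}"
CONST ASSOCIATED_EXTERNAL = &h4

Dim objRootDSE, strDNSDomain, objCommand
Dim objConnection, strQuery, strBase, strFilter
Dim objRecordSet, strDN, strName, strAttributes

' Shared with GetACL, which binds and releases them once per user.
Dim objUser
Dim oSecurityDescriptor
Dim dacl
Dim ace

' Determine the default naming context of the domain the script runs in.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO with the ADSI OLE DB provider to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search the whole subtree for user objects that have a mailbox (homeMDB set)
' and a master account SID. Results are sorted by displayName.
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user)(homeMDB=*)(msExchMasterAccountSid=*))"
strAttributes = "displayName,distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
' Paged results keep result sets larger than the server's size limit from
' being truncated.
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
objCommand.Properties("Sort On") = "displayName"
Set objRecordSet = objCommand.Execute

' An empty result set simply falls through the loop.
Do Until objRecordSet.EOF
	strName = objRecordSet.Fields("displayName")
	strDN = objRecordSet.Fields("distinguishedName")
	Call GetACL(strDN, strName)
	objRecordSet.MoveNext
Loop

' Release the recordset before the connection it was opened on; the
' original only closed the connection and left the recordset open.
objRecordSet.Close
Set objRecordSet = Nothing
objConnection.Close
Set objConnection = Nothing
Set objCommand = Nothing
Set objRootDSE = Nothing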


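Function GetACL(strDN, strName)
	' Print the trustee of every ACE in the user's mailbox security
	' descriptor that grants the "Associated External Account" right.
	'
	' strDN   - distinguishedName of the user to inspect
	' strName - displayName used to label the output line
	'
	' Uses the script-level objUser, oSecurityDescriptor, dacl and ace
	' variables. Output goes to wscript.echo; nothing is returned.
	' The trustee is printed as ADSI reports it, which may be an
	' unresolved SID string when the account lives in a domain this
	' host cannot resolve.

	' Bind to the user.
	Set objUser = GetObject("LDAP://" & strDN)

	' Read the mailbox security descriptor and take its DACL.
	Set oSecurityDescriptor = objUser.msExchMailboxSecurityDescriptor
	Set dacl = oSecurityDescriptor.DiscretionaryAcl

	' For Each assigns each ACE to ace itself, so no AccessControlEntry
	' needs to be created up front.
	For Each ace In dacl
		' Only an allow ACE grants the right; a deny ACE carrying the same
		' bit would otherwise be misreported as the associated account.
		If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Or ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then
			If (ace.AccessMask And ASSOCIATED_EXTERNAL) <> 0 Then
				' Debugging line: reports all ACE properties for troubleshooting.
				'  wscript.echo ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType & " END" & vbcrlf
				wscript.echo "The Associated External Account for " & strName & " is: " & ace.Trustee
			End If
		End If
	Next

	' Release the objects. Assigning "" to an object variable without Set
	' is not a cleanup: it tries to write the object's default property.
	Set ace = Nothing
	Set dacl = Nothing
	Set oSecurityDescriptor = Nothing
	Set objUser = Nothing
End Function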
 
