Need advice please on how to check if an account has the perms to mailbox-enable a user (without making changes).

Alan

Hello,

We are just migrating to Exchange 2003 from a third-party mail system. All
our Windows accounts are mail-enabled and we'll run a VBS script to
mailbox-enable them.

Problem is that the Windows account which our scripts run under won't
have permissions on everyone because some users have been given custom
rights, e.g., inheritance disabled.

I need to identify those problem user accounts before the migration
starts. We have several thousand users, so I need to write a script to
check.

Can anyone suggest please what I can check - using the script - to see
if my Windows account has the rights to mailbox-enable a user?

The script to check shouldn't make any changes or at least none that
would interfere with the current config.

Thanks,

- Alan.
 
jamestechman

I would start out with adfind. This will produce an audit of all
objects, the trustees and ACEs. The inherited switch will only produce
a trustee list that has been explicitly granted rights. Then examine
the output; if you don't see this Windows account in there, more than
likely it will not have rights to mailbox-enable the user.

adfind -default -f * -s one ntsecuritydescriptor -sddl++ -resolvesids -sddlnotfilter ;inherited

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

On Sep 29, 11:26 am, Alan <bru...@gmail.com> wrote:
> Hello,
>
> We are just migrating to Exchange 2003 from a third-party mail system. All
> our Windows accounts are mail-enabled and we'll run a VBS script to
> mailbox-enable them.
>
> Problem is that the Windows account which our scripts run under won't
> have permissions on everyone because some users have been given custom
> rights, e.g., inheritance disabled.
>
> I need to identify those problem user accounts before the migration
> starts. We have several thousand users, so I need to write a script to
> check.
>
> Can anyone suggest please what I can check - using the script - to see
> if my Windows account has the rights to mailbox-enable a user?
>
> The script to check shouldn't make any changes or at least none that
> would interfere with the current config.
>
> Thanks,
>
> - Alan.
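
An added example, not part of the thread and not adfind's or either poster's own code: a read-only pass over exported security descriptors that flags users whose DACL has inheritance disabled, or that gives the script account no plain write-property allow ACE (or a write deny). It assumes the descriptors are available as raw SDDL strings; the DNs, SID and SDDL below are constructed, and any groups the account belongs to must be passed in as extra trustees.

```python
import re

# Constructed sample: (distinguishedName, raw SDDL) pairs, not real directory data.
SVC = "S-1-5-21-1111-2222-3333-1105"   # hypothetical SID of the migration account
SAMPLE = [
    ("CN=Ann,OU=Staff,DC=example,DC=test",
     f"O:DAG:DAD:AI(A;CIID;RPWPCCDCLCSWRCWDWO;;;{SVC})(A;;RPLC;;;AU)"),
    ("CN=Bob,OU=Staff,DC=example,DC=test",
     "O:DAG:DAD:PAI(A;;GA;;;DA)(A;;RPLC;;;AU)"),
    ("CN=Cara,OU=Staff,DC=example,DC=test",
     f"O:DAG:DAD:PAI(A;;RPWP;;;{SVC})(D;;WP;;;{SVC})S:AI(AU;SA;WP;;;WD)"),
    ("CN=Dan,OU=Staff,DC=example,DC=test",
     f"O:DAG:DAD:P(A;;0x20;;;{SVC})"),
]

DACL_RE = re.compile(r"D:([A-Z_]*)((?:\([^)]*\))*)")
WRITE_CODES = {"WP", "GW", "GA"}                 # write property, generic write/all
WRITE_MASK = 0x20 | 0x40000000 | 0x10000000      # the same rights as a hex mask

def pairs(s):
    """Split an SDDL string of two-letter codes into a set of codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def grants_write(rights):
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return bool(pairs(rights) & WRITE_CODES)

def audit(sddl, trustees):
    """Return (inheritance_disabled, 'ok' | 'review') for one descriptor."""
    m = DACL_RE.search(sddl)
    if not m:
        return False, "review"                   # no DACL found: check by hand
    protected = "P" in m.group(1)                # P = inherited ACEs are blocked
    allowed = denied = False
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        f = ace.split(";")
        if len(f) < 6 or f[5] not in trustees or "IO" in pairs(f[1]):
            continue                             # other trustee, or inherit-only
        if grants_write(f[2]):
            denied |= f[0] in ("D", "OD")        # any write deny is a blocker
            allowed |= f[0] == "A"               # object ACEs (OA) are not counted
    return protected, "ok" if allowed and not denied else "review"

def problem_users(rows, trustees):
    return [dn for dn, sddl in rows if audit(sddl, trustees)[1] == "review"]

if __name__ == "__main__":
    for dn, sddl in SAMPLE:
        print(dn, audit(sddl, {SVC}))
```

The check is deliberately conservative: property-specific allow ACEs are treated as insufficient, so a "review" result means the object needs a closer look, not that the operation will certainly fail.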


 
