VBScript to read exchange permissions (msexchmailboxsecuritydescriptor)

Since the permissions involving sending and reading mail are stored in different places, you need to read both the AD object permissions as well as the Exchange security descriptor.

The AD permissions contain only entries related to the user itself, such as send-as/receive-as, while the Exchange permissions contain entries related to the mailbox, such as read and full access.

strUserODN = wscript.arguments(0)
strExportFile = wscript.arguments(1)

Const RIGHT_DS_DELETE = &H10000
Const RIGHT_DS_READ = &H20000
Const RIGHT_DS_CHANGE = &H40000
Const RIGHT_DS_TAKE_OWNERSHIP = &H80000
Const RIGHT_DS_MAILBOX_OWNER = &H1
Const RIGHT_DS_SEND_AS = &H2
Const RIGHT_DS_PRIMARY_OWNER = &H4
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1

set ObjUser = GetObject(“LDAP://” & strUserODN)
set fso = CreateObject(“Scripting.FileSystemObject”)
set output = fso.CreateTextFile(strExportFile, True)

Set objsd = objUser.Get(“msExchMailboxSecurityDescriptor”)
Set dacl = objsd.DiscretionaryAcl

For Each ace In dacl
output.Write strUserODN & “;”
output.Write ace.Trustee & “;”

strTemp = “”
If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
strTemp = “Allow”
ElseIf (ace.AceType = ADS_ACETYPE_ACCESS_DENIED) Then
strTemp = “Deny”
End If
output.Write strTemp & “;”

strTemp = “”
If (ace.AccessMask And RIGHT_DS_SEND_AS) Then
strTemp = “SendAs”
End If

If (ace.AccessMask And RIGHT_DS_CHANGE) Then
strTemp = “ModifyUserAttributes”
End If

If (ace.AccessMask And RIGHT_DS_DELETE) Then
strTemp = “DeleteMailboxStore”
End If

If (ace.AccessMask And RIGHT_DS_READ) Then
strTemp = “ReadPermissions”
End If

If (ace.AccessMask And RIGHT_DS_TAKE_OWNERSHIP) Then
strTemp = “TakeOwnership”
End If

If (ace.AccessMask And RIGHT_DS_MAILBOX_OWNER) Then
strTemp = “MailboxOwner”
End If

If (ace.AccessMask And RIGHT_DS_PRIMARY_OWNER) Then
strTemp = “PrimaryOwner”
End If
output.Write strTemp & “;”
output.WriteLine “#”
Next