Function Get-SendToPermissions {
  Param(
    [String]$Identity,
    [String]$SearchRoot = $Null,
    [String]$LDAPFilter = "(objectCategory=group)",
    [Switch]$GC
  )

  If ($GC) { $Port = "GC" } else { $Port = "LDAP" }
  If ($SearchRoot) { $SearchRoot = [ADSI]"$Port://$SearchRoot" }

  $Properties = @("name", "distinguishedName", "dLMemSubmitPerms", `
    "dLMemRejectPerms", "authOrig", "unauthOrig", "msExchRequireAuthToSendTo")

  $Searcher = New-Object `
    DirectoryServices.DirectorySearcher($SearchRoot, $LDAPFilter)
  $Searcher.PageSize = 1000
  $Searcher.PropertiesToLoad.AddRange($Properties)

  $Searcher.FindAll() | %{
    $_ | Select-Object `
      @{n='Name';e={ $_.Properties['name'] }}, `
      @{n='DN';e={ $_.Properties['distinguishedname'] }}, `
      @{n='RequireAuthToSendTo';e={
        If ($_.Properties['msexchrequireauthtosendto']) {
          $True
        } Else {
          $False
        } }}, `
      @{n='AcceptFromMembersOfGroup';e={ $_.Properties['dlmemsubmitperms'] }}, `
      @{n='RejectFromMembersOfGroup';e={ $_.Properties['dlmemrejectperms'] }}, `
      @{n='AcceptFromUsers';e={ $_.Properties['authorig'] }}, `
      @{n='RejectFromUsers';e={ $_.Properties['unauthorig'] }}
  }
End Function

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

The differences

The following table notes the differences in property names between Exchange 2003 and Exchange 2007.

In addition to these the MailboxGuid attribute is formatted slightly differently. The MailboxGuid is enclosed in curly braces, {}, these are stripped in the code (or added when a search is being performed using a GUID)

No formatting is applied to the output. The output from this function can be made to look like the Exchange 2007 version of Get-MailboxStatistics by using Format-Table.

Get-2003MailboxStatistics | Format-Table MailboxDisplayName, TotalItems, `
  StorageLimitStatus, LastLogonTime

This is the code for the function, it is not as flexible as the Exchange 2007 version with regard to pipelines, but it should accept simple input and work in much the same way otherwise.

Usage examples

# With a Mailbox Display Name
Get-2003MailboxStatistics "Chris Dent"
# With a Legacy Exchange DN ("-Identity" itself is optional)
Get-2003MailboxStatistics -Identity "/O=SomeOrg/OU=AdminGroup/CN=RECIPIENTS/CN=Someone"
# For a single Mailbox Database
Get-2003MailboxStatistics -Database "Mailbox Database"
# For a different server
Get-2003MailboxStatistics -Server "ExchangeServer02"

Get-MailboxStatistics for Exchange 2003

Function Get-2003MailboxStatistics {
  Param(
     [String]$Identity = "",
     [String]$Server = $Env:ComputerName,
     [String]$Database = ""
  )

  $Filter = "ServerName='$Server'"
  if ($Database -ne "" ) {
    $Filter = "$Filter AND StoreName='$Database'"
  }
  if ($Identity -ne "") {
    $Filter = "$Filter AND (MailboxGuid='{$Identity}' OR LegacyDN='$Identity'"
    $Filter = "$Filter OR MailboxDisplayName='$Identity')"
  }

  Get-WMIObject -ComputerName $Server `
    -Namespace "root/MicrosoftExchangeV2" -Class "Exchange_Mailbox" `
    -Filter $Filter | `
  Select-Object `
    AssocContentCount, `
    @{n='DateDiscoveredAbsentInDs';e={
      If ($_.DateDiscoveredAbsentInDs -ne $Null) {
        [Management.ManagementDateTimeConverter]::ToDateTime(`
          $_.DateDiscoveredAbsentInDs)
      }} }, `
    MailboxDisplayName, TotalItems, LastLoggedOnUserAccount, `
    @{n='LastLogonTime';e={ if ($_.LastLogonTime -ne $Null) { `
      [Management.ManagementDateTimeConverter]::ToDateTime($_.LastLogonTime)}}
    }, `
    @{n='LastLogoffTime';e={ if ($_.LastLogoffTime -ne $Null) { `
      [Management.ManagementDateTimeConverter]::ToDateTime($_.LastLogoffTime)}}
    }, `
    LegacyDN, `
    @{n='MailboxGuid';e={
      ([String]$_.MailboxGuid).ToLower() -Replace "\{|\}" }}, `
    @{n='ObjectClass';e={ "Mailbox" }}, `
    @{n='StorageLimitStatus';e={ `
      Switch ($_.StorageLimitInfo) {
        1 { "BelowLimit" }
        2 { "IssueWarning" }
        4 { "ProhibitSend" }
        8 { "NoChecking" }
        16 { "MailboxDisabled" } }} }, `
    DeletedMessageSize, Size, `
    @{n='Database';e={
      "$($_.ServerName)\$($_.StorageGroupName)\$($_.StoreName)" }}, `
    ServerName, StorageGroupName, StoreName, `
    @{n='Identity';e={ ([String]$_.MailboxGuid).ToLower() -Replace "\{|\}" }}
}

Related posts:

1. Changing the Primary Group with PowerShell Exactly as the title says, an example of how to...

Related posts brought to you by Yet Another Related Posts Plugin.

Download GetMailboxStatistics.vbs

A number of people have been looking for Get-MailboxStatistics for Exchange 2003. I have a PowerShell version of this script for exactly that reason here.

This script is only intended for use with Exchange 2003. Exchange 2000 must use MAPI, Exchange 2007 has a PowerShell cmdlet, Get-MailboxStatistics, which can much more easily return this information.

It requires access to WMI on each Exchange Server, but does not require any of the Exchange System Tools. legacyExchangeDN is used to match accounts between AD and Exchange.

The script performs a number of searches in Active Directory. The largest number if multiple Admin Groups are selected (/a:”Admin Group*”). It can be instructed to use a single DC by specifying a name with the /dc switch. For forest-wide searches that must be a Global Catalog. If no DC is specified the script executes a DNS query for Global Catalog service records on the current forest name to attempt to find a (responding) GC in the current site, failing back to any GC in the forest otherwise.

Usage

cscript GetMailboxStatistics.vbs [/o] [/s:<exchangeServer>]
        [/a:"<administrative Group Name>"] [/d:<domainName>]
        [/dc:<domainControllerName>] [/f:<fileName>]

One of the following parameters must be specified:

/o      Get statistics from all Exchange Servers in the organisation
        This option overrides all others
/s      Get statistics for this Exchange Server only
        This option overrides all except /o
/a      Get statistics from all Exchange Servers in the specified Administrative Group
/d      Get statistics from all Exchange Servers in the specified Domain

The following parameters are optional:

/dc     A Domain Controller to use for this process. Must be a Global Catalog
        for reporting that covers a Forest. The script will attempt to find a
        GC in the current site if not specified.
/f      File Name for the output. Default file name is MailboxReport.csv

The following details are returned by this script:

• Name
• DN
• AccountStatus (Enabled / Disabled)
• UseDefaultQuotas (True / False)
• Warn (in Mb, Warning Limit if specified on User Account)
• ProhibitSend (in Mb, if specified on User Account)
• ProhibitSendAndReceive (in Mb, if specified on User Account)
• Size (in Mb)
• TotalItems
• MailboxStatus (BelowLimit, IssueWarning, ProhibitSend, NoChecking, MailboxDisabled)
• AssocContentCount (Total Number of messages associated with the mailbox folders)
• DeletedMessageSize (in Mb)
• LastLoggedOnUser
• LastLogon
• LastLogoff
• DateDeleted (for mailboxes which have been disconnected, waiting to be purged)
• MailboxDisplayName
• MailboxGuid
• ServerName (Exchange Server)
• StorageGroup
• Store
• legacyExchangeDN

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

It can be used against Exchange 2000 or Exchange 2003. Exchange 2007 can use Get-MailboxPermission to query the same information.

MailboxRights is used to retrieve the mailbox security descriptor. As part of CDOEXM (Collaboration Data Objects for Exchange Management) the Exchange System Tools must be installed on the system executing the script.

Option Explicit

' FindMailboxAccess.vbs
'
' Short Script to Find and Enumerate Mailbox Access for the specified
' security principal. Searches current domain, must be run as an Exchange Admin
' account to invoke MailboxRights method.
'
' This script is slow, it's speed is unavoidable as MailboxRights cannot be
' executed until connected to an individual user. That means we have to connect
' to every user account to determine whether or not the security principal is
' present within the ACL.
'
' Author: Chris Dent
' Modified: 04/01/2008

Sub UsageText
  Dim strMessage

  strMessage = "Usage:" & VbCrLf & VbCrLf
  strMessage = strMessage & "cscript " & WScript.ScriptName & _
    " <search String>" & VbCrLf
  strMessage = strmessage & VbCrLf
  strMessage = strMessage & "Note: This script must be executed as Exchange " & _
    "Administrator to enumerate" & VbCrLf
  strMessage = strMessage & "the Mailbox Security Descriptor" & VbCrLf
  WScript.Echo strMessage
  WScript.Quit
End Sub

Sub SortArgv
  Dim objArgv

  Set objArgv = WScript.Arguments
  If objArgv.Count < 1 Then
    UsageText
  End If

  strSearchString = objArgv(0)

  Set objArgv = Nothing
End Sub

Sub SearchAD
  Const ADS_SCOPE_SUBTREE = 2

  Dim objConnection, objCommand, objRootDSE, objRecordSet, objUser
  Dim objMailboxSD, objDACL, objACE

  Set objConnection = CreateObject("ADODB.Connection")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"

  Set objCommand = CreateObject("ADODB.Command")
  objCommand.ActiveConnection = objConnection

  Set objRootDSE = GetObject("LDAP://RootDSE")
  objCommand.CommandText = "SELECT distinguishedName, homeMDB " &_
    "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") &_
    "' WHERE objectClass='user' AND objectCategory='person'"
  WScript.Echo "Searching: " & objRootDSE.Get("defaultNamingContext")
  Set objRootDSE = Nothing

  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Timeout") = 600
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
  objCommand.Properties("Cache Results") = False

  Set objRecordSet = objCommand.Execute

  While Not objRecordSet.EOF
    On Error Resume Next
    If Not IsNull(objRecordSet.Fields("homeMDB")) Then
      ' Can't avoid connecting to the user, need to call the MailboxRights method

      Set objUser = _
        GetObject("LDAP://" & objRecordSet.Fields("distinguishedName").Value)

      Err.Clear
      Set objMailboxSD = objUser.MailboxRights
      Set objDACL = objMailboxSD.DiscretionaryAcl
      If Err.Number <> 0 Then
        ' Ignore It
      Else
        For Each objACE in objDACL
          If InStr(1, objACE.Trustee, strSearchString, VbTextCompare) Then
            WScript.Echo "Found In Mailbox ACL: " & objUser.Name
          End If
        Next
      End If
      On Error Goto 0
    End If

    objRecordSet.MoveNext
  Wend
  objConnection.Close

  Set objRecordSet = Nothing
  Set objCommand = Nothing
  Set objConnection = Nothing
End Sub

'
' Main Code
'

Dim strSearchString

SortArgv

WScript.Echo "Search String: " & strSearchString

SearchAD

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

The outbound rules do not apply when using a Smart Host to send mail. The inbound rules do not apply if receiving mail through a third-party (such as an anti-spam service).

Notes:

1. The server used to send mail does not have to be the same as the server used to receive mail.
2. Outbound SMTP servers do not have to appear in an MX record, those are for inbound mail only.
3. If the outbound server is not the same as the inbound server there is no way to dynamically find the outbound server outside of the network. The majority of sites that check SMTP configuration assume that the inbound and outbound servers are the same.

Host (A) record – inbound and outbound mail

If a server needs to accept inbound mail it must have a name created in a public DNS service. The record must point to the public IP address your mail server will use for receiving (and / or sending) mail, in most cases that IP address is set on a Firewall or Router.

For example:

mail.highorbit.co.uk.   IN A   1.2.3.4
smtp.highorbit.co.uk.   IN A   1.2.3.4

Mail Exchanger (MX) record – inbound mail

To accept inbound mail an MX Record should be created for the SMTP domain. The MX record must point to the record created above. MX Records must point to a Host (A) record to be RFC complaint, no Alias (CNAME) records and no IP addresses.

MX Records are written in the form:

email-domain  IN MX   priority   server

For example, this MX record will accept mail bound for anyrecipient@somedomain.example and pass it onto mail.somedomain.example.

somedomain.example.   IN MX   10   mail.somedomain.example.

Pointer (PTR) record – outbound mail

The reverse lookup zone maps IP Addresses back to names using Pointer (PTR) records. This forms the basis of a simple test to see if an SMTP server looks real rather than a virus / malware ridden machine sending spam.

If a server is sending out mail to hosts on the internet (that is, not relaying through a third-party service) it must have a PTR record configured. Failure to do so will cause mail to be rejected by many recipient systems.

The PTR record is generally be requested via an ISP; those responsible for providing the internet connection the mail server uses. The rare exception to this is where responsibility for the Reverse Lookup Zone has been delegated elsewhere.

The PTR record for mail.somedomain.example running on the public IP 1.2.3.4 would look like this:

4.3.2.1.in-addr.arpa.   IN PTR   mail.somedomain.example.

Many ISPs will understand a request for a Reverse Lookup Record for 1.2.3.4 to mail.somedomain.example. That is, it is not necessary to know the exact syntax above.

Responsibility for the Classful reverse lookup zone can be seen using NSLookup as follows:

nslookup -q=ns 3.2.1.in-addr.arpa.

Or using Dig it is possible to trace responsibility for the record with:

dig 4.3.2.1.in-addr.arpa ptr +trace

SMTP service name – outbound mail

If the server is sending out mail it must use a public name in HELO / EHLO. Failure to correctly set the name will cause some mail to fail as the server name does not match the Host (A) record or the Pointer (PTR) record.

For Exchange 2007 the name is set in the Properties for the Send Connector. It is possible to set the name for the Receive Connector as well however this will have no impact on mail delivery. It may be considered good practice to set a public name on the Receive Connector for the sake of consistency.

For Exchange 2000 and 2003 the name is set in the Properties for the Virtual SMTP Server (Delivery, Advanced, Server FQDN).

Sender Policy Framework (SPF / TXT) record – outbound mail

This record is not required for a functional SMTP server. However, it can reduce abuse of a domain name and is worth considering for that.

The Sender Policy Framework allows you to state explicitly which servers can send mail as a domain name.

While this is not universally used it will help reduce abuse of a domain name by third-parties and also reduce the number of non-delivery reports returned to a system for mail with spoofed addresses.

Wizards to help create a record can be found here:

www.openspf.org
www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

The record would be added as a TXT record to a public domain. It is only checked by systems receiving mail.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

This script will create contacts in Active Directory based on a formatted CSV file. It was written to allow automatic synchronisation of contacts using a CSV file as the source.

The usage for the script will echo when run without any parameters. Here’s a summary:

cscript ContactImport.vbs -f <file Name> -o "<organisational Unit Path>"
    [-r] [-s] [-a <attributes>] [-d <delimiter>] [-n "<name Format>"] [-t]

  -f <file Name> - Input File Name (Required)
  -o <organisational Unit Path> - Target OU for Contact Objects (Required)
  -r - Read the Header Line as AD Fields
  -s - Skip the Header Line
  -a <attributes> - AD Attibutes to write Fields to
    (Required if not using Header)
  -d <delimiter> - File Delimiter. Uses comma if not specified.
  -n <name Format> - DisplayName and CN Format by AD Attributes.
    Uses TargetAddress if not specified.
  -t - Test Only

Usage examples

Reading data from a CSV using the header line as fields

Example CSV file data:

givenName,sn,TargetAddress,streetAddress,streetAddress
Chris,Dent,chris.dent@somedomain.example,123 Somewhere Street,London

The following command will read the header line as the fields to import, then create contacts using givenName and sn as the display name / name.

cscript ContactImport.vbs -f Contacts.csv -o "OU=Contacts,DC=somedomain,DC=example" -r -n "givenName sn"

The attribute streetAddress appears twice, it will be concatenated using a comma as a delimiter. The streetAddress attribute will contain “123 Somewhere Street, London” in this example.

Defining attributes on the command line

Example CSV file data:

Chris,Dent,chris.dent@somedomain.example,SomeCorp,SomeOffice

The following command will read the file, then import attributes based on the -a value which must reflect the order of attributes in the import file.

cscript ContactImport.vbs -f Contacts.csv -o "OU=Contacts,DC=somedomain,DC=example" -a "givenName,sn,targetAddress,company,physicalDeliveryOfficeName"

Because no displayName format has been specified the targetAddress field will be used.

Using a custom file delimiter

Example file data:

FirstName|LastName|Address
Chris|Dent|chris@somedomain.example

In this example the header line contains names that cannot be used as attributes in Active Directory so the script is instructed to ignore it with -s. The fields are defined instead using the -a option. The Delimited is specified with -d.

cscript ContactImport.vbs -f Contacts.txt -o "OU=Contacts,DC=somedomain,DC=example" -a "givenName,sn,targetAddress" -s -d "|"

As above, because no displayName format is specified the targetAddress is used.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Function GetStores
  ' Return Type: Scripting.Dictionary
  '
  ' Finds all Private Information Stores in AD

  Const ADS_SCOPE_SUBTREE = 2

  Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"

  Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
  objCommand.ActiveConnection = objConnection

  Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")
  objCommand.CommandText = "SELECT name, distinguishedName " & _
    "FROM 'LDAP://" & objRootDSE.Get("configurationNamingContext") & _
    "' WHERE objectClass='msExchPrivateMDB'"

  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Timeout") = 600
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
  objCommand.Properties("Cache Results") = False

  Dim objRecordSet : Set objRecordSet = objCommand.Execute

  Dim objStores : Set objStores = CreateObject("Scripting.Dictionary")

  While Not objRecordSet.EOF
    Dim strDN : strDN = objRecordSet.Fields("distinguishedName").Value
    Dim strName : strName = objRecordSet.Fields("name").Value
    objStores.Add strDN, strName

    objRecordSet.MoveNext
  WEnd

  Set GetStores = objStores
End Function

Usage example

Set objStores = GetStores

For Each strDN in objStores
  WScript.Echo "DN: " & strDN & vbCrLf & "Name: " & objStores(strDN)
Next

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.