Editing MailboxRights (ActiveDirectory)

HaeMHuK
Newbie | Posts: 43 | Reputation: 0
Hi all!
By default, on the MailboxRights tab, when a mailbox is created for a user the rights for SELF are set to Read permissions and Full access.
So, I need to clear the Full access check box. The script sets it either to Allow or to Deny.
If I delete SELF and then run the script, everything comes out as it should.
Please help me rework the script so that it simply clears the Full access check box or removes the Trustee.

Code:
; ********************************************************************
; Change these variables according to your environment.
; ********************************************************************
Global $sUserADsPath = "CN=John Doe,OU=AAA,OU=BBB,DC=domain,DC=com"
Global $sTrustee = "NT AUTHORITY\SELF"

; ADS_RIGHTS_ENUM values used by the Exchange 2003/2000 "Mailbox Rights" tab.
; AutoIt hex literals are written 0x..., not VBScript's &h... (a string such as
; "&h20000" is not a number in AutoIt).
Global Const $ADS_RIGHT_DS_CREATE_CHILD = 0x1     ; "Full mailbox access" check box
Global Const $ADS_RIGHT_READ_CONTROL = 0x20000    ; "Read permissions" check box
Global Const $ADS_ACETYPE_ACCESS_ALLOWED = 0      ; Allow ACE (1 would be Deny)
Global Const $ADS_ACEFLAG_INHERIT_ACE = 2         ; child objects inherit the ACE

; Get the directory user object.
Local $objUser = ObjGet("LDAP://" & $sUserADsPath)
If @error Or Not IsObj($objUser) Then
    MsgBox(16, "Error", "Could not bind to LDAP://" & $sUserADsPath)
    Exit 1
EndIf

; Get the mailbox security descriptor (SD) and extract its Discretionary
; Access Control List (DACL) through the IADsSecurityDescriptor interface.
Local $oSecurityDescriptor = $objUser.MailboxRights
Local $dacl = $oSecurityDescriptor.DiscretionaryAcl
Local $ace, $i

; Reporting is commented out. Uncomment to list the current mailbox rights:
; every Access Control Entry (ACE) in the DACL is enumerated through
; IADsAccessControlList and its IADsAccessControlEntry properties are shown.
;For $ace In $dacl
;    MsgBox(0, "Trustee, AccessMask, AceType, AceFlags, Flags, ObjectType, InheritedObjectType", _
;            $ace.Trustee & ", " & $ace.AccessMask & ", " & $ace.AceType & ", " & $ace.AceFlags & ", " & _
;            $ace.Flags & ", " & $ace.ObjectType & ", " & $ace.InheritedObjectType)
;Next

; Remove only the ACEs that belong to $sTrustee; every other trustee's entries
; stay untouched. Removing from a collection while enumerating it skips
; elements, so the matching ACEs are collected first and removed afterwards.
Local $aToRemove[1] = [0]
For $ace In $dacl
    If $ace.Trustee = $sTrustee Then
        $aToRemove[0] += 1
        ReDim $aToRemove[$aToRemove[0] + 1]
        $aToRemove[$aToRemove[0]] = $ace
    EndIf
Next
For $i = 1 To $aToRemove[0]
    $dacl.RemoveAce($aToRemove[$i])
Next

; Re-add the trustee with "Read permissions" only. Leaving out
; $ADS_RIGHT_DS_CREATE_CHILD is exactly what clearing the "Full mailbox access"
; check box under Mailbox Rights on the Exchange Advanced tab in ADUnC does.
; (Passing $ADS_RIGHT_DS_CREATE_CHILD + $ADS_RIGHT_READ_CONTROL instead would
; grant full control over the mailbox again.)
AddAce($dacl, $sTrustee, $ADS_RIGHT_READ_CONTROL, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0)

; Put the modified DACL back into the security descriptor.
$oSecurityDescriptor.DiscretionaryAcl = $dacl

; Save the new SD onto the user.
$objUser.MailboxRights = $oSecurityDescriptor

; Commit the changes from the property cache to the directory.
$objUser.SetInfo()

MsgBox(0, "!", "Done modifying the mailbox permissions for " & $sTrustee)

; Cleanup: release the COM objects.
$dacl = 0
$oSecurityDescriptor = 0
$objUser = 0

; ********************************************************************
;
; Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
;          gAceFlags, gFlags, gObjectType, gInheritedObjectType)
;
; Purpose: Adds an ACE to a DACL
; Input:   dacl            Object's Discretionary Access Control List
;          TrusteeName     SID or name of the trustee account
;          gAccessMask     Access permissions (ADS_RIGHTS_ENUM bits)
;          gAceType        ACE type (allow/deny)
;          gAceFlags       Inheritance flags for the ACE
;          gFlags          Whether ObjectType / InheritedObjectType are set
;          gObjectType     Used for extended rights
;          gInheritedObjectType
;
; Output:  The DACL object passed in now contains the new ACE
;
; ********************************************************************

Func AddAce($dacl, $TrusteeName, $gAccessMask, $gAceType, $gAceFlags, $gFlags, $gObjectType, $gInheritedObjectType)
    ; Create a new ACE object (IADsAccessControlEntry).
    Local $Ace1 = ObjCreate("AccessControlEntry")
    $Ace1.AccessMask = $gAccessMask
    $Ace1.AceType = $gAceType
    $Ace1.AceFlags = $gAceFlags
    $Ace1.Flags = $gFlags
    $Ace1.Trustee = $TrusteeName

    ; Set ObjectType only when one was given.
    If String($gObjectType) <> "0" Then
        $Ace1.ObjectType = $gObjectType
    EndIf

    ; Set InheritedObjectType only when one was given.
    If String($gInheritedObjectType) <> "0" Then
        $Ace1.InheritedObjectType = $gInheritedObjectType
    EndIf

    $dacl.AddAce($Ace1)

    ; Release the COM object.
    $Ace1 = 0
EndFunc
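To make the mask arithmetic behind the "Mailbox Rights" check boxes concrete, here is an added in-memory model (not code from the thread or from the script above). It assumes the ADS_RIGHTS_ENUM bit values and their ADUC check-box names as listed in the constants, which the page itself only gives for 0x20000; the sample DACL is constructed. It shows why 0x20000 alone yields "Read permissions" without "Full mailbox access", how a Deny ACE takes precedence in the check-box display, and the correct way to rewrite one trustee's entries without stripping the other trustees from the DACL:

```python
"""In-memory model of the Exchange 2003 "Mailbox Rights" DACL (constructed example)."""
from dataclasses import dataclass

# ADS_RIGHTS_ENUM bits that the ADUC "Mailbox Rights" tab shows as check boxes
# (assumed mapping; the thread only names 0x20000 explicitly).
ADS_RIGHT_DS_CREATE_CHILD = 0x1       # "Full mailbox access"
ADS_RIGHT_DS_DELETE_CHILD = 0x2       # "Delete mailbox storage"
ADS_RIGHT_READ_CONTROL = 0x20000      # "Read permissions"
ADS_RIGHT_WRITE_DAC = 0x40000         # "Change permissions"
ADS_RIGHT_WRITE_OWNER = 0x80000       # "Take ownership"

RIGHT_NAMES = {
    ADS_RIGHT_DS_CREATE_CHILD: "Full mailbox access",
    ADS_RIGHT_DS_DELETE_CHILD: "Delete mailbox storage",
    ADS_RIGHT_READ_CONTROL: "Read permissions",
    ADS_RIGHT_WRITE_DAC: "Change permissions",
    ADS_RIGHT_WRITE_OWNER: "Take ownership",
}

# IADsAccessControlEntry.AceType values.
ADS_ACETYPE_ACCESS_ALLOWED = 0
ADS_ACETYPE_ACCESS_DENIED = 1


@dataclass(frozen=True)
class Ace:
    """The IADsAccessControlEntry properties the check boxes depend on."""
    trustee: str
    access_mask: int
    ace_type: int = ADS_ACETYPE_ACCESS_ALLOWED


def decode_mask(mask: int) -> list[str]:
    """Names of the check boxes a given AccessMask turns on."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def checkbox_state(dacl: list[Ace], trustee: str, right: int) -> str:
    """'Deny', 'Allow' or '' for one trustee/right pair, as ADUC would show it.

    A deny ACE carrying the bit wins over any allow ACE for the same trustee.
    """
    states = set()
    for ace in dacl:
        if ace.trustee.lower() == trustee.lower() and ace.access_mask & right:
            states.add("Deny" if ace.ace_type == ADS_ACETYPE_ACCESS_DENIED else "Allow")
    if "Deny" in states:
        return "Deny"
    if "Allow" in states:
        return "Allow"
    return ""


def replace_trustee_aces(dacl: list[Ace], trustee: str, new_mask: int) -> list[Ace]:
    """Drop every ACE of `trustee`, keep all others, append one allow ACE with `new_mask`.

    A new list is built rather than removing from the list being iterated,
    which is the pitfall of a For/RemoveAce loop over a live collection.
    """
    kept = [ace for ace in dacl if ace.trustee.lower() != trustee.lower()]
    kept.append(Ace(trustee, new_mask, ADS_ACETYPE_ACCESS_ALLOWED))
    return kept


# Constructed sample DACL: SELF holds Read permissions + Full mailbox access
# (the default the thread describes); an admin group holds those plus delete.
SAMPLE_DACL = [
    Ace("NT AUTHORITY\\SELF", ADS_RIGHT_READ_CONTROL | ADS_RIGHT_DS_CREATE_CHILD),
    Ace("EXAMPLE\\Exchange Admins",
        ADS_RIGHT_READ_CONTROL | ADS_RIGHT_DS_CREATE_CHILD | ADS_RIGHT_DS_DELETE_CHILD),
]


def fix_self(dacl: list[Ace] = SAMPLE_DACL) -> list[Ace]:
    """What the thread wants: SELF keeps Read permissions only, others untouched."""
    return replace_trustee_aces(dacl, "NT AUTHORITY\\SELF", ADS_RIGHT_READ_CONTROL)


if __name__ == "__main__":
    for ace in fix_self():
        print(f"{ace.trustee}: 0x{ace.access_mask:X} -> {decode_mask(ace.access_mask)}")
```

Running it lists SELF with mask 0x20000 (only "Read permissions") while the admin group's entry is unchanged; a DACL that also contains a deny ACE for SELF reports the Full mailbox access box as "Deny", which is the Allow/Deny behaviour the opening post describes.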
 
HaeMHuK (thread author)
Newbie | Posts: 43 | Reputation: 0
I've fixed the script; everything works now. I no longer need help.
What was missing:
Code:
For $ace In $dacl
$dacl.RemoveAce($ace)
Next