HaeMHuK Posted June 14, 2011 (edited)

Hi All! Please help me with the script for MailboxRights. User SELF should have only "Read permissions". By default it has "Full access" as well. This script can mark "Full access" as Allowed or Deny, but I need to uncheck "Full access" altogether. By the way, if I delete SELF from the security tab and run this script after that, the result is what I need: the user has only Read access checked. Original: http://support.microsoft.com/kb/304935.

;********************************************************************
;Change this variable according to your environment.
;
$sUserADsPath = "CN=John Doe,OU=AAA,OU=BBB,DC=domain,DC=com"
$sTrustee = "NT AUTHORITY\SELF"
;********************************************************************

;Get directory user object.
Local $objUser = ObjGet("LDAP://" & $sUserADsPath)

;Get the Mailbox security descriptor (SD).
Local $oSecurityDescriptor = $objUser.MailboxRights

;Extract the Discretionary Access Control List (DACL) using the IADsSecurityDescriptor
;interface.
Local $dacl = $oSecurityDescriptor.DiscretionaryAcl
$ace = ObjCreate("AccessControlEntry")

;''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
;' The following block of code demonstrates how to read all the
;' ACEs on a DACL for the Exchange 2000 mailbox.
;''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
;'wscript.echo "Here are the existing ACEs in the mailbox's DACL:"
;'
;'' Enumerate all the Access Control Entries (ACE) in the DACL using the IADsAccessControlList
;'' interface, therefore displaying the current mailbox rights.
;'wscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
;'
;'Reporting commented out. Uncomment to see permissions.
;For $ace In $dacl
    ;'' Display all the properties of the ACEs using the IADsAccessControlEntry interface.
    ;MsgBox(0, "properties of the ACEs", $ace.Trustee & ", " & $ace.AccessMask & ", " & $ace.AceType & ", " & $ace.AceFlags & ", " & $ace.Flags & ", " & $ace.ObjectType & ", " & $ace.InheritedObjectType)
;Next

;''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
;' The following block of code demonstrates adding a new ACE to the DACL
;' for the Exchange 2003/2000 mailbox with the Trustee specified in sTrustee,
;' which permits full control over this mailbox.
;' This is the same task that is performed by ADUnC when you follow these
;' steps to modify the properties of a user: on the Exchange Advanced tab,
;' under Mailbox Rights, click Add, select the Trustee, and then select the
;' Full Mailbox Access Rights check box.
;' Similarly, you can also remove ACEs from this ACL by using the IADsAccessControlEntry interfaces.
;''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
;' Template: AddAce(TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
;AddAce ($dacl, $sTrustee, $ADS_RIGHT_DS_CREATE_CHILD + $ADS_READ_MAILBOX_PERMS, _
;        $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0)

; Remove every existing ACE from the DACL.
For $ace In $dacl
    $dacl.RemoveAce($ace)
Next

; Add a single allowed ACE for SELF carrying only "Read permissions" (READ_CONTROL).
; AutoIt has no VBScript-style &h literal; the hex value is written as 0x20000.
AddAce($dacl, "NT AUTHORITY\SELF", 0x20000, 0, 2, 0, 0, 0)

; Add the modified DACL to the security descriptor.
$oSecurityDescriptor.DiscretionaryAcl = $dacl

; Save new SD onto the user.
$objUser.MailboxRights = $oSecurityDescriptor

; Commit changes from the property cache to the information store.
$objUser.SetInfo()

MsgBox(0, "!", "Done modifying the mailbox permissions for Full Control")

;'********************************************************************
;'*
;'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
;'*                 gAceFlags, gFlags, gObjectType, gInheritedObjectType)
;'*
;'* Purpose: Adds an ACE to a DACL
;'* Input:   dacl                  Object's Discretionary Access Control List
;'*          TrusteeName           SID or Name of the trustee user account
;'*          gAccessMask           Access Permissions
;'*          gAceType              ACE Types
;'*          gAceFlags             Inherit ACEs from the owner of the ACL
;'*          gFlags                ACE has an object type or inherited object type
;'*          gObjectType           Used for Extended Rights
;'*          gInheritedObjectType
;'*
;'* Output:  Object - New DACL with the ACE added
;'*
;'********************************************************************
Func AddAce($dacl, $TrusteeName, $gAccessMask, $gAceType, $gAceFlags, $gFlags, $gObjectType, $gInheritedObjectType)
    Local $Ace1

    ;' Create a new ACE object.
    $Ace1 = ObjCreate("AccessControlEntry")
    $Ace1.AccessMask = $gAccessMask
    $Ace1.AceType = $gAceType
    $Ace1.AceFlags = $gAceFlags
    $Ace1.Flags = $gFlags
    $Ace1.Trustee = $TrusteeName

    ;See whether ObjectType must be set.
    If String($gObjectType) <> "0" Then
        $Ace1.ObjectType = $gObjectType
    EndIf

    ;See whether InheritedObjectType must be set.
    If String($gInheritedObjectType) <> "0" Then
        $Ace1.InheritedObjectType = $gInheritedObjectType
    EndIf

    $dacl.AddAce($Ace1)

    ; Release the ACE object (AutoIt has no "Set x = Nothing"; clearing the variable drops the reference).
    $Ace1 = 0
EndFunc

;Cleanup
$sUserADsPath = ""
$sTrustee = ""

Thanks in advance.

Edited June 14, 2011 by HaeMHuK
HaeMHuK (Author) Posted June 14, 2011

I've edited my script. This is what I needed:

For $ace In $dacl
    $dacl.RemoveAce($ace)
Next
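The loop above removes every ACE in the mailbox DACL, including entries for trustees other than SELF, before the single read-only entry is added back. The following is an added example (my code, not HaeMHuK's script and not the Microsoft KB sample) that reaches the same end state for SELF while leaving all other trustees' entries untouched: it collects only the ACEs whose trustee is NT AUTHORITY\SELF, removes those, adds one allowed ACE carrying READ_CONTROL (0x20000, "Read permissions"), commits, and then re-reads the DACL from the directory so the result can be compared with the Mailbox Rights tab. It assumes the same placeholder LDAP path, that ADSI returns the trustee as the string "NT AUTHORITY\SELF" (compare against the SID if your system is localized), that the ACE type and flag values 0 and 2 are the ADSI constants ADS_ACETYPE_ACCESS_ALLOWED and ADS_ACEFLAG_INHERIT_ACE the original script passes as literals, and, like the original, that the MailboxRights property is available where the script runs.

```autoit
; Added example: replace only the NT AUTHORITY\SELF entries in a mailbox DACL
; with a single read-only ACE, keep every other trustee's ACE, then verify.
; Constant values are assumed from the ADSI enumerations; they match the
; literals (0, 2, 0x20000) used in the original script.
Global Const $ADS_ACETYPE_ACCESS_ALLOWED = 0
Global Const $ADS_ACEFLAG_INHERIT_ACE = 2
Global Const $ADS_RIGHT_READ_CONTROL = 0x20000 ; "Read permissions" on the Mailbox Rights tab

; Placeholders: adjust to your environment.
Global Const $sUserADsPath = "CN=John Doe,OU=AAA,OU=BBB,DC=domain,DC=com"
Global Const $sTrustee = "NT AUTHORITY\SELF"

; Without a handler a COM failure (for example, no write access to the user
; object) is silent and the script reports success anyway.
Global $oComErr = ObjEvent("AutoIt.Error", "_ComErrHandler")

Func _ComErrHandler($oErr)
    MsgBox(16, "COM error", "Number: 0x" & Hex($oErr.number, 8) & @CRLF & _
            "Description: " & $oErr.windescription & @CRLF & _
            "Script line: " & $oErr.scriptline)
    Exit 1
EndFunc

; Remove every ACE whose trustee equals $sTrusteeName. Matching ACEs are
; collected first and removed afterwards, so the enumeration never runs over
; a collection that is being modified. Returns the number of ACEs removed.
Func RemoveTrusteeAces($oDacl, $sTrusteeName)
    Local $aMatch[64], $iCount = 0
    For $oAce In $oDacl
        If $oAce.Trustee = $sTrusteeName Then ; AutoIt string "=" is case-insensitive
            If $iCount >= UBound($aMatch) Then ReDim $aMatch[$iCount + 64]
            $aMatch[$iCount] = $oAce
            $iCount += 1
        EndIf
    Next
    For $i = 0 To $iCount - 1
        $oDacl.RemoveAce($aMatch[$i])
    Next
    Return $iCount
EndFunc

; Add one allowed ACE carrying exactly $iAccessMask for $sTrusteeName.
Func AddAllowedAce($oDacl, $sTrusteeName, $iAccessMask)
    Local $oAce = ObjCreate("AccessControlEntry")
    $oAce.Trustee = $sTrusteeName
    $oAce.AccessMask = $iAccessMask
    $oAce.AceType = $ADS_ACETYPE_ACCESS_ALLOWED
    $oAce.AceFlags = $ADS_ACEFLAG_INHERIT_ACE
    $oAce.Flags = 0 ; no ObjectType / InheritedObjectType on this ACE
    $oDacl.AddAce($oAce)
EndFunc

; Printable listing of a DACL, one ACE per line, mask in hex so individual
; right bits (0x1 full access, 0x20000 read permissions, ...) are visible.
Func DumpDacl($oDacl)
    Local $sOut = "Trustee, AccessMask, AceType, AceFlags" & @CRLF
    For $oAce In $oDacl
        $sOut &= $oAce.Trustee & ", 0x" & Hex($oAce.AccessMask, 8) & ", " & _
                $oAce.AceType & ", " & $oAce.AceFlags & @CRLF
    Next
    Return $sOut
EndFunc

Local $objUser = ObjGet("LDAP://" & $sUserADsPath)
Local $oSD = $objUser.MailboxRights
Local $dacl = $oSD.DiscretionaryAcl

MsgBox(0, "Mailbox DACL before", DumpDacl($dacl))

Local $iRemoved = RemoveTrusteeAces($dacl, $sTrustee)
AddAllowedAce($dacl, $sTrustee, $ADS_RIGHT_READ_CONTROL)

$oSD.DiscretionaryAcl = $dacl
$objUser.MailboxRights = $oSD
$objUser.SetInfo()

; Re-read from the directory instead of trusting the local property cache.
$objUser.GetInfo()
Local $oSDAfter = $objUser.MailboxRights
Local $daclAfter = $oSDAfter.DiscretionaryAcl
MsgBox(0, "Mailbox DACL after (" & $iRemoved & " SELF ACE(s) replaced)", DumpDacl($daclAfter))
```

Run it once with the two MsgBox calls in place and compare the "before" and "after" listings: only the SELF lines should differ, and the SELF line afterwards should show AccessMask 0x00020000 with the full-access bit (0x1) absent.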