Great! You're welcome!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Tuesday, August 16, 2005 3:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi Alain,

 

We set the revision level in the security descriptor in the meta code. And it indeed works fine. Thanks for all your time and guidance. This has indeed come out to be a product defect.

 

Thanks again,

Mayuresh.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

 

Rebuild because the revision required is not set. When building a security descriptor under Windows, you are building an object containing ACE (DACL and SACL).

Doing this on Windows is easy as we have the APIs for it (Win32, ADSI, WMI, etc ...)

Under Unix, manipulating an SDDL string to construct the security descriptor is another story, as we don't have the API to build the MS security descriptor... but I'm pretty sure that your problem comes from the fact that the revision level is not set properly.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

For solving this error, Microsoft says, rebuild security object. What does this imply? And how can I rebuild the security object?

 

Any help, would be beneficial.

 

Thanks,

Mayuresh.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

 

Hi Alain,

 

This error is being returned by the meta directory server, for which I don’t have access to the code. At the most I can find the reason and try to eliminate it.

 

I would be just converting the binary SID to text transformation and give it to the Meta directory for settings.

 

Any idea why this would be caused?

 

Regards,

Mayuresh

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

 

Have you been checking the script sample I gave in the attached mail? It shows the value required for the revision level.

ADS_ACL_REVISION_DS is set to 4.

 

    objDACL.AclRevision = ADS_ACL_REVISION_DS

 

    ' "Self" Trustee
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = "Self"
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
                        E2K_MB_FULL_MB_ACCESS Or _
                        E2K_MB_SEND_AS
    objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
    objDACL.AddAce objACE
    Set objACE = Nothing
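The revision fields discussed in this thread, shown at the byte level as an added example (not code from the thread, from Alain's script or from any product): Python that packs a self-relative security descriptor on a non-Windows host and checks the descriptor and DACL revision bytes. The function names, the constructed SIDs and mask, and the choice of Python are assumptions; 4 is the ADS_ACL_REVISION_DS value quoted above.

```python
import struct

SD_REVISION = 1          # revision byte of the descriptor header
ACL_REVISION_DS = 4      # value of ADS_ACL_REVISION_DS quoted in the thread
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def sid_to_bytes(sid):
    """Text SID -> binary: revision, count, 48-bit big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[:2] != ["S", "1"]:
        raise ValueError("unsupported SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def build_sd(owner, group, aces, acl_revision=ACL_REVISION_DS, sd_revision=SD_REVISION):
    """Self-relative descriptor whose DACL holds (ace_flags, mask, sid) allow ACEs."""
    body = b""
    for flags, mask, sid in aces:
        trustee = sid_to_bytes(sid)
        # ACE header: type 0 (ACCESS_ALLOWED), flags, total size, then mask and SID
        body += struct.pack("<BBHI", 0, flags, 8 + len(trustee), mask) + trustee
    dacl = struct.pack("<BBHHH", acl_revision, 0, 8 + len(body), len(aces), 0) + body
    own, grp = sid_to_bytes(owner), sid_to_bytes(group)
    # Header: revision, pad, control, then offsets of owner, group, SACL (none), DACL
    header = struct.pack("<BBHIIII", sd_revision, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         20, 20 + len(own), 0, 20 + len(own) + len(grp))
    return header + own + grp + dacl

def check_revisions(sd):
    """List the revision problems in a self-relative descriptor (empty list if none)."""
    problems = []
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != SD_REVISION:
        problems.append("descriptor revision is %d, expected 1" % rev)
    if control & SE_DACL_PRESENT and off_dacl:
        acl_rev = sd[off_dacl]
        if not 2 <= acl_rev <= 4:
            problems.append("DACL revision is %d, expected 2 to 4" % acl_rev)
    return problems

# Constructed SIDs and mask, for illustration only
sd = build_sd("S-1-5-21-1-2-3-500", "S-1-5-21-1-2-3-500",
              [(0x02, 0x20003, "S-1-5-21-4-5-6-2370")])
print(check_revisions(sd))
```

Running `check_revisions` over the value a tool is about to write is a quick way to tell a zeroed revision byte apart from other encoding mistakes.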

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi,

 

I tried setting the msexchmailboxsecuritydescriptor attribute, but I am facing an error “the revision level is unknown”.

 

Any known issue you know that might be causing this?

 

Thanks,

Mayuresh

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

 

Hi All,

 

Found a Perl function in laman.pm which converts a SID to a string:

 

sub SidToString
{
    my ($sid) = @_;

    # Byte 0 is the SID revision; only revision 1 is defined.
    return undef
        unless unpack("C", substr($sid, 0, 1)) == 1;

    # Byte 1 is the sub-authority count; total length is 8 + 4 * count.
    my $count = unpack("C", substr($sid, 1, 1));
    return undef
        unless length($sid) == 8 + 4 * $count;

    # Bytes 2..7 hold the big-endian identifier authority; only the
    # low four bytes (4..7) are read here.
    my $sid_str = "S-1-" . unpack("N", substr($sid, 4, 4));

    # Sub-authorities are 32-bit little-endian, so use "V" rather than
    # the native-order "I", which gives wrong values on a big-endian host.
    for my $loop (0 .. $count - 1)
    {
        $sid_str .= "-" . unpack("V", substr($sid, 4 * $loop + 8, 4));
    }

    return $sid_str;
}

 

Hope this will do the job.

 

What all will be required to do the job? Is setting mailboxsecurity description and masteraccountsid enough, or do I also need something else?

 

Thanks,

Mayuresh.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

 

Thanks for the pointer.

 

Also, does anyone know any Perl module which converts the binary SID to a text SID? The Win32 module won't work because the script will be invoked from HP-UX.

 

Regards,

Mayuresh.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

 

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);

 

In the example above, you have a classic output that contains SDDL (Security Descriptor Definition Language) 

 

O:sid is the SID of the owner

G:sid is the SID of the group

D: is a DACL

 

I’ll let you look over the rest and determine what you have in your strings…..

 

http://msdn.microsoft.com/library/default.asp?url="">

 

Rick
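The SDDL layout described above, as an added example that is not part of the original post: a Python parser that splits an O:/G:/D: string and decodes each ACE, whose six fields are type;flags;rights;object GUID;inherited object GUID;trustee. The function names are assumptions, the sample string is the `usert` value quoted in this thread, and SID aliases such as PS are returned as text rather than resolved.

```python
import re

# SDDL right codes -> access-mask bits (directory-service and standard rights)
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10}
ACE_TYPES = {"A": "allow", "D": "deny"}

def pairs(codes, table):
    """OR together the bit values of a run of two-letter SDDL codes."""
    value = 0
    for i in range(0, len(codes), 2):
        value |= table[codes[i:i + 2]]     # KeyError on a code not in the table
    return value

def parse_sddl(sddl):
    """Return owner, group and the decoded DACL ACEs of an SDDL string."""
    m = re.match(r"O:(.*?)G:(.*?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(4)):
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")[:6]
        # Rights are either two-letter codes or a hexadecimal mask
        mask = int(rights, 16) if rights.startswith("0x") else pairs(rights, RIGHTS)
        aces.append({"type": ACE_TYPES[ace_type], "flags": pairs(flags, ACE_FLAGS),
                     "mask": mask, "trustee": trustee})
    return {"owner": m.group(1), "group": m.group(2), "dacl": aces}

# The 'usert' value from the thread, including its trailing ';'
SAMPLE = ("O:S-1-5-21-2527121305-4244181741-3459546813-500"
          "G:S-1-5-21-2527121305-4244181741-3459546813-500"
          "D:(A;CI;CCDCRC;;;PS)"
          "(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);")

for ace in parse_sddl(SAMPLE)["dacl"]:
    print(ace["type"], hex(ace["flags"]), hex(ace["mask"]), ace["trustee"])
```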

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

 

Using a newer version of ldp I could gather the following things:

 

The mailbox users have the following attribute set.

usert -  O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);

 

ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);

 

ZZZGGG - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);

 

ZZZJJJ - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);

 

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS) – This part was common for all entries.

 

S-1-5-21-3308934242-2785796821-2776977491-xxxx is the objectSID for the object in the other domain to whom I want to give permissions. Also the attribute msExchMasterAccountSid is set to the value of object sid.

 

But this part *** (A;CI;CCLCRC;;; *** before the objectsid, differs in some entries. What are all these fields? How can I find out these values programmatically and make a single attribute value which I can then give to the meta directory for setting?

 

Regards,

Mayuresh

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

 

Yes. But I want to do it using scripting + Meta directory server.

 

The steps I understand until now are:

  1. Give appropriate permissions in the security tab to the user in the different domain.
  2. Give appropriate permissions in the Mailbox rights.

 

Since my Meta directory server is on HP-UX, I can't employ a VBScript to do this. Can there be other ways? I understand that I would have to set the msexchmailboxsecuritydescriptor attribute. How can I generate a binary value for this using a Perl script, so that I can give this value to the meta dir to process and set in the exchange entry?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryon Barkley
Sent: Thursday, August 11, 2005 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

 

Mayuresh,

 

You should be able to just give Full Permissions to the user on the mailbox rights tab located under the Exchange Advanced Tab of the user's properties. 

 

BB

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 4:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MailBox permissioning

Hi Gurus,

 

I have a scenario where I have users and mail boxes created on exchange server on one domain. Now I have another set of users in a different domain, who should be able to use these mail boxes, and should have permissions over it.

 

Eg. User A is in retail domain. Correspondingly user A is created in exchange domain with a mailbox. I want to now have the permissions set so as to make the user A in the retail domain use this mailbox. What attributes should I set on the user side or the mailbox side to do this?

 

I’ll be doing this permissioning using a meta directory server.

 

Thanks,

Mayuresh.
