RE: [ActiveDir] Export Security Mailbox Rights members
Well actually ADFIND can do this. It just may not be as clean as you may like. It will dump out the SDDL of the mailbox security descriptor. The SDDL will have either a code for a well known security principal like DA=Domain Admins and WD=everyone (world). For any non-well knowns it will have the SID. For instance here is a dump of a user object from my test domain (note that each attribute - lines started with would be one line in the output, you will probably see it wrap...). [Thu 04/14/2005 19:40:59.62]F:\DEV\cpp\SecTokadfind -default -f [EMAIL PROTECTED] -sddl msexchmailboxsecuritydescriptor AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005 Using server: 2k3dc01.joe.comDirectory: Windows Server 2003Base DN: DC=joe,DC=com dn:CN=joe,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=commsExchMailboxSecurityDescriptor: [SDDL] O:S-1-5-21-1862701446-4008382571-2198042679-G:S-1-5-21-1862701446-4008382571-2198042679-D:AI(A;CI;CCDCRC;;;PS)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(D;CIID;CC;;;DA)(D;CIID;CC;;;EA)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1672)(A;CIID;SDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)(A;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA)msExchMailboxSecurityDescriptor: [OWNER] O:S-1-5-21-1862701446-4008382571-2198042679-msExchMailboxSecurityDescriptor: [GROUP] G:S-1-5-21-1862701446-4008382571-2198042679-msExchMailboxSecurityDescriptor: [DACL] D:AI(A;CI;CCDCRC;;;PS)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(D;CIID;CC;;;DA)(D;CIID;CC;;;EA)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1672)(A;CIID;SDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)(A;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA)msExchMailboxSecurityDescriptor: [SACL] Not specified in SD or insufficient rights 1 Objects returned [Thu 04/14/2005 19:41:05.93] Now it has always been in the reading that I have done that only explicit ACEs are listed in that attribute, however I am not finding that to be true now that I can enumerate it directly. The above cleans up to be (A;CI;CCDCRC;;;PS)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(D;CIID;CC;;;DA) (D;CIID;CC;;;EA)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1672)(A;CIID;SDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)(A;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA) for the DACL (just grab the one line that says ""msExchMailboxSecurityDescriptor: [DACL]).You can clearly see that inherited ACEs are definitely in the data being returned. For more info on SDDL see http://msdn.microsoft.com/library/default.asp?url=""> http://msdn.microsoft.com/library/default.asp?url=""> http://msdn.microsoft.com/library/default.asp?url=""> joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, DevonSent: Thursday, April 07, 2005 11:45 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Export Security Mailbox Rights members Is there an option for this in adfind? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, DevonSent: Thursday, April 07, 2005 10:08 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Export Security Mailbox Rights members I have an account that has a few unknown SIDs under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this? -Devon
RE: [ActiveDir] Export Security Mailbox Rights members
Has anyone figured out how to do this? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members Is there an option for this in adfind? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 10:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Export Security Mailbox Rights members I have an account that has a few unknown SID's under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this? -Devon __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Export Security Mailbox Rights members
Archives dude. :-) I asked that question just over a year ago. :-P http://www.mail-archive.com/activedir@mail.activedir.org/msg14221.html -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Monday, April 11, 2005 4:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members Has anyone figured out how to do this? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members Is there an option for this in adfind? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 10:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Export Security Mailbox Rights members I have an account that has a few unknown SID's under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this? -Devon __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Export Security Mailbox Rights members
IIRC, that's information that's contained in the store and not in the directory. Have you checked the exchange tools to see what you can do with that? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Monday, April 11, 2005 4:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members Has anyone figured out how to do this? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members Is there an option for this in adfind? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 10:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Export Security Mailbox Rights members I have an account that has a few unknown SID's under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this? -Devon __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Export Security Mailbox Rights members
I didn't see any Exchange tools that could do this. I just want to export the S-1-5-21-3-xx-- account to either screen or test. I can then use psgetsid.exe to get the user ID. -Devon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Monday, April 11, 2005 5:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members IIRC, that's information that's contained in the store and not in the directory. Have you checked the exchange tools to see what you can do with that? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Monday, April 11, 2005 4:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members Has anyone figured out how to do this? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members Is there an option for this in adfind? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 10:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Export Security Mailbox Rights members I have an account that has a few unknown SID's under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this? -Devon __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Export Security Mailbox Rights members
That's correct but it's available via an automation interface (MailboxRights). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Monday, April 11, 2005 5:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members IIRC, that's information that's contained in the store and not in the directory. Have you checked the exchange tools to see what you can do with that? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Monday, April 11, 2005 4:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members Has anyone figured out how to do this? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Export Security Mailbox Rights members Is there an option for this in adfind? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 10:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Export Security Mailbox Rights members I have an account that has a few unknown SID's under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this? -Devon __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Export Security Mailbox Rights members
I have an account that has a few unknown SIDs under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this? -Devon __This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] Export Security Mailbox Rights members
Is there an option for this in adfind? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, April 07, 2005 10:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Export Security Mailbox Rights members I have an account that has a few unknown SIDs under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this? -Devon __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.