Re: [Norton AntiSpam] RE: [ActiveDir] OT: ADSI and Exchange 5.5
Actually, yes you can unless I totally misunderstood your requirement. To be sure, I think you're saying you want to remove the primary windows nt account value and replace it with a user representative but you want to allow the existing value represented to continue to have access to the mailboxes. You don't need to get granular and grant/revoke access at the folder level. If that's correct, then what Tony was talking about has worked for me in the past. I've used it in migration scenarios vs. just cleanup. i.e. migrating from domain1 to newDomain and want to let newDomain users have access to their mailboxes as if nothing happened. Solution: using import/export move the existing value to the obj-User field and replace the primary-Windows-NT value with newDomain\user value. In your case, you just need to identify which ones are groups vs. user accounts (looping through the spreadsheet and figure out which are groups and which are not might be one way to do this). To identify which are shared accounts you must have some other sort of knowledge because to the system a shared account (account where more than one wetware element knows the credentials) is the same as one security principal-one wetware element. Developing anything against 5.5 is a dead-end scenario that has a limited return on your time and resources invested. Might be fun, but I think if you write a lot of code for this one time use, it might not be an equitable transaction. Al On 2/13/06, Jacqui Hurst <[EMAIL PROTECTED]> wrote: I am working on directory cleanup activities for the existing Exchange 5.5 directory. Where accounts are sharing an NT account or using a group I would like to replace the primary NT account with an unique account and update the additional permissions to include the account that was previously the primary NT account (so still allowing access to the mailbox). Most of the cleanup activities have used imports and exports but as you can imagine I can't acheive permissions update using this method. I found some VB code which I beleive is meant to do this but this just doesn't appear to be working. An other methods of achieving the same goals would be appreciated. Cheers. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony MurraySent: 12 February 2006 09:22To: ActiveDir@mail.activedir.org Subject: [Norton AntiSpam] RE: [ActiveDir] OT: ADSI and Exchange 5.5 As Al indicates, there may be other methods. One option could be to look at directory export/import to achieve what you want. Header.exe facilitates the creation of an export CSV template with additional fields, including Primary Windows NT Account and Obj-User (which shows those accounts with "User" role on the mailbox). You can also find accounts with delegate permissions on a mailbox by including public-delegates and public-delegates-bl in the CSV template. You can download header.exe here: http://exchange.mvps.org/Headerexe.htm Tony www.activedir.org From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al MulnickSent: Sunday, 12 February 2006 12:26 p.m.To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: ADSI and Exchange 5.5 This would be a great time to ask: when you say "update Permissions on Exchange 5.5 mailboxes" what are you trying to accomplish exactly? It may be possible that what you want to do is possible with some other method. Al On 2/11/06, joe < [EMAIL PROTECTED]> wrote: I don't think so. Here are the reasons. o Exchange 5.5 ACLing isn't based on SIDs which is what ADSI perm mods work with (including ADsSecurity.dll). o I don't see MS doing ANYTHING to support 5.5, heck it is near impossible to get a change for Exchange Server 2003 at this point. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jacqui HurstSent: Friday, February 10, 2006 6:56 AMTo: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: ADSI and Exchange 5.5 Can anyone advise me if there has been a change in the ADSI that now allows the ACL of an Exchange 5.5 mailbox to be manipulated? I have some sample VB code from the ADSI 2.0 SDK that appears to offer the ability but as yet I cannot get this to work. I have found articles on the MS web site that say it is not possible with code other than C or C++ (detailed in the Exchange 5.5 SDK). If it is possible where am I going wrong? I have an XP client with the ADSI resource kit installed (including ADsSecurity.dll) I have installed ADSI 2.5 on my Exchange 5.5 server (not sure if this was required) I have imported the code into Visual Basic 2005 Express edition and complied it (Build Security) The code builds but when I run it against my environment I get an MS error to be sent to Microsoft. Has anyone any advise
[Norton AntiSpam] Re: [ActiveDir] OT: ADSI and Exchange 5.5
Thanks I will take a look at the tool. Might save me lots of grief :-) Cheers Also just found this... not sure whether its exactly what you are after but it may save you some programming time. This tool allows setting permissions across multiple mailboxes in 5.5. Setperm.exe @ http://www.fnds.net/html/downloads.html. Cheers, Matty On 12/02/06, Matt Holland <[EMAIL PROTECTED]> wrote: The ACL COM object (ACL.DLL) provided in the platform SDK can be used to manipulate 5.5 Mailbox ACLs. Can be used with VB/_vbscript_ or .NET (via Interop). These VB examples may help you http://www.cdolive.com/aclviewer.htm http://support.microsoft.com/?kbid=240911 Cheers, Matty On 12/02/06, Tony Murray <[EMAIL PROTECTED] > wrote: As Al indicates, there may be other methods. One option could be to look at directory export/import to achieve what you want. Header.exe facilitates the creation of an export CSV template with additional fields, including Primary Windows NT Account and Obj-User (which shows those accounts with "User" role on the mailbox). You can also find accounts with delegate permissions on a mailbox by including public-delegates and public-delegates-bl in the CSV template. You can download header.exe here: http://exchange.mvps.org/Headerexe.htm Tony www.activedir.org From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al MulnickSent: Sunday, 12 February 2006 12:26 p.m.To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT: ADSI and Exchange 5.5 This would be a great time to ask: when you say "update Permissions on Exchange 5.5 mailboxes" what are you trying to accomplish exactly? It may be possible that what you want to do is possible with some other method. Al On 2/11/06, joe <[EMAIL PROTECTED]> wrote: I don't think so. Here are the reasons. o Exchange 5.5 ACLing isn't based on SIDs which is what ADSI perm mods work with (including ADsSecurity.dll). o I don't see MS doing ANYTHING to support 5.5, heck it is near impossible to get a change for Exchange Server 2003 at this point. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jacqui HurstSent: Friday, February 10, 2006 6:56 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: ADSI and Exchange 5.5 Can anyone advise me if there has been a change in the ADSI that now allows the ACL of an Exchange 5.5 mailbox to be manipulated? I have some sample VB code from the ADSI 2.0 SDK that appears to offer the ability but as yet I cannot get this to work. I have found articles on the MS web site that say it is not possible with code other than C or C++ (detailed in the Exchange 5.5 SDK). If it is possible where am I going wrong? I have an XP client with the ADSI resource kit installed (including ADsSecurity.dll) I have installed ADSI 2.5 on my Exchange 5.5 server (not sure if this was required) I have imported the code into Visual Basic 2005 Express edition and complied it (Build Security) The code builds but when I run it against my environment I get an MS error to be sent to Microsoft. Has anyone any advise on code I can use to update Permissions on Exchange 5.5 mailboxes? As you can gather I'm not a born coder, I dabble when I have to J Regards, Jacqui
RE: [Norton AntiSpam] RE: [ActiveDir] OT: ADSI and Exchange 5.5
I am working on directory cleanup activities for the existing Exchange 5.5 directory. Where accounts are sharing an NT account or using a group I would like to replace the primary NT account with an unique account and update the additional permissions to include the account that was previously the primary NT account (so still allowing access to the mailbox). Most of the cleanup activities have used imports and exports but as you can imagine I can't acheive permissions update using this method. I found some VB code which I beleive is meant to do this but this just doesn't appear to be working. An other methods of achieving the same goals would be appreciated. Cheers. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony MurraySent: 12 February 2006 09:22To: ActiveDir@mail.activedir.orgSubject: [Norton AntiSpam] RE: [ActiveDir] OT: ADSI and Exchange 5.5 As Al indicates, there may be other methods. One option could be to look at directory export/import to achieve what you want. Header.exe facilitates the creation of an export CSV template with additional fields, including Primary Windows NT Account and Obj-User (which shows those accounts with "User" role on the mailbox). You can also find accounts with delegate permissions on a mailbox by including public-delegates and public-delegates-bl in the CSV template. You can download header.exe here: http://exchange.mvps.org/Headerexe.htm Tony www.activedir.org From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al MulnickSent: Sunday, 12 February 2006 12:26 p.m.To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT: ADSI and Exchange 5.5 This would be a great time to ask: when you say "update Permissions on Exchange 5.5 mailboxes" what are you trying to accomplish exactly? It may be possible that what you want to do is possible with some other method. Al On 2/11/06, joe <[EMAIL PROTECTED]> wrote: I don't think so. Here are the reasons. o Exchange 5.5 ACLing isn't based on SIDs which is what ADSI perm mods work with (including ADsSecurity.dll). o I don't see MS doing ANYTHING to support 5.5, heck it is near impossible to get a change for Exchange Server 2003 at this point. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jacqui HurstSent: Friday, February 10, 2006 6:56 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: ADSI and Exchange 5.5 Can anyone advise me if there has been a change in the ADSI that now allows the ACL of an Exchange 5.5 mailbox to be manipulated? I have some sample VB code from the ADSI 2.0 SDK that appears to offer the ability but as yet I cannot get this to work. I have found articles on the MS web site that say it is not possible with code other than C or C++ (detailed in the Exchange 5.5 SDK). If it is possible where am I going wrong? I have an XP client with the ADSI resource kit installed (including ADsSecurity.dll) I have installed ADSI 2.5 on my Exchange 5.5 server (not sure if this was required) I have imported the code into Visual Basic 2005 Express edition and complied it (Build Security) The code builds but when I run it against my environment I get an MS error to be sent to Microsoft. Has anyone any advise on code I can use to update Permissions on Exchange 5.5 mailboxes? As you can gather I'm not a born coder, I dabble when I have to J Regards, Jacqui
