m_collard

Reputation: 2018

Active Directory Shared Mailbox user permissions

I need to write a C# app that queries Active Directory and returns a list of users that have permission to use a certain Shared Mailbox.

I've spoken to our Support department and they say that each Shared Mailbox has an associated Security Group. And to grant a user access to a Shared Mailbox, they make the user a member of the associated Security Group.

My question is what is the link between a Shared Mailbox and a Security Group in AD? How can I work out which Security Group is associated to which Shared Mailbox?

Upvotes: 3

Views: 2984

Answers (2)

englebart

Reputation: 573

I had a similar requirement. The AD field on the mailbox account that I ended up using was publicDelegates:

mailboxDirectoryEntry.publicDelegates

This contains a list of distinguishedNames of userids or groups that have been granted access via Outlook delegation capabilities.

For this specific question, you could then list the members of the group(s) you obtain from publicDelegates.

Transitive membership can be obtained with the

member:1.2.840.113556.1.4.1941:=

selector on your query. (Very handy if your organization uses nested groups)

Upvotes: 0
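The two steps in this answer, reading publicDelegates from the mailbox object and then expanding any group found there with the LDAP_MATCHING_RULE_IN_CHAIN selector (OID 1.2.840.113556.1.4.1941), as an added C# example that is not part of the original answer. It assumes mailboxDn is the distinguishedName of the shared mailbox's user object, that the process runs as a domain account with read access to the directory, and that the class and method names below are hypothetical:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example (not from the original answer). Assumes 'mailboxDn' is the distinguishedName
// of the shared mailbox's AD user object and that the process runs as a domain account.
static class DelegateLookup
{
    // Returns every account that can reach the mailbox through publicDelegates,
    // expanding any group found there to its transitive (nested) membership.
    public static List<string> UsersViaPublicDelegates(string mailboxDn)
    {
        var users = new List<string>();
        using (var mailbox = new DirectoryEntry("LDAP://" + mailboxDn))
        {
            foreach (object delegateObj in mailbox.Properties["publicDelegates"])
            {
                string delegateDn = (string)delegateObj;
                using (var delegateEntry = new DirectoryEntry("LDAP://" + delegateDn))
                {
                    if (delegateEntry.SchemaClassName == "group")
                        users.AddRange(TransitiveMembers(delegateDn));
                    else
                        users.Add(delegateDn);
                }
            }
        }
        return users;
    }

    // LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk nested groups,
    // so a single query returns both direct and indirect members.
    static IEnumerable<string> TransitiveMembers(string groupDn)
    {
        string filter = "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:="
                        + EscapeFilterValue(groupDn) + "))";
        // DirectorySearcher(filter, propertiesToLoad) searches from the root of the current domain.
        using (var searcher = new DirectorySearcher(filter, new[] { "distinguishedName" }))
        {
            searcher.PageSize = 500; // paged results: large groups exceed the server's default size limit
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                    yield return (string)r.Properties["distinguishedName"][0];
            }
        }
    }

    // RFC 4515 escaping: a DN spliced into a filter must not be able to alter the filter's structure.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c")
                    .Replace("*", "\\2a")
                    .Replace("(", "\\28")
                    .Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }
}
```

Call DelegateLookup.UsersViaPublicDelegates("CN=Shared Mailbox,OU=Mailboxes,DC=example,DC=com") with your own DN. The filter value is escaped because a DN can legitimately contain parentheses or backslashes, and PageSize is set because the matching-rule query against a large nested group will otherwise be cut off at the server's size limit.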

Glen Scales

Reputation: 22032

You can use the msExchMailboxSecurityDescriptor attribute of the Shared Mailbox object in Active Directory, which will give you the DACL of the Mailbox. e.g. How to read msExchMailboxSecurityDescriptor attribute in C#

How can I work out which Security Group is associated to which Shared Mailbox?

There is no direct way other than enumerating each DACL on each Shared Mailbox. Autodiscover will return all the Mailboxes a particular user has access to if they are automapped, via the AlternativeMailbox element https://msdn.microsoft.com/en-us/library/ee237925(v=EXCHG.80).aspx.

Cheers Glen

Edit: See the full assembly names; you should be able to work the rest out yourself.

    // directoryEntry is a System.DirectoryServices.DirectoryEntry bound to the shared mailbox's user object
    byte[] DaclByte = (byte[])directoryEntry.Properties["msExchMailboxSecurityDescriptor"][0];
    System.DirectoryServices.ActiveDirectorySecurity adDACL = new System.DirectoryServices.ActiveDirectorySecurity();
    adDACL.SetSecurityDescriptorBinaryForm(DaclByte);

    // explicit ACEs only (second argument false skips inherited entries), identities returned as SIDs
    System.Security.AccessControl.AuthorizationRuleCollection aclCollection = adDACL.GetAccessRules(true, false, typeof(System.Security.Principal.SecurityIdentifier));
    foreach (System.Security.AccessControl.AuthorizationRule ace in aclCollection)
    {
        // each rule names a SID (user or group) and whether it allows or denies access
        System.DirectoryServices.ActiveDirectoryAccessRule rule = (System.DirectoryServices.ActiveDirectoryAccessRule)ace;
        System.Console.WriteLine(rule.IdentityReference.Value + " " + rule.AccessControlType);
    }

Upvotes: 1
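The "enumerate each DACL on each Shared Mailbox" approach from this answer carried through end to end, as an added C# example that is not part of the original answer: one directory search finds the shared mailboxes, each msExchMailboxSecurityDescriptor is decoded with ActiveDirectorySecurity as above, and every ACE is reported with its SID translated to an account name. It assumes the process runs as a domain account allowed to read that attribute, that msExchRecipientTypeDetails=4 marks a shared mailbox (the Exchange 2007+ value), and that the class and method names are hypothetical:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the original answer). Assumes a domain account that can read
// msExchMailboxSecurityDescriptor; msExchRecipientTypeDetails=4 is Exchange's shared-mailbox code.
static class MailboxDaclAudit
{
    public sealed class MailboxAce
    {
        public string MailboxDn;
        public string Identity;        // SID translated to DOMAIN\name where the SID still resolves
        public AccessControlType Type; // Allow or Deny
        public int Mask;               // raw mailbox-rights mask from the Exchange descriptor
    }

    // One query for every shared mailbox; each mailbox's DACL is decoded into one row per ACE.
    public static List<MailboxAce> ListSharedMailboxAces()
    {
        var rows = new List<MailboxAce>();
        string filter = "(&(objectCategory=person)(msExchRecipientTypeDetails=4)(msExchMailboxSecurityDescriptor=*))";
        using (var searcher = new DirectorySearcher(filter, new[] { "distinguishedName", "msExchMailboxSecurityDescriptor" }))
        {
            searcher.PageSize = 500; // paged results so a large tenant is not cut off at the size limit
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    string dn = (string)r.Properties["distinguishedName"][0];
                    var descriptor = (byte[])r.Properties["msExchMailboxSecurityDescriptor"][0];
                    rows.AddRange(DecodeDacl(dn, descriptor));
                }
            }
        }
        return rows;
    }

    static IEnumerable<MailboxAce> DecodeDacl(string mailboxDn, byte[] descriptor)
    {
        var security = new ActiveDirectorySecurity();
        security.SetSecurityDescriptorBinaryForm(descriptor);
        // Explicit ACEs only, as in the answer above; pass true for the second argument to include inherited ones.
        foreach (ActiveDirectoryAccessRule rule in security.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            yield return new MailboxAce
            {
                MailboxDn = mailboxDn,
                Identity = Translate((SecurityIdentifier)rule.IdentityReference),
                Type = rule.AccessControlType,
                // The mask holds Exchange mailbox rights, not AD object rights, so it is kept as a raw value
                // rather than interpreted through the ActiveDirectoryRights enum names.
                Mask = (int)rule.ActiveDirectoryRights,
            };
        }
    }

    static string Translate(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; } // orphaned SID (deleted account): keep the raw SID
    }

    static void Main()
    {
        foreach (MailboxAce ace in ListSharedMailboxAces())
            Console.WriteLine("{0}\t{1}\t{2}\t0x{3:X}", ace.MailboxDn, ace.Type, ace.Identity, ace.Mask);
    }
}
```

Two things worth keeping in mind when reading the output: a Deny entry for a group outranks an Allow entry for one of its members, so both types must be considered before concluding that a user has access, and orphaned SIDs (accounts deleted without their ACEs being cleaned up) show up as raw S-1-5-... strings and are usually worth removing.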
