Forwarding of email is a very common practice.
In active directory this is an easy task.
Unfortunately aduc is not very good at reporting which accounts have forwarding enabled.
This script enumerates all accounts with forwarding enabled and the smtp addresses where the mails are sent.

Follow the next steps (no admin rights needed):

• open your favorite text editor
• copy and paste the script into the editor
• save the script (for example c:tempforwarding.vbs)
• open a command prompt
• go to “c:temp”
• give “cscript forwarding.vbs” (without quotes) and enter

The script:

' Name : forwarding.vbs
' Description : script to find all accounts with forwarding enabled
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 25-01-2010

Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=*)(altRecipient=*))"
strAttributes = "displayname, altRecipient"

strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

Set objRecordset = adoCommand.Execute

objRecordSet.MoveFirst
i = 0
Do Until objRecordSet.EOF
	On Error Resume Next
	i = i + 1
	Set objContact = GetObject("LDAP://" & objRecordSet.Fields("altRecipient").Value)
	Wscript.Echo i & " " & objRecordSet.Fields("displayname").Value & " ; forwarded to ; " & objContact.mail
	Set objContact = Nothing
	objRecordSet.MoveNext
Loop

Set objRecordset = Nothing
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing