Suffering from a lack of inspiration I decided to rework a previous script.
I had a request on my previous messagerestriction script.
Added to the script is the option to enter the smtp address of
the user or group object for which the messagerestrictions are set.
I have done that by re-using code from this script.
Another question was the option to output to a file,
this can be done easily by running the script like this:
cscript enumeratesendtorights.vbs > thefilenameofyourchoice.txt.
Follow the next steps to run the script (no admin rights needed):
* find the distinguished name of the nested group (adsiedit.msc)
* open your favorite text editor
* copy and paste the script into the editor
* change the distinguished name
* save the script (for example c:tempenumeratesendtorights.vbs)
* open a command prompt
* go to “c:temp”
* give “cscript enumeratesendtorights.vbs” (without quotes) and enter
The script:
' Name : enumeratesendtorights.vbs
' Description : script to enumerate the message restrictions (send to rights) of a distributionlist
' Author : dirk adamsky - deludi bv
' Version : 2.00 added smtp input option based on input from M (see comments on previous script)
' Date : 20-08-2010 (v.1.00 date 08-02-2010)
' Level: advanced
strObject = InputBox("Please enter the smtp address")
Set objSource = GetObject("LDAP://" & GetDN(strObject))
If TypeName(objSource.authOrig) = "String" Then
GetSendToRights ("LDAP://" & objSource.authOrig)
Else
For Each User In objSource.authOrig
GetSendToRights ("LDAP://" & User)
Next
End If
If TypeName(objSource.dLMemSubmitPerms) = "String" Then
EnumNestedgroup objSource.dLMemSubmitPerms
Else
For Each Group in objSource.dLMemSubmitPerms
EnumNestedgroup Group
Next
End If
Set objSource = Nothing
Function GetDN(strMail)
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"
' Filter on user objects.
strFilter = "(mail=" & strMail & ")"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"
' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute
wscript.echo adoRecordset.Fields("distinguishedName").Value
GetDN = adoRecordset.Fields("distinguishedName").Value
adoRecordset.Close
adoConnection.Close
Set adoRecordset = Nothing
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing
End Function
Function GetSendToRights(strUserDN)
On Error Resume Next
Set objAccount = GetObject(strUserDN)
Wscript.Echo objAccount.Mail & " ; " & objAccount.DisplayName & " ; direct send to rights"
Set objSecurityDescriptor = objAccount.Get("ntSecurityDescriptor")
Set objDacl = objSecurityDescriptor.DiscretionaryAcl
Set objAce = CreateObject("AccessControlEntry")
For Each objAce In objDacl
If objAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
If (Left(objAce.Trustee,3) <> "S-1" And objAce.Trustee <> "NT AUTHORITYSELF") Then
GetUserDetails Mid(objAce.Trustee,9)
End If
End If
Next
End Function
Function GetUserDetails(strPreW2K)
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & strPreW2K & "))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "mail, displayname"
' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
Wscript.Echo adoRecordset.Fields("mail").Value & " ; " & adoRecordset.Fields("displayname").Value & " ; indirect send to rights"
' Clean up.
adoRecordset.Close
adoConnection.Close
Set adoRecordset = Nothing
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing
End Function
Sub EnumNestedgroup(strGroupDN)
Set objGroup = GetObject("LDAP://" & strGroupDN)
For Each objMember in objGroup.Members
If (LCase(objMember.Class) = "group") Then
Call EnumNestedgroup(objMember.AdsPath)
Else
GetSendToRights objMember.AdsPath
End If
Next
Set objGroup = Nothing
End Sub
When you have problems/questions with the script please post a reply.
Happy scripting.
Best regards,
Dirk Adamsky
Hi Dirk,
Great script, can you include the texttbox also for the user input the DN name?
Hi Pol,
I made a new version in which you can enter the Distinguished Name in the textbox.
It can be found here:
http://deludi.nl/blog/vbscript/active-directory/messagerestrictions/active-directory-vbscript-to-enumerate-the-message-restrictions-send-to-rights-of-a-user-or-distributiongroup-v3/
Best regards,
Dirk Adamsky
Awesome script, I think it would be really helpful if I could input the SMTP address/addresses via CSV and output to CSV any thoughts as to the mods needed to do this? really appreciate your help
-Dave