Peña said:
ps: Clifford, if by any chance you know how to query a msexchange:
I'd like to query all exchange mailboxes and for each mailbox,
list all the users who have rights to access it.
(since many of us share mailboxes).
Pardon the nubiness on windows/exchange..
On the contrary, this is *not* a nuby question.
I do know how to do it, it is *not* simple,
and there's not a supported method AFAIK.
Apologies for the non-Ruby-ness of the following...
You need to enumerate the Access Control Entries for
the mailbox (and potentially the mbox's ancestors)
and for each relevant ACE that pertains to a group,
establish the transitive closure of the group's
membership. Do this separately across all ACEs for
both the allowed members and the denied members, then
subtract the denied set from the allowed set. Either
set may be a wild-card (like World, or Authenticated
Users), so you must handle that.
This is thousands of lines of code, and cannot be done
efficiently using ADSI (or ADO/ADSI) because the ADSI
ACEs hide the SID, exposing only the SAM name of the
ACE, which is obtained by a remote directory lookup.
LDAP is the way to go. Even that's not easy, since you
can't get the ACL via LDAP unless you send a special
custom LDAP control with the query, saying you don't
want the sACL when you fetch the ntSecurityDescriptor.
As you can tell, I've actually done this, but it was
for a former employer and I'm not at liberty to share
the code. It was close to being their prize jewel.
Clifford Heath.
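
The set arithmetic described in the reply above (expand each ACE's trustee to its transitive group membership, build the allowed and denied sets separately, handle wildcards, then subtract), as an added Ruby example for auditing who can reach a shared mailbox; it is not code from the thread or from the poster's former employer. It assumes the ACEs have already been fetched and filtered to the relevant right, ignores inheritance from ancestors and access masks, and uses constructed placeholder SIDs, group data and helper names throughout (only `S-1-1-0` and `S-1-5-11` are real well-known SIDs).

```ruby
require 'set'

# Well-known wildcard SIDs: Everyone ("World") and Authenticated Users.
WILDCARD_SIDS = Set['S-1-1-0', 'S-1-5-11'].freeze

# Constructed sample directory: group SID => direct member SIDs (placeholders).
# Groups nest, and GROUP-B and GROUP-C contain each other (a cycle).
GROUPS = {
  'S-GROUP-A' => ['S-USER-alice', 'S-GROUP-B'],
  'S-GROUP-B' => ['S-USER-bob', 'S-GROUP-C'],
  'S-GROUP-C' => ['S-USER-carol', 'S-GROUP-B'],
  'S-GROUP-TEMPS' => ['S-USER-bob']
}.freeze
ALL_USERS = Set['S-USER-alice', 'S-USER-bob', 'S-USER-carol', 'S-USER-dave'].freeze

# Constructed ACEs for one shared mailbox, already filtered to the relevant right.
MAILBOX_ACES = [
  { type: :allow, sid: 'S-GROUP-A' },
  { type: :allow, sid: 'S-USER-dave' },
  { type: :deny,  sid: 'S-GROUP-TEMPS' }
].freeze

# Transitive closure of one trustee: expand nested groups down to user SIDs.
# The `seen` set stops infinite recursion on cyclic group membership.
def expand(sid, groups, seen = Set.new)
  return Set.new unless seen.add?(sid)
  return Set[sid] unless groups.key?(sid)
  groups[sid].reduce(Set.new) { |acc, member| acc | expand(member, groups, seen) }
end

# Union of the closures of all ACEs of one type; :wildcard if any names a wildcard SID.
def principals(aces, type, groups)
  sids = aces.select { |a| a[:type] == type }.map { |a| a[:sid] }
  return :wildcard if sids.any? { |s| WILDCARD_SIDS.include?(s) }
  sids.reduce(Set.new) { |acc, s| acc | expand(s, groups) }
end

# Allowed set minus denied set, where either side may be a wildcard.
def effective_access(aces, groups, all_users)
  denied = principals(aces, :deny, groups)
  return Set.new if denied == :wildcard
  allowed = principals(aces, :allow, groups)
  (allowed == :wildcard ? all_users : allowed) - denied
end

puts effective_access(MAILBOX_ACES, GROUPS, ALL_USERS).sort
```

A wildcard on the allow side is resolved against the known user population, so the result is only as complete as `ALL_USERS`.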