O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);

 

In the example above, you have a classic output that contains SDDL (Security Descriptor Definition Language).

O:sid is the SID of the owner

G:sid is the SID of the group

D: is a DACL

I’ll let you look over the rest and determine what you have in your strings...

http://msdn.microsoft.com/library/default.asp?url=

Rick

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

 

Using a newer version of ldp I could gather the following things:

 

The mailbox users have the following attribute set.

usert -  O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);

 

ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);

 

ZZZGGG - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);

 

ZZZJJJ - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);

 

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS) – This part was common for all entries.

 

S-1-5-21-3308934242-2785796821-2776977491-xxxx is the objectSID for the object in the other domain to whom I want to give permissions. Also the attribute msExchMasterAccountSid is set to the value of object sid.

 

But this part *** (A;CI;CCLCRC;;; *** before the objectsid, differs in some entries. What are all these fields? How can I find out these values programmatically and make a single attribute value which I can then give to the meta directory for setting?

 

Regards,

Mayuresh
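
An added example, not part of the original thread: a small Python parser that splits a value like the ones above into owner, group and DACL entries, and decodes each ACE's type, flags and two-letter rights codes into an access mask. The code tables use the generic SDDL meanings of the codes (CC = create child, DC = delete child, LC = list children, SD = delete, RC = read control), the function names are hypothetical, and only the O:/G:/D: layout with symbolic rights seen in this thread is handled.

```python
import re

# SDDL two-letter access-right codes -> access-mask bits (generic SDDL meaning).
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
             "NP": "NO_PROPAGATE", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
SID_ALIASES = {"PS": "S-1-5-10"}  # PS = Principal Self; other values pass through

SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dflags>[A-Z]*)"
                     r"(?P<aces>(?:\([^()]*\))*)")

def _codes(text, table):
    """Split a run of two-letter codes and reject any code not in the table."""
    codes = [text[i:i + 2] for i in range(0, len(text), 2)]
    unknown = [c for c in codes if c not in table]
    if unknown:
        raise ValueError(f"unknown SDDL code(s): {unknown}")
    return codes

def parse_ace(ace):
    """Decode 'type;flags;rights;object_guid;inherit_object_guid;trustee'."""
    fields = ace.split(";")
    if len(fields) != 6 or fields[0] not in ACE_TYPES:
        raise ValueError(f"unsupported ACE: ({ace})")
    ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
    names = _codes(rights, RIGHTS)
    return {"type": ACE_TYPES[ace_type],
            "flags": [ACE_FLAGS[f] for f in _codes(flags, ACE_FLAGS)],
            "rights": names, "mask": sum(RIGHTS[n] for n in set(names)),
            "trustee": SID_ALIASES.get(trustee, trustee)}

def parse_sddl(sddl):
    """Return owner, group and decoded DACL of an O:..G:..D:(..) string."""
    # The ldp output in the thread ends with a stray ';' after the last ACE; drop it.
    m = SDDL_RE.fullmatch(sddl.strip().rstrip(";"))
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = re.findall(r"\(([^()]*)\)", m["aces"])
    return {"owner": m["owner"], "group": m["group"],
            "dacl": [parse_ace(a) for a in aces]}

# Value copied from the thread (the ZZZGGG entry).
SAMPLE = ("O:S-1-5-21-2527121305-4244181741-3459546813-500"
          "G:S-1-5-21-2527121305-4244181741-3459546813-500"
          "D:(A;CI;CCDCRC;;;PS)"
          "(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);")
```

Comparing the decoded `mask` and `trustee` of the second ACE across mailboxes shows exactly where the per-user entries differ (CCLCRC, CCLCSDRC and CCLCSD in the values above).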

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

 

Yes. But I want to do it using scripting + Meta directory server.

The steps I understand until now are:

  1. give appropriate permissions in the security tab to the user in different domain.
  2. give appropriate permissions in the Mailbox right.

Since my Meta directory server is on HP-UX, I can't employ a vbscript to do this. Can there be other ways? I understand that I would have to set the msexchmailboxsecuritydescriptor attribute. How can I generate a binary value for this using a Perl script, so that I can give this value to the meta dir to process and set in the exchange entry?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryon Barkley
Sent: Thursday, August 11, 2005 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

 

Mayuresh,

 

You should be able to just give Full Permissions to the user on the mailbox rights tab located under the Exchange Advanced Tab of the user's properties. 

 

BB

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 4:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MailBox permissioning

Hi Gurus,

 

I have a scenario where I have users and mail boxes created on exchange server on one domain. Now I have another set of users in a different domain, who should be able to use these mail boxes, and should have permissions over it.

 

E.g. User A is in retail domain. Correspondingly user A is created in exchange domain with a mailbox. I want to now have the permissions set so as to make the user A in the retail domain use this mailbox. What attributes should I set on the user side or the mailbox side to do this?

 

I’ll be doing this permissioning using a meta directory server.

 

Thanks,

Mayuresh.
