That's got a lot of what's required, but it doesn't add the new ACL back into objSD and it doesn't properly sort the ACEs. As shown, the new ACE will be the last ACE in the ACL, which is non-canonical, and will cause it to not be used.
You can get working code from my blog, you'll just need to specify the new ACE properly.

See ReorderDACL here: <http://theessentialexchange.com/blogs/michael/archive/2007/11/13/displaying-security-on-active-directory-exchange-and-registry-objects.aspx>

And AddAce here: <http://theessentialexchange.com/blogs/michael/archive/2007/11/13/adding-a-hosted-exchange-user-with-vbscript.aspx>

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Al Rose [mailto:[email protected]]
Sent: Friday, January 21, 2011 8:34 AM
To: MS-Exchange Admin Issues
Subject: GRANT Associate external account permission to NT-AUTHORITY\SELF

Hi everyone,

I need to GRANT Associate external account permission to NT-AUTHORITY\SELF to disabled AD users (Functional mailboxes) with a vbs script. Does anyone have one I can use?

I am trying the following without success:

    Function SetmsExchMasterAccountSid
        Dim objSD
        Dim objACL
        Dim objACE
        Dim found

        'Set the primary Account to SELF
        objUser.Put "msExchMasterAccountSid", objUser.Get("objectSID")

        'Get the mailbox security descriptor
        set objSD = objUser.Get("msExchMailboxSecurityDescriptor")
        set objACL = objSD.DiscretionaryAcl
        found = false

        for each objACE in objACL
            'Iterate through the ACL to find the SELF-Account
            if objACE.Trustee = "NT AUTHORITY\SELF" Then
                found = true
                wscript.echo "exists"
                Exit For
            end if
        next

        if not found then
            'If no SELF-Account is present, create it
            set objACE = CreateObject("AccessControlEntry")
            objACE.Trustee = "NT AUTHORITY\SELF"
            wscript.echo "created"
            objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
            objACL.AddAce objACE
        end if

        'Give the SELF-Account the External-Account right
        objACE.AccessMask = objACE.AccessMask OR E2K_MB_READ_PERMISSIONS OR E2K_MB_FULL_MB_ACCESS OR E2K_MB_EXTERNAL_ACCOUNT

        'Save the changes
        objUser.Put "msExchMailboxSecurityDescriptor", objSD
        objUser.setInfo

        Set objSD = Nothing
        Set objACL = Nothing
        Set objACE = Nothing
    End Function

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe exchangelist
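
The two points raised in the reply above (sorting the ACEs into canonical order and putting the ACL back into objSD), sketched as an added example; it is not the ReorderDACL or AddAce code from the linked blog posts. The names CanonicalDacl and AppendAces are hypothetical, and it assumes inherited ACEs arrive in a valid order and can be kept as they are.

```vbscript
Option Explicit
' ADSI constants (ADS_ACETYPE_ENUM / ADS_ACEFLAG_ENUM)
Const ADS_ACETYPE_ACCESS_DENIED        = &H1
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_INHERITED_ACE        = &H10

' Hypothetical helper: copy every ACE of objSource onto the end of objTarget.
Sub AppendAces(objTarget, objSource)
    Dim objAce
    For Each objAce In objSource
        objTarget.AddAce objAce
    Next
End Sub

' Hypothetical helper: return a new ACL with the ACEs of objACL in canonical
' order: explicit deny, explicit allow, then inherited ACEs in original order.
Function CanonicalDacl(objACL)
    Dim objDeny, objAllow, objInherited, objNew, objAce
    Set objDeny      = CreateObject("AccessControlList")
    Set objAllow     = CreateObject("AccessControlList")
    Set objInherited = CreateObject("AccessControlList")
    For Each objAce In objACL
        If (objAce.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then
            objInherited.AddAce objAce
        ElseIf objAce.AceType = ADS_ACETYPE_ACCESS_DENIED Or _
               objAce.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
            objDeny.AddAce objAce
        Else
            objAllow.AddAce objAce
        End If
    Next
    Set objNew = CreateObject("AccessControlList")
    objNew.AclRevision = objACL.AclRevision
    AppendAces objNew, objDeny
    AppendAces objNew, objAllow
    AppendAces objNew, objInherited
    Set CanonicalDacl = objNew
End Function

' Write-back step, using the variable names from the script in the thread:
'   objACL.AddAce objACE
'   objSD.DiscretionaryAcl = CanonicalDacl(objACL)   ' sorted ACL goes back into objSD
'   objUser.Put "msExchMailboxSecurityDescriptor", objSD
'   objUser.SetInfo
```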
