Ant Drewery » Active Directory

VBScript to remove specific SMTP proxy addresses

Anthony Drewery — Fri, 03 Nov 2006 09:42:37 +0000

This script will remove proxy addresses for a specific SMTP domain from a specified list of users. You can change the domain by editing the strSMTPDomain value in the script. The input file called users.txt is a list of display names. For my needs I reformatted the output from my previous script. By specifying the domain and the list of users it reduces the chances of any mistakes.

The script takes the input file and processes each listed user. It checks all the proxy addresses for the user and deletes any that match the specified domain. Two output files are produced. The first is a processing log which lists whether each user was found and how many addresses were removed for that user. The second file is a log of all addresses removed which can be used as a reference in the event of a mistake.

You can download the script here: StripLegacyProxyAddresses.vbs.txt

VBScript to export SMTP proxy addresses

Anthony Drewery — Fri, 27 Oct 2006 12:21:40 +0000

Part of the way my current employer has grown is through acquisitions and mergers. Consequently we’ve been supporting more than 10 legacy SMTP domains from various shipping lines. Now that we’re decommissioning our systems it’s time to do some housekeeping and discontinue these domains.

The first step was to check that all objects had their primary SMTP address set to the main domain name. This was done more than a year ago but needed to be reconfirmed. A custom LDAP query that included the syntax (!mail=*@our_main_domain.com) sufficed.

Next I wrote a script that exported all SMTP proxy addresses for user objects. This was to be used as a reference in the unlikely event that problems arose down the line. The LDAP query can easily be modified for groups, contacts and public folders. It’s not the most exciting of scripts but it does the job. You can download it here: AllSMTPProxies.vbs.txt

As I wanted to be very specific and meticulous in the removal of legacy proxy addresses I wrote another script that targets a specific SMTP domain. In this script you can specify the domain by changing the strSMTPDomain value. The script will then only export the names and addresses for proxies that match the SMTP domain. You can download the script here: SpecificSMTPProxies.vbs.txt

In my next post I’ll be using PutEx in a script to remove proxy addresses from AD objects.

VBScript to output the logon script assigned to each user

Anthony Drewery — Tue, 24 Oct 2006 08:25:33 +0000

With some guidance from my colleague Ben Christian I’ve been working on several VBScripts to assist with the decommissioning of our systems. The scripts range from simple reporting to modifying objects. By posting them in this blog someone else may get some use out of them. They are posted "as is" and I accept no liability arising from the use of them.

This script simply creates a tab delimited text file showing all users with their logon script and object’s distinguished name. You’ll be notified by a prompt when the script has finished processing. Simply open the resulting text file with Excel to see the information formatted into columns. You could modify the script to output to a CSV file if you don’t use commas in your display names. Download the script here: WhichLoginScript.vbs.txt

Updating BlackBerry Enterprise Server permissions to support store.exe changes

Anthony Drewery — Fri, 25 Aug 2006 13:48:30 +0000

This is fairly old news now but something I thought worth documenting as it affected our two BES installations.

Microsoft have changed the Full Mailbox Access permissions in Exchange so that it no longer implies Send As rights. Recent fixes for store.exe include this change. When applied it affects 3rd party applications like BlackBerry Enterprise Server which previously only used Full Mailbox Access rights for the application account.

You can avoid disruption by a small amount of preparation before applying the latest Exchange fixes. You’ll need to grant the BES admin account Send As rights on the Active Directory user accounts of your BB users. You could do this individually but it would be easier to do it at OU level. You’ll need to take into account the inheritance configuration on your OUs to decide the best location(s) to set the permissions. To see the Security tab on your OU properties you’ll need to enable the Advanced Features in Active Directory Users & Computers. This is done via the View menu:

When viewing the Security tab click the Advanced button. Now click the Add button to add your BES service account. You’ll be presented with a list of permissions. Change the drop down box to User Objects then tick Allow Send As. Once you’ve Ok’d back to ADUC your permissions will be set.

Any administrative users will need to be addressed separately. Administrative users include anyone who is a member of the following groups:

Enterprise Admins
Schema Admins
Domain Admins
Administrators
Cert Publishers
Backup Operators
Replicator Server Operators
Account Operators
Print Operators

It should be noted that it is good security practice not to have admin rights on your everyday mail-enabled account.

To handle the administrative users the appropriate permissions need to be set on the AdminSDHolder container. The easiest way to do this is with the dsacls command. To use it you’ll need the Windows Server 2003 Support Tools installed. The syntax of the command is as follows:

dsacls "cn=AdminSDHolder,cn=System,dc=domain,dc=com" /G "domain.com\BESAdmin:CA;Send As"

Once all your permissions are set and verified you can go ahead and install the Exchange patches knowing that your BlackBerry users will continue to function as before.

[tags]BlackBerry, BES[/tags]

Correcting user account and mailbox associations

Anthony Drewery — Fri, 06 Jan 2006 15:57:08 +0000

We’ve been running in mixed-mode for some time and occasionally come across a user that was migrated from NT4 with two accounts in Active Directory. This is often flagged because they cannot log in to Outlook Web Access. On inspection only one of the user accounts has a mailbox associated with it. A closer look shows that the account without the mailbox has the correct user ID (the one they log in with), whereas the account with the mailbox has a garbage user ID that has been auto-created by the Active Directory Connector. We therefore need to swap the mailbox association and delete the incorrect account. Here’s the process that we use:

In Active Directory Users & Computers note SMTP addresses, group memberships, address and phone details of the account currently associated to the mailbox.
Note the current mailbox store.
Remove the Exchange attributes from the account.
Rename the account to have a prefix of ‘Disabled –‘. Disable the account and move to the Disabled Accounts OU (this is an OU we have created in our AD).
Connect Exchange Admin to the Exchange 5.5 server at the other end of the relevant connection agreement.
Delete the mailbox entry in Exchange Admin.
In ESM find the correct mailbox store. Expand and right click on the Mailboxes folder and select ‘Run Cleanup Agent’.
Refresh the view and the mailbox should now have a red cross on it.
Right click on the mailbox and select ‘Reconnect’. Select the correct account when prompted.
In ADUC add the necessary SMTP addresses, groups, address and phone information.
Update Custom Attribute 15 with you initials, date and comment saying corrected account/mailbox mapping (this is part of our process for any changes made to mail-enabled objects).
Create a new Outlook profile for the user.