TechGuy83

Established Members
  • Posts: 27
  • Joined

  • Last visited

Profile Information

  • Gender
    Male
  • Location
    UK

TechGuy83's Achievements

Newbie

Newbie (1/14)

0

Reputation

  1. Thanks for your reply, but still no joy :-/
  2. Thanks for your advice, that's where I thought it would be. Here is what I see: Any advice?
  3. Had a good look and can't find the option. Would be nice to do this as I really want to change it.
  4. Sorry for my late reply, we went with the basics as Outlook will only open the default folders. Recursive permission audit was too unstable. Really appreciate your help. This sent out an email to the users which worked well on the whole, however it did identify accounts that simply couldn't be seen by any method other than scripting. However if anyone does have a great permission auditing script they use please share, I was less than satisfied with the results from the script I used, nothing terrible but just a few people with accounts that weren't listed in Outlook or the Exchange console.
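As an added example (not the poster's script, and not part of the original thread) of the "basics" approach: the same mailbox-root audit done with Exchange Management Shell cmdlets instead of EWSUtil. It assumes an Exchange 2007/2010 Management Shell session with a read-only administrative role; the output path, the ignored-principal list and the column names are assumptions. It keeps explicit (non-inherited) mailbox rights plus Send-As, and flags trustees that only resolve to a raw SID, which are exactly the orphaned entries that neither Outlook nor the console shows.

```powershell
# Added example: mailbox rights audit with Exchange Management Shell cmdlets
# (Get-Mailbox, Get-MailboxPermission, Get-ADPermission), no EWSUtil needed.
# Assumptions: Exchange 2007/2010 shell, output path and ignore list below.
$outFile = "C:\temp\MailboxRightsAudit.csv"
$ignore  = @("NT AUTHORITY\SELF", "NT AUTHORITY\SYSTEM")

function New-AuditRow {
    param($mbx, $scope, $user, $rights, $deny)
    if ($deny) { $status = "Deny" } else { $status = "Allow" }
    # A trustee that only resolves to a raw SID is an orphaned ACE (deleted account).
    # Flag it rather than drop it: these never show up in Outlook or the console.
    if ($user -like "S-1-5-*") { $note = "OrphanedSID" } else { $note = "" }
    New-Object PSObject -Property @{
        MailboxUsername = $mbx.Alias
        MailboxEmail    = $mbx.PrimarySmtpAddress.ToString()
        FolderName      = $scope
        UserName        = $user
        Rights          = $rights
        Status          = $status
        Note            = $note
    }
}

$rows = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Explicit mailbox-level rights only (FullAccess, ReadPermission, ...).
    # Inherited entries are database/organisation defaults and would swamp the report.
    foreach ($p in Get-MailboxPermission -Identity $mbx.Identity) {
        $user = $p.User.ToString()
        if ($p.IsInherited -or ($ignore -contains $user)) { continue }
        $rows += New-AuditRow $mbx "Mailbox Root" $user ($p.AccessRights -join ",") $p.Deny
    }
    # Send-As is an AD extended right on the user object, so it comes from Get-ADPermission.
    foreach ($p in Get-ADPermission -Identity $mbx.DistinguishedName) {
        $user = $p.User.ToString()
        if ($p.IsInherited -or ($ignore -contains $user)) { continue }
        if (-not ($p.ExtendedRights -like "*Send-As*")) { continue }
        $rows += New-AuditRow $mbx "Mailbox Root" $user "Send As" $p.Deny
    }
}

$rows | Select-Object MailboxUsername, MailboxEmail, FolderName, UserName, Rights, Status, Note |
    Export-Csv -Path $outFile -NoTypeInformation
"Wrote {0} non-default entries to {1}" -f $rows.Count, $outFile
```

Rows with Note = OrphanedSID are worth reviewing first: an ACE for a deleted account is dead weight until a new account happens to be created with a SID that resolves, and it is the kind of entry a scripted audit finds that a manual check does not.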
  5. I created a USB bootable task sequence media. To do this you need Windows Vista/2008 or higher. Run the Configuration Manager console on that machine and right click on the task sequence that you have created. Now click on create bootable media (can't remember exactly), follow the wizard and it will create your task sequence offline and on bootable media. One tip, if it is truly offline then of course you won't be able to join domain or check for updates etc so you may want to create a new task sequence and leave these out. Sorry if it's a bit wrong but from memory that's how I did it. I moved jobs and no longer use SCCM 2007, in my new job I am migrating from SMS 2003 to 2012! So I no longer have a console for reference, however if you do get stuck let me know and I will build up a test rig and give better instructions, always fun.
  6. Just had a thought, perhaps I am over complicating things: if they do not have permission on the root, is it not possible then to access the inbox? Am I right in thinking that? Of course the calendar can be directly accessed so not sure if it applies to other folders. If that's the case then it may be worth just running the audit on the mailbox root and calendar, this runs with no errors.
  7. Thanks for taking a look, the version I currently have is 1.0.0 running on XP. 1.2.1 needs Windows 7 I think, which is a shame.
  8. Ok here you go:

      [void][Reflection.Assembly]::LoadFile("c:\temp\EWSUtil.dll")

      # $casUrl was never assigned in the script as posted; placeholder added, replace with your CAS EWS URL
      $casUrl = "https://CAS-SERVER-PLACEHOLDER/EWS/Exchange.asmx"

      #######################################################################################
      ## FUNCTION enumMailBoxPerms
      #######################################################################################
      function enumMailboxperms() {
          param ($user)
          $root = [ADSI]'LDAP://RootDSE'
          $dfDefaultRootPath = "LDAP://OU=Users," + $root.DefaultNamingContext.tostring()
          write-host Searching
          write-host $dfDefaultRootPath
          write-host for mailboxes
          $dfRoot = [ADSI]$dfDefaultRootPath
          If (!$user) {
              $gfGALQueryFilter = "(&(mailnickname=*)(objectCategory=person)(objectClass=user))"
          } Else {
              $gfGALQueryFilter = "(&(mailnickname=$user)(objectCategory=person)(objectClass=user))"
          }
          $dfsearcher = new-object System.DirectoryServices.DirectorySearcher($dfRoot)
          $dfsearcher.PageSize = 10000
          $dfsearcher.Filter = $gfGALQueryFilter
          [void]$dfsearcher.PropertiesToLoad.Add("msExchMailboxSecurityDescriptor")
          [void]$dfsearcher.PropertiesToLoad.Add("public-delegates")
          [void]$dfsearcher.PropertiesToLoad.Add("public-delegates-bl")
          $srSearchResult = $dfsearcher.FindAll()
          $i = 0
          $ec = 0
          foreach ($emResult in $srSearchResult) {
              if ($i -lt 10000) {
                  $rsTable.clear()
                  $dsEmail = ""
                  $uoUserobject = $emResult.GetDirectoryEntry()
                  $mbUser = $uoUserobject.samaccountname.ToString()
                  $mbMailboxEmail = $uoUserobject.mail.ToString()
                  $emProps = $emResult.Properties
                  [byte[]]$DaclByte = $emProps["msexchmailboxsecuritydescriptor"][0]
                  $adDACL = new-object System.DirectoryServices.ActiveDirectorySecurity
                  $adDACL.SetSecurityDescriptorBinaryForm($DaclByte)
                  $mbRightsacls = $adDACL.GetAccessRules($true, $false, [system.Security.Principal.SecurityIdentifier])
                  write-host
                  write-host Processing - $mbUser ($uoUserobject.DisplayName)

                  # ---- Mailbox rights stored in the msExchMailboxSecurityDescriptor attribute ----
                  foreach ($ace in $mbRightsacls) {
                      # skip SELF (S-1-5-10), SYSTEM (S-1-5-18) and inherited entries
                      if ($ace.IdentityReference.Value -ne "S-1-5-10" -and $ace.IdentityReference.Value -ne "S-1-5-18" -and $ace.IsInherited -ne $true) {
                          $sidbind = "LDAP://<SID=" + $ace.IdentityReference.Value + ">"
                          $AceName = $ace.IdentityReference.Value
                          $AceDisplayName = ""
                          $aceuser = [ADSI]$sidbind
                          if ($aceuser.name -ne $null) {
                              $AceName = $aceuser.samaccountname.ToString()
                              $AceDisplayName = $aceuser.DisplayName.ToString()
                          }
                          if ($AceName -ne $mbUser) {
                              $rights = $ace.ActiveDirectoryRights
                              If ($rights -band [system.DirectoryServices.ActiveDirectoryRights]::CreateChild) {
                                  [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Full Mailbox Access", $ace.AccessControlType, $AceDisplayName)
                                  [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Full Mailbox Access", $ace.AccessControlType, $AceDisplayName)
                              }
                              # parentheses added: -ne binds tighter than -band, so the original test was wrong
                              If (($rights -band [system.DirectoryServices.ActiveDirectoryRights]::WriteOwner) -ne 0) {
                                  [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Take Ownership", $ace.AccessControlType, $AceDisplayName)
                                  [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Take Ownership", $ace.AccessControlType, $AceDisplayName)
                              }
                              If ($rights -band [system.DirectoryServices.ActiveDirectoryRights]::WriteDacl) {
                                  [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Modify User Attributes", $ace.AccessControlType, $AceDisplayName)
                                  [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Modify User Attributes", $ace.AccessControlType, $AceDisplayName)
                              }
                              If ($rights -band [system.DirectoryServices.ActiveDirectoryRights]::ListChildren) {
                                  # was $aceuser.AccessControlType (a directory entry has no such property); $ace is the ACE
                                  [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Is mailbox primary owner of this object", $ace.AccessControlType, $AceDisplayName)
                                  [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Is mailbox primary owner of this object", $ace.AccessControlType, $AceDisplayName)
                              }
                              If ($rights -band [system.DirectoryServices.ActiveDirectoryRights]::Delete) {
                                  [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Delete mailbox storage", $ace.AccessControlType, $AceDisplayName)
                                  [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Delete mailbox storage", $ace.AccessControlType, $AceDisplayName)
                              }
                              If ($rights -band [system.DirectoryServices.ActiveDirectoryRights]::ReadControl) {
                                  [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Read permissions", $ace.AccessControlType, $AceDisplayName)
                                  [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Read permissions", $ace.AccessControlType, $AceDisplayName)
                              }
                          }
                      }
                  }

                  # ---- Send-As / Receive-As extended rights on the AD user object ----
                  $objSec = $uoUserobject.psbase.get_objectSecurity()
                  $Sendasacls = $objSec.getAccessRules($true, $false, [system.Security.Principal.SecurityIdentifier]) | ? { $_.ObjectType -eq 'ab721a54-1e2f-11d0-9819-00aa0040529b' }
                  $Recieveasacls = $objSec.getAccessRules($true, $false, [system.Security.Principal.SecurityIdentifier]) | ? { $_.ObjectType -eq 'ab721a56-1e2f-11d0-9819-00aa0040529b' }
                  if ($Sendasacls -ne $null) {
                      foreach ($ace in $Sendasacls) {
                          if ($ace.IdentityReference.Value -ne "S-1-5-10" -and $ace.IdentityReference.Value -ne "S-1-5-18" -and $ace.IsInherited -ne $true) {
                              $sidbind = "LDAP://<SID=" + $ace.IdentityReference.Value + ">"
                              $AceName = $ace.IdentityReference.Value
                              $AceDisplayName = ""
                              $aceuser = [ADSI]$sidbind
                              if ($aceuser.name -ne $null) {
                                  $AceName = $aceuser.samaccountname.ToString()
                                  $AceDisplayName = $aceuser.DisplayName.ToString()
                              }
                              if ($AceName -ne $mbUser) {
                                  [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Send As", $ace.AccessControlType, $AceDisplayName)
                                  [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Send As", $ace.AccessControlType, $AceDisplayName)
                                  if ($rvSendRecieve.Containskey($AceName)) {
                                      $rvSendRecieve[$AceName] = [int]$rvSendRecieve[$AceName] + 1
                                  } else {
                                      $rvSendRecieve.add($AceName, 1)
                                  }
                              }
                          }
                      }
                  }
                  if ($Recieveasacls -ne $null) {
                      foreach ($ace in $Recieveasacls) {
                          if ($ace.IdentityReference.Value -ne "S-1-5-10" -and $ace.IdentityReference.Value -ne "S-1-5-18" -and $ace.IsInherited -ne $true) {
                              $sidbind = "LDAP://<SID=" + $ace.IdentityReference.Value + ">"
                              $AceName = $ace.IdentityReference.Value
                              $AceDisplayName = ""
                              $aceuser = [ADSI]$sidbind
                              if ($aceuser.name -ne $null) {
                                  $AceName = $aceuser.samaccountname.ToString()
                                  $AceDisplayName = $aceuser.DisplayName.ToString()
                              }
                              if ($AceName -ne $mbUser) {
                                  [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Recieve As", $ace.AccessControlType, $AceDisplayName)
                                  [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, "Mailbox Root", $AceName, "Recieve As", $ace.AccessControlType, $AceDisplayName)
                                  if ($rvSendRecieve.Containskey($AceName)) {
                                      $rvSendRecieve[$AceName] = [int]$rvSendRecieve[$AceName] + 1
                                  } else {
                                      $rvSendRecieve.add($AceName, 1)
                                  }
                              }
                          }
                      }
                  }

                  # ---- Folder level permissions via EWS ----
                  #write-host "Doing Mailbox Permissions with EWS"
                  $useImp = $false
                  $ewc = new-object EWSUtil.EWSConnection($mbMailboxEmail, $useImp, "", "", "", $casUrl)
                  # The commented-out variant built a 6 entry array (inbox, calendar, contacts, tasks, journal,
                  # msgfolderroot); this version walks everything below msgfolderroot instead.
                  $fldarry = new-object EWSUtil.EWS.BaseFolderIdType[] 1
                  $dTypeFld = new-object EWSUtil.EWS.DistinguishedFolderIdType
                  $dTypeFld.Id = [EWSUtil.EWS.DistinguishedFolderIdNameType]::msgfolderroot
                  $mbMailbox = new-object EWSUtil.EWS.EmailAddressType
                  $mbMailbox.EmailAddress = $mbMailboxEmail
                  $dTypeFld.Mailbox = $mbMailbox
                  $fldarry[0] = $dTypeFld
                  $FolderList = $ewc.GetAllMailboxFolders($fldarry)
                  $Folders = @()
                  if ($FolderList -ne $null -and $FolderList.Count -gt 0) {
                      $fldarry1 = new-object EWSUtil.EWS.BaseFolderIdType[] $FolderList.Count
                      for ($fcint = 0; $fcint -lt $FolderList.Count; $fcint++) {
                          $fldarry1[$fcint] = $FolderList[$fcint].FolderId
                      }
                      $Folders = $ewc.GetFolder($fldarry1)
                  } else {
                      # guard added: GetFolder with an empty array sends an empty <FolderIds> element,
                      # which EWS rejects with "The request failed schema validation"
                      write-host "No folders returned for" $mbMailboxEmail "- skipping folder permissions"
                  }
                  If ($Folders.Count -ne 0) {
                      ForEach ($Folder in $Folders) {
                          if ($Folder.GetType() -eq [EWSUtil.EWS.CalendarFolderType]) {
                              #write-host "Checking calendar permissions"
                              ForEach ($Permissions in $Folder.PermissionSet.CalendarPermissions) {
                                  if ($Permissions.UserId.DistinguishedUserSpecified -eq $false) {
                                      $sidbind = "LDAP://<SID=" + $Permissions.UserId.SID.ToString() + ">"
                                      $aceuser = [ADSI]$sidbind
                                      # 'distu All' is a site specific exclusion, left as posted
                                      if (!((($Folder.DisplayName -eq 'Calendar') -and ($aceuser.samaccountname -eq 'distu All')) -or ($aceuser.samaccountname -eq 'Default') -or ($aceuser.samaccountname -eq $mbUser))) {
                                          [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, $Folder.DisplayName, $aceuser.samaccountname.ToString(), $ewc.enumOutlookRole($Permissions), "Allow", $aceuser.displayname.ToString())
                                          [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, $Folder.DisplayName, $aceuser.samaccountname.ToString(), $ewc.enumOutlookRole($Permissions), "Allow", $aceuser.displayname.ToString())
                                          if ($rvFolderPerms.Containskey($aceuser.samaccountname.ToString())) {
                                              $rvFolderPerms[$aceuser.samaccountname.ToString()] = [int]$rvFolderPerms[$aceuser.samaccountname.ToString()] + 1
                                          } else {
                                              $rvFolderPerms.add($aceuser.samaccountname.ToString(), 1)
                                          }
                                      }
                                  }
                                  #else{
                                  #    if ($Permissions.UserId.DistinguishedUser -eq [EWSUtil.EWS.DistinguishedUserType]::Default){
                                  #        if ($Permissions.CalendarPermissionLevel -ne [EWSUtil.EWS.CalendarPermissionLevelType]::None){
                                  #            # Adding some logic here to try to filter out unwanted data
                                  #            if (!($ewc.enumOutlookRole($Permissions) -eq 'Default')) {
                                  #                [VOID]$rsTable3.rows.add($Folder.DisplayName,"Default",$ewc.enumOutlookRole($Permissions),"Allow")
                                  #            }
                                  #        }
                                  #    }
                                  #}
                              }
                          } else {
                              ForEach ($Permissions in $Folder.PermissionSet.Permissions) {
                                  #write-host "Checking folder permissions"
                                  #List any folders here you do not want to be listed on the CSV or Email
                                  #if ($Folder.DisplayName -ne "Top of Information Store"){
                                  if ($Permissions.UserId.DistinguishedUserSpecified -eq $false) {
                                      $sidbind = "LDAP://<SID=" + $Permissions.UserId.SID.ToString() + ">"
                                      $aceuser = [ADSI]$sidbind
                                      # 'nothim' / 'nother' are site specific exclusions, left as posted
                                      if (!(($aceuser.samaccountname -eq 'nothim') -or ($aceuser.samaccountname -eq 'nother') -or ($aceuser.samaccountname -eq $mbUser) -or ($Permissions.PermissionLevel -eq 'None'))) {
                                          [VOID]$rsTable.rows.add($mbUser, $mbMailboxEmail, $Folder.DisplayName, $aceuser.samaccountname.ToString(), $Permissions.PermissionLevel.ToString(), "Allow", $aceuser.displayname.ToString())
                                          [VOID]$rsTableCSV.rows.add($mbUser, $mbMailboxEmail, $Folder.DisplayName, $aceuser.samaccountname.ToString(), $Permissions.PermissionLevel.ToString(), "Allow", $aceuser.displayname.ToString())
                                          if ($rvFolderPerms.Containskey($aceuser.samaccountname.ToString())) {
                                              $rvFolderPerms[$aceuser.samaccountname.ToString()] = [int]$rvFolderPerms[$aceuser.samaccountname.ToString()] + 1
                                          } else {
                                              $rvFolderPerms.add($aceuser.samaccountname.ToString(), 1)
                                          }
                                      }
                                  }
                                  #}
                                  #else{
                                  #    if ($Permissions.UserId.DistinguishedUser -eq [EWSUtil.EWS.DistinguishedUserType]::Default){
                                  #        if ($Permissions.PermissionLevel -ne [EWSUtil.EWS.PermissionLevelType]::None){
                                  #            [VOID]$rsTable3.rows.add($Folder.DisplayName,"Default",$Permissions.PermissionLevel.ToString(),"Allow")
                                  #        }
                                  #    }
                                  #}
                              }
                          }
                      }
                  }
                  $i++
                  #write-host $i
                  #emailResults
                  $ec++
              }
          }
      }
      #######################################################################################
      ## END FUNCTION enumMailBoxPerms
      #######################################################################################

      $Dataset = New-Object System.Data.DataSet
      $rsTable = New-Object System.Data.DataTable
      $rsTable.TableName = "Mailbox Rights"
      [void]$rsTable.Columns.Add("MailboxUsername")
      [void]$rsTable.Columns.Add("MailboxEmail")
      [void]$rsTable.Columns.Add("FolderName")
      [void]$rsTable.Columns.Add("UserName")
      [void]$rsTable.Columns.Add("Rights")
      [void]$rsTable.Columns.Add("Status")
      [void]$rsTable.Columns.Add("DisplayName")
      [void]$Dataset.tables.add($rsTable)
      $rsTableCSV = New-Object System.Data.DataTable
      # renamed: a DataSet will not accept two tables with the same name
      $rsTableCSV.TableName = "Mailbox Rights CSV"
      [void]$rsTableCSV.Columns.Add("MailboxUsername")
      [void]$rsTableCSV.Columns.Add("MailboxEmail")
      [void]$rsTableCSV.Columns.Add("FolderName")
      [void]$rsTableCSV.Columns.Add("UserName")
      [void]$rsTableCSV.Columns.Add("Rights")
      [void]$rsTableCSV.Columns.Add("Status")
      [void]$rsTableCSV.Columns.Add("DisplayName")
      [void]$Dataset.tables.add($rsTableCSV)

      $process = read-host "Enter a users username [Enter] to report on all"
      $nmMailboxPerms = @{ }
      $nmSendRecieve = @{ }
      $fpFolderPerms = @{ }
      $duFolderPerms = @{ }
      $rvMailboxPerms = @{ }
      $rvSendRecieve = @{ }
      $rvFolderPerms = @{ }
      $nmDelegatePerms = @{ }
      $rvDelegatePerms = @{ }
      $nmDefualtPerms = @{ }
      enumMailboxperms $process
      if ($rsTableCSV.Rows.Count -gt 0) {
          $rsTableCSV | export-csv c:\rsTableCSV.csv -notypeinformation
      }
  9. I have the code for the permission audit nearly working. I am using PowerShell with ewsutil.dll. The code drags user objects from AD and then looks at their mailbox, recursive search through all folders, and outputs to a csv file anything non default, for example inbox read rights etc. However the code is failing on one chunk of code for some mailboxes and not others.

      $fldarry = new-object EWSUtil.EWS.BaseFolderIdType[] 1
      $dTypeFld = new-object EWSUtil.EWS.DistinguishedFolderIdType
      $dTypeFld.Id = [EWSUtil.EWS.DistinguishedFolderIdNameType]::msgfolderroot
      $mbMailbox = new-object EWSUtil.EWS.EmailAddressType
      $mbMailbox.EmailAddress = $mbMailboxEmail
      $dTypeFld.Mailbox = $mbMailbox
      $fldarry[0] = $dTypeFld
      $FolderList = $ewc.GetAllMailboxFolders($fldarry)
      $fldarry1 = new-object EWSUtil.EWS.BaseFolderIdType[] $FolderList.Count
      for ($fcint=0;$fcint -lt $FolderList.Count;$fcint++){
          $fldarry1[$fcint] = $FolderList[$fcint].FolderId
      }
      $Folders = $ewc.GetFolder($fldarry1)
      If ($Folders.Count -ne 0) {
          ForEach ($Folder in $Folders) {

      Above is the section of code that fails, on the line where $fldarry1 is created below the for, I get on some mailboxes the following error.

      Exception calling "GetFolder" with "1" argument(s): "The request failed schema validation: The element 'FolderIds' in namespace 'http://schemas.microsoft.com/exchange/services/2006/messages' has incomplete content. List of possible elements expected: 'FolderId, DistinguishedFolderId' in namespace 'http://schemas.microsoft.com/exchange/services/2006/types'."
      At #############:175 char:26
      + $Folders = $ewc.GetFolder <<<< ($fldarry1)
      + CategoryInfo : NotSpecified: ( [], MethodInvocationException
      + FullyQualifiedErrorId : DotNetMethodException

      Any help would be appreciated. Thanks.
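An added example (not the poster's code, not part of the thread) of how a practitioner would make the folder walk in that post survive the mailboxes it fails on. The schema error says the <FolderIds> element in the GetFolder request had no children, which is what happens when GetAllMailboxFolders returns nothing and GetFolder is then called with a zero-length array. The helper below refuses to call GetFolder on an empty list, catches any other per-mailbox EWS failure so one mailbox does not abort the whole audit, and records which mailboxes could not be read so they can be followed up. It assumes PowerShell 2.0 (for try/catch), that EWSUtil.dll is loaded, and that $ewc is an EWSUtil.EWSConnection exactly as in the posted script; the function name and $script:failedMailboxes are names chosen here.

```powershell
# Added example: guarded folder enumeration for the EWSUtil audit script.
# Assumes EWSUtil.dll is loaded and $ewc is an EWSUtil.EWSConnection (as in the posted script).
$script:failedMailboxes = @()   # name chosen for this example

function Get-MailboxFoldersSafe {
    param($ewc, $mbMailboxEmail)
    try {
        $fldarry = new-object EWSUtil.EWS.BaseFolderIdType[] 1
        $dTypeFld = new-object EWSUtil.EWS.DistinguishedFolderIdType
        $dTypeFld.Id = [EWSUtil.EWS.DistinguishedFolderIdNameType]::msgfolderroot
        $mbMailbox = new-object EWSUtil.EWS.EmailAddressType
        $mbMailbox.EmailAddress = $mbMailboxEmail
        $dTypeFld.Mailbox = $mbMailbox
        $fldarry[0] = $dTypeFld
        $FolderList = $ewc.GetAllMailboxFolders($fldarry)

        # Edge case from the thread: no folders came back. Calling GetFolder with an empty
        # array would send an empty <FolderIds> element and fail schema validation, so
        # record the mailbox and hand back an empty (not $null) array instead.
        if ($FolderList -eq $null -or $FolderList.Count -eq 0) {
            $script:failedMailboxes += New-Object PSObject -Property @{
                Mailbox = $mbMailboxEmail
                Reason  = "GetAllMailboxFolders returned no folders (check rights on the mailbox root)"
            }
            return ,@()
        }

        $fldarry1 = new-object EWSUtil.EWS.BaseFolderIdType[] $FolderList.Count
        for ($fcint = 0; $fcint -lt $FolderList.Count; $fcint++) {
            $fldarry1[$fcint] = $FolderList[$fcint].FolderId
        }
        return $ewc.GetFolder($fldarry1)
    } catch {
        # Any other EWS/.NET failure for this one mailbox: log it and move on
        $script:failedMailboxes += New-Object PSObject -Property @{
            Mailbox = $mbMailboxEmail
            Reason  = $_.Exception.Message
        }
        return ,@()
    }
}

# Usage inside the per-mailbox loop of the posted script, replacing the block that fails:
#   $Folders = Get-MailboxFoldersSafe $ewc $mbMailboxEmail
#   If ($Folders.Count -ne 0) { ForEach ($Folder in $Folders) { ... } }
# and once at the end of the run, so the unreadable mailboxes are part of the audit output:
#   $script:failedMailboxes | Export-Csv c:\failedMailboxes.csv -NoTypeInformation
```

Returning `,@()` rather than `$null` matters on PowerShell 2.0: `ForEach ($Folder in $null)` iterates once there, while an empty array gives `$Folders.Count -eq 0` and the existing check skips cleanly. The failed-mailbox CSV is the useful security artefact: a mailbox the audit account cannot enumerate is a gap in coverage, not a mailbox with no delegates.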
  10. Sorry, I didn't make it clear. I use wsname to set the computer name and then reboot. I don't reboot into WinPE at all. Add any config extras after the join domain step. Hope that helps.
  11. The way I do ours is as follows:
      - wsname (using csv file to check serial and assign machine name)
      - reboot (allow name change to take place)
      - Join Domain or Workgroup
      - any other software/steps here etc
      Is this what you are after?
  12. We had the same issue, after ringing Panasonic they said that they are working on a BIOS update. That was nearly a year ago... We gave up and went to USB boot, each deployment engineer had a USB thumb drive, worked out that it added about 5 mins or so to the process, not too bad. Just got to weigh up the time spent looking into a solution vs the time spent getting them out there... In the end we voted for getting them out and being used.
  13. Ok not sure if someone will beat me to it, hardlink is always a good option as it's quick as no data is copied, however if you have full device encryption like us you will have to first remove the encryption. And in our case then chain it to a desk in a locked room... You need to set up 3 TS variables with the following values:
      OSDStateStorePath - %_SMSTSUserStatePath%
      OSDMigrateAdditionalCaptureOptions - /hardlink /nocompress
      OSDMigrateAdditionalRestoreOptions - /Hardlink /nocompress
      After those 3 variables place a Capture User State step and select your USMT package (if you don't have one, use MDT to create one) and then select the radio button 'customize how user profiles are captured' and add the following files:
      migapp.xml
      migdocs.xml
      miguser.xml
      Now for capturing your MIF file, I have not tested this but it should work in theory, as always test before going live. Add an additional run command line step and enter
      copy "c:\windows\system32\ccm\inventory\a.mif" "%OSDStateStorePath%\a.mif" /v /y
      this should then copy the file to the same place as the hardlinked files. Now restart in PE, do the normal for applying the Windows 7 image but don't use the format and partition disk step as the disk has a partition; everything will be wiped apart from the hardlinked folder. At the end add a Restore User State step, again add the USMT package, restore all captured user profiles with standard options. And of course copy back your a.mif file to the directory of choice. That is how to do it with hardlinking. This information has been taken from the example file attached at the beginning of the post. We have 1 additional step, I have created a VB script that resets the machine account in AD before restarting in PE so that the same machine account can be used, to save having to re-add the machine to all the groups it once belonged to. I hope that helps you.
  14. I have been trying to find documentation on setting up a mobile device management client on the smartphone. We run the site in mixed mode and the smartphones will connect to the company's wireless access points, so not worried about native mode and setting up certificates. The test phone I have is a Toshiba TG01 and it is running 6.5 Professional (CE OS 5.2.21876). I have read many TechNet articles but can't seem to find instructions on how to configure the ini file for mixed mode and how to run the installer on the device. If anyone knows of sites or can give advice I would very much appreciate it. Thanks.
  15. I am migrating some machines to Windows 7 and I am currently using a task sequence variable with a query, the query checks the MSI (in this case Office 2007) and then sets a variable to Yes if it finds Office installed. After the OS has been applied I then perform a query on the software to see if the task sequence variable is set to Yes, if it is not set to Yes skip installing the software. My question is, is this the best way of building a list of installed software to re-install after the upgrade or is there a smarter way of doing this that I am missing?
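As an added example (not the poster's task sequence, not part of the thread) of the alternative the question is asking about: one script step, run in the full OS before the restart into WinPE, that reads the installed-application list from the Uninstall registry keys and sets one task sequence variable per product to Yes or No. The later install steps then get a single condition each ("Task Sequence Variable OSDReinstall... equals Yes") instead of a query per product. It assumes PowerShell is present on the old OS, that the step runs as a run command line calling powershell.exe, and that the variable names and display-name patterns in $apps are placeholders to adapt; Microsoft.SMS.TSEnvironment is the standard COM object the task sequence exposes.

```powershell
# Added example: build the re-install list in one step via the Uninstall registry keys.
# Assumptions: runs in the full OS inside a task sequence (Microsoft.SMS.TSEnvironment is
# available); $apps maps TS variable names (chosen here) to DisplayName patterns (adapt).
$apps = @{
    "OSDReinstallOffice2007" = "Microsoft Office*2007*"
    "OSDReinstallAcrobat"    = "Adobe Acrobat*"
}
# 64-bit hosts keep 32-bit products under Wow6432Node, so check both hives
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)

function Get-InstalledDisplayNames {
    $names = @()
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($sub in Get-ChildItem $k) {
            $dn = (Get-ItemProperty $sub.PSPath).DisplayName
            if ($dn) { $names += $dn }
        }
    }
    return $names
}

function Test-AppInstalled {
    param($installed, $pattern)
    return (@($installed | Where-Object { $_ -like $pattern }).Count -gt 0)
}

$installed = Get-InstalledDisplayNames
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
foreach ($var in $apps.Keys) {
    if (Test-AppInstalled $installed $apps[$var]) { $value = "Yes" } else { $value = "No" }
    $tsenv.Value($var) = $value      # visible to every later step in the sequence
    Write-Host "$var = $value"
}
```

Because every product is decided from the same snapshot, adding a product to the migration is a one-line change to $apps plus a conditioned install step, and the Write-Host lines land in smsts.log where you can see exactly what the machine reported before the wipe.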