Microsoft KB Archive/941018

= How to address daylight saving time by using the Exchange Calendar Update Tool =

Article ID: 941018

Article Last Modified on 10/26/2007


APPLIES TO


 * Microsoft Exchange Server 2007 Enterprise Edition
 * Microsoft Exchange Server 2007 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange 2000 Server Standard Edition




Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



INTRODUCTION
Daylight saving time is a system to set clocks ahead so that both sunrise and sunset occur at a later hour. The effect is more daylight in the evening. Many countries observe daylight saving time. Most of these countries have their own rules and regulations for when daylight saving time begins and ends.

The dates of daylight saving time (DST) may change from year to year. Microsoft Outlook users have to update their Outlook calendar every time that the DST rules change. The dates between the previous DST rules and the current DST rules are referred to in this article as the "extended DST period."

This article describes the actions that you can take to address calendar items in Outlook that occur during the extended DST period. This article also describes the actions that you should take to update calendar items that are stored in Microsoft Exchange Server according to the new DST rules. The solution that is presented in this article involves the Microsoft Exchange Calendar Update Tool (“the Exchange tool”).

For more information about how to prepare for changes in daylight saving time in 2007 (DST 2007) for all affected Microsoft products, visit the following Microsoft Web site:

http://support.microsoft.com/gp/cp_dst



About the Exchange tool
After you install the DST updates for Microsoft Windows, all old appointments that occur during the DST change periods will be incorrectly displayed as occurring one hour later. This is true for both recurring and single-instance appointments. You must update these appointments so that they will be displayed correctly in Outlook, in Microsoft Office Outlook Web Access, and in applications that are based on Collaboration Data Objects (CDO).

Outlook provides a tool that is named the Time Zone Data Update Tool for Microsoft Office Outlook ("the Outlook tool"). This tool enables users to update their own calendars.

For more information about the Time Zone Data Update Tool, click the following article number to view the article in the Microsoft Knowledge Base:

931667 How to address the daylight saving time changes in 2007 by using the Time Zone Data Update Tool for Microsoft Office Outlook

The Exchange Calendar Update Tool ("the Exchange tool") helps you avoid the difficulties that administrators face in deploying the Outlook tool widely to all users and in making sure that each user runs the Outlook tool correctly.

High-level description of the Exchange tool
The Exchange tool consists of two separate executable files. These files are described in the following table.

About the new version of the Exchange tool
Based on customer feedback, a new version of the Exchange tool was released on August 13, 2007. This article refers to the new version of the Exchange tool. If you are running an older version of the Exchange tool, uninstall it, and then install the new version.

The new version of the Exchange tool includes the following improvements:
 * The time zone extraction and calendar update processes are sped up fourfold.
 * The user interface for the configuration tool is more streamlined and intuitive.
 * The ability to update conference rooms and resource mailboxes is now built into the configuration tool.
 * The ability to update user mailboxes is now built into the configuration tool.
 * A troubleshooting document is now included with the Exchange tool, and it is integrated into the configuration tool.
 * The time zone extraction algorithm and error handling capabilities are improved.
 * The logging process is more user-friendly.

Risk of running the Exchange tool
When you run the Exchange tool, there is a risk that single-instance appointments may not be updated correctly. For example, single-instance appointments that a user created after the operating system was updated may be updated incorrectly.

To reduce this risk, use one of the following methods:
 * Reduce the interval between the time that you update client computers and the time that you update mailbox calendars.
 * If computers in the organization were updated a long time ago, use the Only Update Recurring Meetings setting in Advanced settings.

Typically, people do not create single-instance appointments many months in advance. Therefore, if the DST updates were installed many months before, most of the single-instance meetings that fall into the extended DST period will have been created by using the new DST transition rules. These meetings do not have to be updated.
 * If you know the exact date when all the client computers were updated, use the Operating System Patch Date setting in Advanced settings. If a date is specified, single-instance appointments that were created after that date are not updated by the Exchange tool.

Note If you run the Outlook tool or the Exchange tool on a client computer that is running Windows Vista, and you run the tool against mailboxes where the home time zone is New Zealand Standard Time, you must run the tool a second time on or after January 1, 2008. For more information, see the "Known issues" section.

Options to update mailboxes
The following table lists five options that you can use to update user mailboxes to use the DST 2007 time zone rules.

How to install the Exchange tool
The Exchange Calendar Update Tool is available for download in the form of a self-extracting executable file (Msextmz.exe). This tool is available for download from the Microsoft Download Center:

Download the Exchange Calendar Update Tool package now.

A virtual machine is created to help you install and use the Exchange tool. The virtual machine is based on Microsoft Windows Server 2003, Outlook 2007, Microsoft Office Excel 2007, and Microsoft Office Word 2007. The virtual machine works in both Microsoft Virtual PC 2004 and in Microsoft Virtual Server 2005 R2.

For more information about the virtual machine for the Exchange Calendar Update Tool, click the following article number to view the article in the Microsoft Knowledge Base:

933185 A virtual machine is available to help you deploy daylight saving time 2007 calendar updates in an Exchange organization

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Languages that are supported by the Exchange tool
The Exchange tool is available only in English. The tool will run only on an English (US) computer.

Versions of Exchange Server that are compatible with the Exchange tool
The Exchange tool can update mailboxes on the following versions of Exchange Server:
 * Microsoft Exchange Server 2007 Enterprise Edition
 * Microsoft Exchange Server 2007 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Server Enterprise Edition
 * Microsoft Exchange 2000 Server Standard Edition

Operating systems that are supported by the Exchange tool
The Exchange tool will run on the 32-bit versions of the following operating systems:
 * Microsoft Windows Server 2003
 * Microsoft Windows XP
 * Windows Vista

Install updates
Before you run the Exchange tool, make sure that client and server computers are updated correctly. To do this, install the Windows DST update on clients and on servers. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

933360 August 2007 cumulative time zone update for Microsoft Windows operating systems

If you are running Microsoft Exchange Server 2003 Service Pack 2 (SP2), install one or both of the following updates, as appropriate for your organization:
 * Update 911829
 * Update 924334

For more information about these updates, click the following article numbers to view the articles in the Microsoft Knowledge Base:

911829 You receive an error message when you try to perform any editing tasks, or you must click to enable the compose frame in Outlook Web Access

924334 The Compose Message form stops responding after you install Internet Explorer 7.0 and the S/MIME control on an Outlook Web Access client in Exchange Server 2003

If users are within the Jerusalem, Central Brazilian, or E. South American time zone, please read the guidance in the following Microsoft Knowledge Base article:

943390 Some Outlook calendar items are rebased incorrectly when you use the Outlook Time Zone Data Update Tool to adjust for daylight saving time changes in certain time zones

Verify the system requirements
You must run the Exchange tool only on a computer for which the following conditions are true:
 * The computer has Microsoft Office Outlook 2003 Service Pack 2 (SP2) or Microsoft Office Outlook 2007 installed.
 * The computer has the Outlook Time Zone Data Tool installed.
 * Microsoft .NET Framework version 2.0 is installed on the client computer.

You cannot run the Exchange tool on a computer that is running Exchange Server or the Exchange System Management tools. If you try to install the Exchange tool on a computer that is running Exchange Server or the Exchange System Management tools, you receive the following error message:

Microsoft Exchange Calendar Update Tool cannot be installed with Microsoft Exchange.

Verify permissions and other user requirements
Verify that the following conditions are true:
 * Administer Information Store permissions on each Exchange Server message database (MDB) are updated.
 * Send As permissions for all mailboxes are updated.
 * Full Mailbox Access permissions for all mailboxes are updated.
 * Local administrator permissions are granted on the computer that is running the Exchange tool.

About the "Grant Mailbox Permission" script
You can use the sample GrantMailboxPermission.vbs script to grant a domain user Full Mailbox Access and Send As permissions to all mailboxes.

This script can be run only by an Exchange Server administrator on a computer that is running Exchange 2000 Server or Exchange Server 2003. This script cannot be run on a computer that is running Exchange Server 2007. However, you can use the Exchange Management Shell to grant the required permissions.

The code for the .vbs script is provided in the "References" section. The following table describes the two modes in which this script runs.

Notes
 * When you run this script on the computer that is running Exchange Server, the script returns a period character (.) when the script successfully processes a user. The script returns an exclamation point character (!) when the script does not successfully process a user.
 * The output file of the Time Zone Extraction mode cannot be used as an input file for this script. To create the input file for this script, paste the contents of the Time Zone Extraction mode output file into Notepad, save the contents as a new document, and then use the new document as the input file.
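
A check to run on the script's log once the calendar update is finished, added here as an example and not part of the original article or of Microsoft's script: it parses the tab-delimited file that the -REMOVE mode in the script listing reads (granted account on the first line, then LDAP path, Full Mailbox Access flag and Send As flag per row) and separates the grants a removal pass will undo from the rights it will leave in place. The account name, the LDAP paths and the function names are constructed for illustration, and treating the Send As column the same way as the Full Mailbox Access column is an assumption.

```python
from dataclasses import dataclass

DELIMITER = "\t"  # the script sets OUTPUT_DELIMITER = vbTab


@dataclass(frozen=True)
class GrantRow:
    ldap_path: str       # column 1: LDAP path of the mailbox user
    added_fma: bool      # column 2: Full Mailbox Access was added by the run
    added_send_as: bool  # column 3: Send As was added by the run


def _flag(text):
    # The -REMOVE branch in the listing compares the column with the literal "True".
    if text == "True":
        return True
    if text == "False":
        return False
    raise ValueError("not a True/False flag: %r" % text)


def parse_grant_log(text):
    """Return (granted_user, rows, rejected) for a -REMOVE style input file."""
    lines = text.splitlines()
    if not lines or not lines[0].strip() or DELIMITER in lines[0]:
        raise ValueError("first line must name the granted account")
    granted_user = lines[0].strip()
    rows, rejected = [], []
    for number, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        columns = [c.strip() for c in line.split(DELIMITER)]
        try:
            if len(columns) != 3 or not columns[0]:
                raise ValueError("expected path, FMA flag, Send As flag")
            rows.append(GrantRow(columns[0], _flag(columns[1]), _flag(columns[2])))
        except ValueError as exc:
            # Keep going: one damaged row must not hide the remaining grants.
            rejected.append((number, str(exc)))
    return granted_user, rows, rejected


def review(rows):
    """Split rows into what a removal pass undoes and what it leaves behind."""
    report = {"revoke_fma": [], "revoke_send_as": [], "left_in_place": []}
    for row in rows:
        if row.added_fma:
            report["revoke_fma"].append(row.ldap_path)
        if row.added_send_as:
            report["revoke_send_as"].append(row.ldap_path)
        if not (row.added_fma and row.added_send_as):
            # A row is only logged when the adds succeeded, so a False flag
            # means the account already held that right before the run.
            # A removal pass driven by this file does not touch it.
            report["left_in_place"].append(row.ldap_path)
    return report


# Constructed sample; the last row is deliberately short one column.
SAMPLE_LOG = (
    "CONTOSO\\dstupdate\n"
    "LDAP://CN=Alice Example,CN=Users,DC=contoso,DC=example\tTrue\tTrue\n"
    "LDAP://CN=Bob Example,CN=Users,DC=contoso,DC=example\tFalse\tTrue\n"
    "LDAP://CN=Room 1,CN=Users,DC=contoso,DC=example\tTrue\n"
)

if __name__ == "__main__":
    user, rows, rejected = parse_grant_log(SAMPLE_LOG)
    report = review(rows)
    print("Granted account:", user)
    for key, paths in report.items():
        print(key, len(paths))
        for path in paths:
            print("   ", path)
    for number, reason in rejected:
        print("line %d rejected: %s" % (number, reason))
```

Mailboxes on which the account already held both rights never appear in the log, so they have to be reviewed separately.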

How to use the Exchange tool
To use the Exchange tool, start the Exchange Calendar Update Configuration Tool (Msextmzcfg.exe). This program will help you with the whole process of updating calendars.

Run the time zone extraction process
To update mailbox calendars, you must determine the time zone of the calendars. The time zone extraction process examines the properties and the appointments of the mailbox calendars to determine their time zones. To run the time zone extraction process, follow these steps:
 * 1) At the welcome page, click Next.

Note The welcome page introduces you to the configuration tool and discusses the permissions that are required to run the tool. The page also provides a link to this article.
 * 2) Specify the settings for the configuration tool. We recommend that you allocate at least 200 megabytes (MB) of disk space to logging.

If you want to change the default settings, click Advanced Settings. For more information about the advanced settings, see the table that follows this procedure.
 * 3) Select the Exchange servers in the local Active Directory directory service forest that you want to update. Then, click Next to start the time zone extraction process.

Note If you have already performed time zone extraction, you can skip this step by clicking Skip.

Notice that a status bar, a link to the output log, and a real-time display of the time zone extraction process are displayed. After the time zone extraction process is complete, click Next.

If errors were encountered, a link to the troubleshooting document is displayed.
 * 4) Configure the Mailboxes with No Time Zones page, and then click Next to scan calendar items.

Note If the tool finds users who do not have mailbox level properties that indicate their time zone, the tool scans actual meetings and appointments inside those calendars to determine the time zone. You can specify the number of calendar items through which you want the configuration tool to scan. The larger the number of items that you specify, the longer the scan will take.
 * 5) In the Resolve unknown time zone display names page, the tool prompts you to map time zones that the tool does not recognize to a known operating system time zone. After you do this, click Next.
 * 6) If the configuration tool finds users who have multiple time zones, you are prompted to manually resolve the conflict by specifying one time zone with which to update the user’s calendar. After you do this, click Next.
 * 7) In the Save Mailbox DNs with Unresolved Time Zones page, any remaining users who still have no time zone information or who still have conflicting time zone information are recorded in a separate log file. Click Next.

The time zone extraction process is now complete. The list of users and of extracted time zones is located in the output file (Output.txt) in the installation directory.

Advanced settings

The following table describes the advanced settings that you can configure in step 2 of the previous procedure.

Update conference rooms and resource mailboxes
You must update conference rooms and resource mailboxes to avoid booking conflicts. To do this, follow these steps:
 * 1) On the Specify Resource and Conference Room Calendars page, type or paste the list of aliases of conference rooms in your organization. Click Resolve to validate the aliases, and then click Next.
 * 2) On the Resolve Time Zones for Resource and Conference Room Calendars page, the tool prompts you to manually specify the time zone for a conference room if the conference room does not have a time zone. Do this, and then click Next.
 * 3) A reminder page is displayed to remind you that the tool is about to update calendars. Click Next.
 * 4) Notice that a status bar, a link to the output log, and a real-time display of the output of the tool are displayed. Click Next.

If errors are encountered, a link to the troubleshooting document is displayed at the bottom of this page.

Update the user mailbox calendar
To do this, follow these steps:
 * 1) On the Settings for Updating User Mailbox Calendars page, configure the settings for the update.

If you have not specified the SuppressExchange or SuppressAll advanced settings, select the time zones that are affected by DST. Otherwise, select all time zones.

Click Next.
 * 2) A reminder page is displayed to remind you that the tool is about to update calendars. Click Next.
 * 3) Notice that a status bar, a link to the output log, and a real-time display of the output of the tool are displayed. After the update is complete, click Next.

If errors are encountered, a link to the troubleshooting document is displayed at the bottom of this page.
 * 4) Click Finish.

Log files
The Exchange tool creates the following log files in the installation directory:
 * Output.txt

This file contains a list of all user mailboxes that were extracted together with their time zone information.
 * TimeZoneExtraction.log

This log contains the combined output of the time zone extraction process for all servers.
 * ResourceUpdate.log

This log contains the output of the update process for the conference rooms and for the resource mailboxes.
 * UserUpdate.log

This log contains the combined output of the user mailbox update process for all servers.
 * CalendarScan.log

This log contains the combined output of the calendar scan process for all servers.
 * ConflictUsers.txt

This log contains a list of users who have conflicting time zones. For example, the users' mailbox properties indicate that they belong to multiple time zones.
 * NonExistent.txt

This log contains a list of users who have no time zone information.

Subdirectories
The Exchange tool creates the following subdirectories in the installation directory:
 * Resource

This is the working subdirectory for the update process for the conference rooms and for the resource mailboxes. This directory contains the following files:
   * Msextmz.log

This is the output file of the Exchange tool for the update process.
   * Errors.txt

This file contains the list of mailboxes.
   * Processed.txt

This file contains the list of mailboxes that were successfully updated.

Note All working subdirectories contain these files.

The Resource subdirectory also contains the following subdirectory:
   * LogFiles

This subdirectory contains update logs for each mailbox that was successfully updated. Each update log should contain a list of meetings that were updated.

There is one subdirectory for each server on which the time zone extraction process or a calendar update was performed. These subdirectories contain the following subdirectories:
 * CalendarScan

This is the working subdirectory for the calendar scan process.
 * Extract

This is the working subdirectory for the time zone extraction process.
 * Update

This is the working subdirectory for the user mailbox update process. It contains the following subdirectory:
   * LogFiles

This subdirectory contains update logs for each mailbox that was successfully updated. Each update log should contain a list of meetings that were updated.

What to do after you run the Exchange tool
After you finish running the Exchange tool against all Exchange servers in your environment, apply the appropriate Exchange Server DST updates. The following list is organized by Exchange Server version and service pack level. Install the updates for your version of Exchange Server in order.

Exchange 2007

940006 Description of Update Rollup 4 for Exchange 2007

Update rollup 940006 includes the following DST fixes:
 * 937656 You experience problems in Outlook Web Access for Exchange 2007 after daylight saving time (DST) starts in New Zealand in 2007
 * 932561 Appointments that are sent from one Exchange organization to another by using Exchange 2007 may be incorrect by one hour if one organization is in the Western Australia time zone

Exchange 2003 SP2

926666 Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2

931915 Update for daylight saving time changes in Newfoundland in 2007 for Exchange Server 2003 Service Pack 2

929895 Appointments that are sent between different Exchange Server organizations may be incorrect by one hour when one of the organizations is in the Western Australia time zone

937653 You experience one or more issues in Exchange Server 2003 after the daylight saving time period for New Zealand changes in 2007

Exchange 2003 SP1

940123 You experience problems in Exchange 2003 Service Pack 1 after daylight saving time (DST) starts in New Zealand in 2007

Known issues
 * Recurring meetings that are created in Outlook Web Access are not updated by the Exchange tool

If you install the Exchange Server updates on the Exchange server before you update the mailboxes, recurring meetings that are created in Outlook Web Access are not updated by the Exchange tool.

To resolve this problem, remove the Exchange Server updates, run the Exchange tool, and then reinstall the Exchange Server updates on the Exchange server.
 * Exchange 2007 must be restarted after you run the Exchange tool

To correctly display calendar items, you must restart the Exchange services after you run the Exchange tool for Outlook Web Access in Exchange 2007.
 * You cannot install the Exchange tool

The Exchange tool is not installed successfully if either of the following registry keys exists:
   * HKEY_CLASSES_ROOT\Outlook.Application.9
   * HKEY_CLASSES_ROOT\Outlook.Application.10

In this scenario, you receive the following error message when you try to install the Exchange tool:

Exchange Server Calendar Rebasing Tool cannot be installed with this version of Microsoft Outlook.

To work around this issue, delete these registry keys, install the Exchange tool, and then restore the registry keys.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
 * There is a limit on the number of mailboxes that can be processed per server

In User List mode and in Time Zone Extraction mode, Msextmz.exe can process only 65,535 mailboxes on a server. If the server has more than 65,535 mailboxes, some mailboxes are not processed.
 * Public Folder calendars are not updated

The Exchange tool does not update Public Folder calendars. For information about how to update a Public Folder calendar, see the documentation for the Outlook tool.
 * You can run the Outlook tool and the Exchange tool in the same environment

If you run the Exchange tool on a mailbox that has already been updated by the Outlook tool, or vice versa, you experience no side effects. However, if you run the Exchange tool, there is no need for users to run the Outlook tool separately.
 * Non-meeting reminders appear later than expected

Non-meeting reminders for mailboxes that are updated by the Exchange tool are not updated if Outlook has never connected to the mailbox in Online mode. In this situation, reminders appear one hour later than expected.

If Outlook has never connected in Online mode, you must adjust the incorrect reminders for calendar appointments that the Outlook tool finds. Additionally, the reminders search folder does not exist in the mailbox. Therefore, the tool does not update e-mail items, contacts, or other reminders.

For example, the tool does not update the reminder on an e-mail item to follow up at a time in the future. The tool also does not update the reminder on a task item that has a reminder.
 * You receive an error message: “Unable to install because previous versions of 'Microsoft Exchange Calendar Update Tool' were detected. Please uninstall them and run this setup again”

If you previously installed Exchange Calendar Update Tool version 1.0, you must uninstall this version before you install Exchange Calendar Update Tool version 2.0.

Exchange Calendar Update Tool version 1.0 was distributed as a self-extracting executable file that contained two .msi packages (Msextmz.msi and Msextmzcfg.msi). You must uninstall both packages before you install version 2.0 of the Exchange tool.

If you still experience problems when you install version 2.0 of the Exchange tool, try reinstalling and then uninstalling version 1.0 of the Exchange tool. Do this by using the .msi packages instead of by using the Add or Remove Programs feature in Control Panel. Then, restart your computer, and then install version 2.0 of the Exchange tool.

If this procedure does not work, extract the binaries directly from the .msi packages.
 * When you run the Outlook or Exchange update tools, appointments are off by one hour on mailboxes where the home time zone is New Zealand Standard Time

This behavior occurs when the following scenarios are true:
   * You run the Outlook or Exchange update tools on a computer that is running Windows Vista.
   * The home time zone of the mailboxes that are being updated is New Zealand Standard Time.

To work around this issue, you must run the Outlook or Exchange update tools against the mailboxes a second time on or after January 1, 2008.

This behavior occurs because Windows Vista handles time zone information differently than other versions of Windows. If you do not run the Outlook or Exchange update tools again on or after January 1, 2008, all appointments in the second DST event will be off by one hour. The second DST event includes dates from March 16, 2008 through April 6, 2008. If you do not want to wait until January 1, 2008 to update appointments in the second DST event, you can run the Outlook or Exchange update tools from a computer that is running Windows XP or Windows Server 2003.

<div class="references_section">

The "Grant Mailbox Permission" script
Option Explicit

' For FileSystemObject
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Const TristateTrue = -1
Const TristateUseDefault = -2
Const TristateFalse = 0

'Permission Type: Allow or Deny
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6

Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1f
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
Const ADS_ACEFLAG_FAILED_ACCESS = &H80

'Declare ADSI constants
Const ADS_SCOPE_SUBTREE = 2
Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_OPTION_REFERRALS = 1
Const ADS_SECURITY_INFO_DACL = 4
Const ADS_CHASE_REFERRALS_NEVER = &h00
Const ADS_CHASE_REFERRALS_SUBORDINATE = &h20
Const ADS_CHASE_REFERRALS_EXTERNAL = &h40

'Microsoft Exchange Server
Const EX_MB_SEND_AS_ACCESSMASK = &H00100
Const EX_FULLMAILBOX_ACCESSMASK = 1
Const EX_MB_SEND_AS_GUID = "{AB721A54-1E2F-11D0-9819-00AA0040529B}"

'Application Parameter Index
Const ARG_INDEX_MODE = 0
Const ARG_INDEX_USERNAME = 1
Const ARG_INDEX_FILENAME = 2
Const MIN_ARG = 1

Const MODE_INVALID = -1
Const MODE_ADD = 0
Const MODE_REMOVE = 1

Const ADD = "-ADD"
Const REMOVE = "-REMOVE"

'Application Const String
Const EMPTYSTRING = ""
Const ERROR_FILENAME = "GrantMailboxPermission.err"
Const OUTPUT_FILENAME = "GrantMailboxPermission.log"
Dim OUTPUT_DELIMITER
OUTPUT_DELIMITER = vbTab

'Logging file
Dim objFSO
Dim objfileError
Dim objfileOutput
Dim objfileImport
Dim objconn
Dim objCommand
Dim rootDSE
Dim sDomainContainer
Dim sUserLDAPPath
Dim objUser
Dim objSDNTsecurity
Dim objDACLNT
Dim objDACLEX
Dim objSDMailbox
Dim fFMA
Dim fSendAs
Dim AccessTypeForFMA
Dim AccessTypeForSendAS
Dim fAddedFMA
Dim fAddedSendAs
Dim fRemovedFMA
Dim fRemovedSendAs
Dim sArraySplit
Dim sOneRow
Dim sGrantedUser
Dim dArgCount
Dim cScriptMode
Dim dArgExpected
Dim fOneError

On Error Resume Next

'Parameter Verification
dArgCount = Wscript.Arguments.Count
If (dArgCount < MIN_ARG) Then
    DisplaySyntax
End If

cScriptMode = MODE_INVALID
Select Case UCase(WScript.Arguments(ARG_INDEX_MODE))
    Case ADD
        cScriptMode = MODE_ADD
        dArgExpected = ARG_INDEX_FILENAME + 1
    Case REMOVE
        cScriptMode = MODE_REMOVE
        dArgExpected = ARG_INDEX_MODE + 1
    Case Else
        cScriptMode = MODE_INVALID
End Select

If (cScriptMode = MODE_INVALID Or dArgCount <> dArgExpected) Then
    DisplaySyntax
End If

If (cScriptMode = MODE_ADD) Then
    sGrantedUser = WScript.Arguments(ARG_INDEX_USERNAME)
    If (IsValidUserName(sGrantedUser) = False) Then
        DisplaySyntax
    End If
End If

CreateImportExportFiles

If (cScriptMode = MODE_ADD) Then
    err.Clear
    'Prepare LDAP connection.
    Set objconn = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objconn.Provider = "ADSDSOObject"
    objconn.Open "ADs Provider"
    If (err.number <> 0) Then
        WScript.StdOut.WriteLine("Failed to bind to Active Directory server, error:" & err.Description)
        objfileError.WriteLine("Failed to bind to Active Directory server, error:" & err.Description)
        WScript.Quit
    End If
    Set rootDSE = GetObject("LDAP://rootDSE")
    sDomainContainer = rootDSE.Get("defaultNamingContext")
    If (err.number <> 0) Then
        WScript.StdOut.WriteLine("Failed to find a Domain Container:" & err.Description)
        objfileError.WriteLine("Failed to find a Domain Container:" & err.Description)
        WScript.Quit
    End If
    Set objCommand.ActiveConnection = objconn

    Do While objfileImport.AtEndOfStream <> True
        fOneError = False
        sUserLDAPPath = EMPTYSTRING
        err.Clear

        sOneRow = Trim(objfileImport.ReadLine)
        If sOneRow <> EMPTYSTRING Then
            sUserLDAPPath = GetLDAPPathFromLegacyDN(sOneRow)
            If (err.number <> 0) Then
                objfileError.WriteLine("Failed to get user's LDAP path from " & sOneRow)
                fOneError = True
                err.Clear
            End If

            If (fOneError = False) Then
                Set objUser = GetObject(sUserLDAPPath)
                If (err.number <> 0) Then
                    objfileError.WriteLine("Failed to get user object from " & sUserLDAPPath)
                    objfileError.WriteLine("Error: " & err.Description)
                    fOneError = True
                    err.Clear
                End If
            End If
            If (fOneError = False) Then
                Set objSDMailBox = objUser.MailboxRights
                Set objDACLEX = objSDMailbox.DiscretionaryAcl
                Set objSDNTsecurity = objUser.ntSecurityDescriptor
                Set objDACLNT = objSDNTsecurity.DiscretionaryAcl
                If (err.number <> 0) Then
                    objfileError.WriteLine("Failed to get DACL of " & sUserLDAPPath)
                    objfileError.WriteLine("Error: " & err.Description)
                    fOneError = True
                    err.Clear
                End If
            End If

            ' Verify Full Mailbox Access and Send As permissions.
            fFMA = False
            fSendAs = False
            AccessTypeForFMA = ADS_ACETYPE_ACCESS_ALLOWED
            AccessTypeForSendAS = ADS_ACETYPE_ACCESS_ALLOWED

            If (fOneError = False) Then
                CheckFullMailboxAccess objDACLEX, sGrantedUser, fFMA, AccessTypeForFMA
                CheckSendAs objDACLNT, sGrantedUser, fSendAs, AccessTypeForSendAS
                If (err.number <> 0) Then
                    objfileError.WriteLine("Failed to Check permission of " & sUserLDAPPath)
                    objfileError.WriteLine("Error: " & err.Description)
                    fOneError = True
                    err.Clear
                End If
            End If

            'If Send As or Full Mailbox Access permissions do not exist, add these permissions.
            If ( (AccessTypeForFMA = ADS_ACETYPE_ACCESS_DENIED) Or (AccessTypeForSendAs = ADS_ACETYPE_ACCESS_DENIED_OBJECT) ) Then
                'If Deny access is already granted, do not add permissions for this user.
                objfileError.WriteLine("Deny permission already added: " & sUserLDAPPath)
                fOneError = True
            End If
            If ( fOneError = False And ((fFMA = False) Or (fSendAs = False)) ) Then
                fAddedFMA = False
                fAddedSendAs = False
                If (fFMA = False) Then
                    'Add Full Mailbox Access permissions.
                    err.Clear
                    AddAce objDACLEX, sGrantedUser, EX_FULLMAILBOX_ACCESSMASK, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0,0,0
                    objSDMailbox.DiscretionaryAcl = objDACLEX
                    objUser.MailboxRights = Array(objSDMailbox)
                    If ( err.number <> 0 ) Then
                        objfileError.WriteLine("Failed to add FullMailbox Access: " & sUserLDAPPath)
                        objfileError.WriteLine("Error: " & err.Description)
                        fOneError = True
                        fAddedFMA = False
                        err.Clear
                    Else
                        fAddedFMA = True
                    End If
                End If
                If (fSendAs = False) Then
                    'Add Send As permissions.
                    err.Clear
                    AddAce objDACLNT, sGrantedUser, EX_MB_SEND_AS_ACCESSMASK, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, 0,1, EX_MB_SEND_AS_GUID, 0
                    objSDNTsecurity.DiscretionaryAcl = objDACLNT
                    objUser.Put "ntSecurityDescriptor", Array( objSDNTsecurity )
                    objUser.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
                    If ( err.number <> 0 ) Then
                        objfileError.WriteLine("Failed to add SendAs permission: " & sUserLDAPPath)
                        objfileError.WriteLine("Error: " & err.Description)
                        fOneError = True
                        fAddedSendAs = False
                        err.Clear
                    Else
                        fAddedSendAs = True
                    End If
                End If

                If (fOneError = False ) Then
                    objUser.SetInfo
                    If (err.number <> 0) Then
                        objfileError.WriteLine("Failed to update user: " & sUserLDAPPath)
                        objfileError.WriteLine("Error: " & err.Description)
                        fOneError = True
                        err.Clear
                    Else
                        'Update logging.
                        objfileOutput.WriteLine(sUserLDAPPath & OUTPUT_DELIMITER & fAddedFMA & OUTPUT_DELIMITER & fAddedSendAs)
                    End If
                End If
            End If

            Set objUser = Nothing
            Set objSDNTsecurity = Nothing
            Set objDACLNT = Nothing
            Set objDACLEX = Nothing
            Set objSDMailBox = Nothing

            If (fOneError = True) Then
                WScript.StdOut.Write("!")
            Else
                WScript.StdOut.Write(".")
            End If
        End If
    Loop

    Set rootDSE = Nothing
    Set objCommand = Nothing
    Set objconn = Nothing

End If

If (cScriptMode = MODE_REMOVE) Then
    'Retrieve the granted user from the first line of the import file.
    sGrantedUser = objfileImport.ReadLine
    If (IsValidUserName(sGrantedUser) = False) Then
        WScript.StdOut.WriteLine("Invalid User in import file. please check import file..")
        objfileError.WriteLine("Invalid User in import file. please check import file..")
        WScript.Quit
    End If
    Do While objfileImport.AtEndOfStream <> True
        fOneError = False
        sUserLDAPPath = EMPTYSTRING
        fAddedFMA = False
        fAddedSendAs = False
        fRemovedFMA = False
        fRemovedSendAs = False
        err.Clear

        sOneRow = objfileImport.ReadLine
        sArraySplit = Split(sOneRow, OUTPUT_DELIMITER)

        'The first column is the LDAP path.
        sUserLDAPPath = sArraySplit(0)
        'The second column is Full Mailbox Access permissions.
        fAddedFMA = sArraySplit(1)
        'The third column is Send As permissions.
        fAddedSendAs = sArraySplit(2)

        Set objUser = GetObject(sUserLDAPPath)
        If (err.number <> 0) Then
            objfileError.WriteLine("Failed to get user object from " & sUserLDAPPath)
            objfileError.WriteLine("Error: " & err.Description)
            fOneError = True
            err.Clear
        End If
        If ((fOneError = False) And (fAddedFMA = "True")) Then
            Set objSDMailBox = objUser.MailboxRights
            Set objDACLEX = objSDMailbox.DiscretionaryAcl
            fRemovedFMA = RemoveFullMailboxAccess(objDACLEX, sGrantedUser)
            If (err.number <> 0) Then
                objfileError.WriteLine("Failed to Remove Full MailboxAccess from " & sUserLDAPPath)
                objfileError.WriteLine("Error: " & err.Description)
                fOneError = True
                err.Clear
            End If
            If (fRemovedFMA = False) Then
                objfileError.WriteLine("Couldn't find Full mailbox access permission on " & sUserLDAPPath)
            End If
            If ((fOneError = False) And (fRemovedFMA = True)) Then
                objSDMailbox.DiscretionaryAcl = objDACLEX
                objUser.MailboxRights = Array(objSDMailbox)
            End If
        End If

        If ((fOneError = False) And (fAddedSendAs = "True")) Then
            Set objSDNTsecurity = objUser.ntSecurityDescriptor
            Set objDACLNT = objSDNTsecurity.DiscretionaryAcl

            fRemovedSendAs = RemoveSendAs(objDACLNT, sGrantedUser)
            If (err.number <> 0) Then
                objfileError.WriteLine("Failed to Remove SendAs from " & sUserLDAPPath)
                objfileError.WriteLine("Error: " & err.Description)
                fOneError = True
                err.Clear
            End If

            If (fRemovedSendAs = False) Then
                objfileError.WriteLine("Couldn't find SendAs permission on " & sUserLDAPPath)
            End If
            If ((fOneError = False) And (fRemovedSendAs = True)) Then
                objSDNTsecurity.DiscretionaryAcl = objDACLNT
                objUser.Put "ntSecurityDescriptor", Array( objSDNTsecurity )
                objUser.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
            End If
        End If

        If ((fOneError = False) And (fRemovedFMA Or fRemovedSendAs)) Then
            objUser.SetInfo
            If (err.number <> 0) Then
                objfileError.WriteLine("Failed to update ADSI for user: " & sUserLDAPPath)
                objfileError.WriteLine("Error: " & err.Description)
                fOneError = True
                err.Clear
            Else
                If ( fRemovedFMA Or fRemovedSendAs ) Then
                    'Update logging.
                    objfileError.WriteLine("Removed Permission from " & sUserLDAPPath & OUTPUT_DELIMITER & fRemovedFMA & OUTPUT_DELIMITER & fRemovedSendAs)
                End If
            End If
        End If

        If (fOneError = True) Then
            WScript.StdOut.Write("!")
        Else
            WScript.StdOut.Write(".")
        End If
    Loop
End If

CloseImportexportFiles

Function IsValidUserName (sUserName)
    Dim dPosition
    dPosition = InStr(1, sUserName, "\")
    If (dPosition = 0 ) Then
        IsValidUserName = False
        objfileError.WriteLine("Invalid User:" & sUserName)
    Else
        IsValidUserName = True
    End If
End Function

Function CheckSendAs (objNTSD, sUser, fSendAs, AccessType)
    Dim intACECount
    Dim objACE
    err.Clear
    fSendAs = False
    AccessType = ADS_ACETYPE_ACCESS_ALLOWED
    intACECount = objNTSD.AceCount

    If intACECount Then
        For Each objACE In objNTSD
            err.Clear
            If ( (UCase(objACE.Trustee) = UCase(sUser)) And (objACE.ObjectType = EX_MB_SEND_AS_GUID) ) Then
                fSendAs = True
                AccessType = objACE.AceType
            End If
        Next
    End If

    If (err.number <> 0) Then
        objfileError.WriteLine("Check SendAs permissions Failed : " & sUser)
        objfileError.WriteLine("Error: " & err.Description)
        err.Clear
        fOneError = True
    End If
    Set objACE = Nothing
End Function

Function CheckFullMailboxAccess (objACL, sUser, fFoundFMA, AccessType)
    Dim intACECount
    Dim objACE

    err.Clear
    fFoundFMA = False
    AccessType = ADS_ACETYPE_ACCESS_ALLOWED
    intACECount = objACL.AceCount
    If intACECount Then
        For Each objACE In objACL
            If ( (UCase(objACE.Trustee) = UCase(sUser)) And ((objACE.AccessMask And EX_FULLMAILBOX_ACCESSMASK) <> 0)) Then
                fFoundFMA = True
                AccessType = objACE.AceType
            End If
        Next
    End If

    If (err.number <> 0) Then
        objfileError.WriteLine("Check FullMailbox permissions Failed : " & sUser)
        objfileError.WriteLine("Error: " & err.Description)
        err.Clear
        fOneError = True
    End If
    Set ObjACE = Nothing
End Function

Function RemoveSendAs (objNTSD, sUser)
    Dim intACECount
    Dim objACE
    Dim fFound
    fFound = False
    intACECount = objNTSD.AceCount
    If intACECount Then
        For Each objACE In objNTSD
            If ((UCase(objACE.Trustee) = UCase(sUser)) And (objACE.ObjectType = EX_MB_SEND_AS_GUID) ) Then
                objNTSD.RemoveAce objACE
                fFound = True
            End If
        Next
    End If

    RemoveSendAs = fFound
End Function

Function RemoveFullMailboxAccess (objACL, sUser)
    Dim intACECount
    Dim objACE
    Dim fFound
    fFound = False
    intACECount = objACL.AceCount
    If intACECount Then
        For Each objACE In objACL
            If((0 <> Instr(UCase(objACE.Trustee), UCase(sUser))) And (objACE.AccessMask And EX_FULLMAILBOX_ACCESSMASK) <> 0) Then
                objACE.AccessMask = (objACE.AccessMask Xor EX_FULLMAILBOX_ACCESSMASK)
                fFound = True
            End If
        Next
    End If

    RemoveFullMailboxAccess = fFound
End Function

Function GetLDAPPathFromLegacyDN (sLegacyDN)
    Dim rsUsers
    Dim sLdapPath
    objCommand.CommandText = "<GC://" & sDomainContainer & ">;(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(legacyExchangeDN=" & sLegacyDN & ")) ))));adspath;subtree"
    objCommand.Properties("searchscope") = ADS_SCOPE_SUBTREE
    objCommand.Properties("Page Size") = 10
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Chase referrals") = (ADS_CHASE_REFERRALS_SUBORDINATE Or ADS_CHASE_REFERRALS_EXTERNAL)

    err.Clear
    Set rsUsers = objCommand.Execute
    If (err.number <> 0) Then
        objfileError.WriteLine("Search for mailbox owners failed, error:" & err.Description)
        fOneError = True
    End If
    If (rsUsers.RecordCount = 0) Then
        objfileError.WriteLine("No mailbox owner user accounts found for " & sLegacyDN & " in " & sDomainContainer & ".")
        fOneError = True
    End If

    If (rsUsers.RecordCount > 1) Then
        objfileError.WriteLine("Multiple mailboxs owner user accounts found for " & sLegacyDN & " in " & sDomainContainer & ".")
        fOneError = True
    End If

    sLdapPath = Replace(rsUsers.Fields(0).Value, "GC://", "LDAP://")
    GetLDAPPathFromLegacyDN = sLdapPath
    Set rsUsers = Nothing
End Function

Function CloseImportexportFiles

    objfileError.WriteLine("*******************************************************")
    objfileError.WriteLine("End at " & Date & " " & Time)
    objfileError.WriteLine("*******************************************************")

    objFSO.Close
    objfileError.Close
    objfileOutput.Close
    objfileImport.Close
    Set objFSO = Nothing
    Set objfileError = Nothing
    Set objfileOutput = Nothing
    Set objfileImport = Nothing
End Function

Function CreateImportExportFiles
    Dim sErrorsFileName
    Dim sImportFileName
    Dim sOutputFileName

    err.Clear
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    sErrorsFileName = ERROR_FILENAME
    sImportFileName = EMPTYSTRING
    sOutputFileName = EMPTYSTRING

    Select Case cScriptMode
        Case MODE_ADD
            sImportFileName = WScript.Arguments(ARG_INDEX_FILENAME)
            sOutputFileName = OUTPUT_FILENAME
        Case MODE_REMOVE
            sImportFileName = OUTPUT_FILENAME 'Use the output file name as the import file.
            sOutputFileName = EMPTYSTRING
        Case Else
            DisplaySyntax
    End Select

    Set objfileError = objFSO.OpenTextFile(sErrorsFileName, ForAppending, True, TristateTrue)
    objfileError.WriteLine("*******************************************************")
    objfileError.WriteLine("Start at " & Date & " " & Time)
    objfileError.WriteLine("*******************************************************")

    If (cScriptMode = MODE_REMOVE) Then
        Set objfileImport = objFSO.OpenTextFile(sImportFileName, ForReading, False, TristateTrue)
    Else
        Set objfileImport = objFSO.OpenTextFile(sImportFileName, ForReading, False, TristateFalse)
    End If

    If (sOutputFileName <> EMPTYSTRING) Then
        'Determine whether the output file already exists.
        If (objFSO.FileExists(sOutputFileName)) Then
            Set objfileOutput = objFSO.OpenTextFile(sOutputFileName, ForReading, False, TristateTrue)
            sOneRow = objfileOutput.ReadLine
            'If the user name in the file differs from the parameter, the process cannot continue.
            If ( sOneRow <> sGrantedUser ) Then
                WScript.StdOut.WriteLine("The Domain\User must be the same as " & sOneRow )
                WScript.Quit
            End If
            Set objfileOutput = objFSO.OpenTextFile(sOutputFileName, ForAppending, True, TristateTrue)
        Else
            Set objfileOutput = objFSO.OpenTextFile(sOutputFileName, ForWriting, True, TristateTrue)
            'The first line of the log file is the user who is granted the permissions.
            objfileOutput.WriteLine(sGrantedUser)
        End If
    End If
    If (err.number <> 0) Then
        WScript.StdOut.WriteLine("Failed to open Log file, error:" & err.Description)
        WScript.Quit
    End If
End Function

Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName
    'Determine whether ObjectType has to be set.
    If CStr(gObjectType) <> "0" Then
        Ace1.ObjectType = gObjectType
    End If

    'Determine whether InheritedObjectType has to be set.
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If
    dacl.AddAce Ace1

    Set Ace1 = Nothing
End Function

Function DisplaySyntax
    WScript.StdOut.WriteLine("Syntax:")
    WScript.StdOut.WriteLine
    WScript.StdOut.WriteLine("Grant Full mailbox access and SendAs permission to USER based on IMPORT_FILE:")
    WScript.StdOut.WriteLine("   CSCRIPT " & WScript.ScriptName & " -Add DOMAIN\USER IMPORT_FILE")
    WScript.StdOut.WriteLine("   NOTE: """ & OUTPUT_FILENAME & """ will be created for -Remove option ")
    WScript.StdOut.WriteLine
    WScript.StdOut.WriteLine("Remove Full mailbox access and SendAs permission based on " & OUTPUT_FILENAME & ":")
    WScript.StdOut.WriteLine("   CSCRIPT """ & WScript.ScriptName & """ -Remove ")
    WScript.StdOut.WriteLine
    WScript.StdOut.WriteLine("For all modes, errors are saved to " & ERROR_FILENAME )

    WScript.Quit
End Function
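GetLDAPPathFromLegacyDN places sLegacyDN into the LDAP filter unchanged, but RFC 4515 requires `(`, `)`, `*`, `\` and NUL to be escaped inside a filter value, and Exchange 2007 legacy DNs contain the administrative group name `Exchange Administrative Group (FYDIBOHF23SPDLT)`. The following is an added example, not part of the Microsoft script: EscapeLdapFilterValue and BuildOwnerQuery are hypothetical helpers, and the sample DN and domain container are constructed values.

```vbscript
Option Explicit

'Escape a value for use inside an LDAP search filter (RFC 4515).
'Hypothetical helper; not part of the original script.
Function EscapeLdapFilterValue(sValue)
    Dim i, sChar, sOut
    sOut = ""
    For i = 1 To Len(sValue)
        sChar = Mid(sValue, i, 1)
        Select Case sChar
            Case "\"
                sOut = sOut & "\5c"
            Case "*"
                sOut = sOut & "\2a"
            Case "("
                sOut = sOut & "\28"
            Case ")"
                sOut = sOut & "\29"
            Case Chr(0)
                sOut = sOut & "\00"
            Case ";"
                'The ADO LDAP dialect separates base, filter, attributes and
                'scope with ";", so keep a literal ";" out of the filter.
                sOut = sOut & "\3b"
            Case Else
                sOut = sOut & sChar
        End Select
    Next
    EscapeLdapFilterValue = sOut
End Function

'Build the same query text as GetLDAPPathFromLegacyDN, with the value escaped.
Function BuildOwnerQuery(sDomainContainer, sLegacyDN)
    BuildOwnerQuery = "<GC://" & sDomainContainer & ">;" & _
        "(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)" & _
        "(legacyExchangeDN=" & EscapeLdapFilterValue(sLegacyDN) & ")) ))));adspath;subtree"
End Function

'Constructed sample values for demonstration only.
Dim sSampleDN
sSampleDN = "/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=jsmith"
WScript.Echo EscapeLdapFilterValue(sSampleDN)
WScript.Echo BuildOwnerQuery("DC=contoso,DC=com", sSampleDN)
```

Run it with CSCRIPT to compare the escaped value against the raw DN before substituting the escaped form into the script's query.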

Keywords: kbhowto kbinfo KB941018

-


© Microsoft Corporation. All rights reserved.