Article ID: 941018
Article Last Modified on 10/26/2007
APPLIES TO
- Microsoft Exchange Server 2007 Enterprise Edition
- Microsoft Exchange Server 2007 Standard Edition
- Microsoft Exchange Server 2003 Enterprise Edition
- Microsoft Exchange Server 2003 Standard Edition
- Microsoft Exchange 2000 Enterprise Server
- Microsoft Exchange 2000 Server Standard Edition
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
INTRODUCTION
Daylight saving time is a system to set clocks ahead so that both sunrise and sunset occur at a later hour. The effect is more daylight in the evening. Many countries observe daylight saving time. Most of these countries have their own rules and regulations for when daylight saving time begins and ends.
The dates of daylight saving time (DST) may change from year to year. Microsoft Outlook users have to update their Outlook calendar every time that the DST rules change. The dates between the previous DST rules and the current DST rules are referred to in this article as the "extended DST period."
This article describes the actions that you can take to address calendar items in Outlook that occur during the extended DST period. This article also describes the actions that you should take to update calendar items that are stored in Microsoft Exchange Server according to the new DST rules. The solution that is presented in this article involves the Microsoft Exchange Calendar Update Tool (“the Exchange tool”).
For more information about how to prepare for changes in daylight saving time in 2007 (DST 2007) for all affected Microsoft products, visit the following Microsoft Web site:
MORE INFORMATION
About the Exchange tool
After you install the DST updates for Microsoft Windows, all old appointments that occur during the DST change periods will be incorrectly displayed as occurring one hour later. This is true for both recurring and single-instance appointments. You must update these appointments so that they will be displayed correctly in Outlook, in Microsoft Office Outlook Web Access, and in applications that are based on Collaboration Data Objects (CDO).
Outlook provides a tool that is named the Time Zone Data Update Tool for Microsoft Office Outlook ("the Outlook tool"). This tool enables users to update their own calendars.
For more information about the Time Zone Data Update Tool, click the following article number to view the article in the Microsoft Knowledge Base:
931667 How to address the daylight saving time changes in 2007 by using the Time Zone Data Update Tool for Microsoft Office Outlook
The Exchange Calendar Update Tool ("the Exchange tool") helps you avoid the difficulties that administrators face in deploying the Outlook tool widely to all users and in making sure that each user runs the Outlook tool correctly.
High-level description of the Exchange tool
The Exchange tool consists of two separate executable files. These files are described in the following table.
File name | Description |
---|---|
Msextmz.exe | This executable file extracts time zone information from mailboxes on a server that is running Exchange Server. This executable file also updates mailbox calendars for a specified list of users. |
Msextmzcfg.exe | This executable file is a configuration tool that performs most of the steps that are involved in updating a server that is running Exchange Server. |
About the new version of the Exchange tool
Based on customer feedback, a new version of the Exchange tool was released on August 13, 2007. This article refers to the new version of the Exchange tool. If you are running an older version of the Exchange tool, uninstall it, and then install the new version.
The new version of the Exchange tool includes the following improvements:
- The time zone extraction and calendar update processes are sped up fourfold.
- The user interface for the configuration tool is more streamlined and intuitive.
- The ability to update conference rooms and resource mailboxes is now built into the configuration tool.
- The ability to update user mailboxes is now built into the configuration tool.
- A troubleshooting document is now included with the Exchange tool, and it is integrated into the configuration tool.
- The time zone extraction algorithm and error handling capabilities are improved.
- The logging process is more user-friendly.
Risk of running the Exchange tool
When you run the Exchange tool, there is a risk that single-instance appointments may not be updated correctly. For example, single-instance appointments that a user created after the operating system was updated may be updated incorrectly.
To reduce this risk, use one of the following methods:
- Reduce the interval between the time that you update client computers and the time that you update mailbox calendars.
- If computers in the organization were updated a long time ago, use the Only Update Recurring Meetings setting in Advanced settings.
Typically, people do not create single-instance appointments many months in advance. Therefore, if the DST updates were installed many months before, most of the single-instance meetings that fall into the extended DST period will have been created by using the new DST transition rules. These meetings do not have to be updated.
- If you know the exact date when all the client computers were updated, use the Operating System Patch Date setting in Advanced settings. If a date is specified, single-instance appointments that were created after that date are not updated by the Exchange tool.
Note If you run the Outlook tool or the Exchange tool on a client computer that is running Windows Vista, and you run the tool against mailboxes where the home time zone is New Zealand Standard Time, you must run the tool a second time on or after January 1, 2008. For more information, see the "Known issues" section.
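The one-hour shift described in the "About the Exchange tool" section and the single-instance risk described just above, worked through in an added example that is not code from the KB article or from the Exchange tool. It models a constructed US Eastern Time mailbox (standard offset UTC-5) with the pre-2007 and 2007 US DST rules and a simplified model of rebasing; rule dates are the published US rules, everything else is assumed. Requires PowerShell 2.0 or later.

```powershell
# Added example (not from the KB article): why an appointment saved under the old DST rule is
# displayed one hour late after the Windows DST update, what rebasing does about it, and why
# rebasing an item that was saved after the update moves it an hour the other way.

$StandardOffsetHours = -5   # US Eastern standard time (constructed example zone)

function Get-NthSunday {
    param([int]$Year, [int]$Month, [int]$N)   # N = 1 for the first Sunday, 2 for the second, ...
    $d = New-Object DateTime -ArgumentList $Year, $Month, 1
    while ($d.DayOfWeek -ne 'Sunday') { $d = $d.AddDays(1) }
    return $d.AddDays(7 * ($N - 1))
}

function Get-LastSunday {
    param([int]$Year, [int]$Month)
    $d = (New-Object DateTime -ArgumentList $Year, $Month, 1).AddMonths(1).AddDays(-1)
    while ($d.DayOfWeek -ne 'Sunday') { $d = $d.AddDays(-1) }
    return $d
}

# Pre-2007 US rule: DST from the first Sunday in April to the last Sunday in October (02:00 local).
function Test-IsDstOldRule {
    param([datetime]$Local)
    $start = (Get-NthSunday $Local.Year 4 1).AddHours(2)
    $end   = (Get-LastSunday $Local.Year 10).AddHours(2)
    return ($Local -ge $start -and $Local -lt $end)
}

# 2007 US rule: DST from the second Sunday in March to the first Sunday in November (02:00 local).
function Test-IsDstNewRule {
    param([datetime]$Local)
    $start = (Get-NthSunday $Local.Year 3 2).AddHours(2)
    $end   = (Get-NthSunday $Local.Year 11 1).AddHours(2)
    return ($Local -ge $start -and $Local -lt $end)
}

# Local -> UTC and UTC -> local under a given rule ($Rule is the name of one of the Test-* functions).
function ConvertTo-UtcWithRule {
    param([datetime]$Local, [string]$Rule)
    $offset = $StandardOffsetHours
    if (& $Rule $Local) { $offset += 1 }
    return $Local.AddHours(-$offset)
}

function ConvertFrom-UtcWithRule {
    param([datetime]$Utc, [string]$Rule)
    $offset = $StandardOffsetHours
    if (& $Rule $Utc.AddHours($offset)) { $offset += 1 }   # decide DST from the standard-time local value
    return $Utc.AddHours($offset)
}

# Simplified model of rebasing an item that was saved under the old rule: recover the local time it
# was saved with (old rule), then store that same local time under the new rule.
function Invoke-Rebase {
    param([datetime]$StoredUtc)
    $intendedLocal = ConvertFrom-UtcWithRule $StoredUtc 'Test-IsDstOldRule'
    return ConvertTo-UtcWithRule $intendedLocal 'Test-IsDstNewRule'
}

# Constructed appointment: 09:00 on 20 March 2007, inside the extended DST period
# (after the new start on 11 March 2007, before the old start on 1 April 2007).
$bookedLocal = New-Object DateTime -ArgumentList 2007, 3, 20, 9, 0, 0

# Case 1: saved before the Windows DST update, so the stored UTC value used the old rule (EST, UTC-5).
$storedUtc        = ConvertTo-UtcWithRule $bookedLocal 'Test-IsDstOldRule'          # 14:00 UTC
$shownAfterUpdate = ConvertFrom-UtcWithRule $storedUtc 'Test-IsDstNewRule'          # 10:00 local, one hour late
$rebasedUtc       = Invoke-Rebase $storedUtc                                        # 13:00 UTC
$shownAfterRebase = ConvertFrom-UtcWithRule $rebasedUtc 'Test-IsDstNewRule'         # 09:00 local, correct again

# Case 2: the same appointment created after the update was already stored under the new rule.
# Rebasing it anyway moves it an hour early: the single-instance risk the article describes, and the
# reason for the Operating System Patch Date and Update Recurring Meetings Only settings.
$correctUtc = ConvertTo-UtcWithRule $bookedLocal 'Test-IsDstNewRule'                # 13:00 UTC
$shownAfterWrongRebase = ConvertFrom-UtcWithRule (Invoke-Rebase $correctUtc) 'Test-IsDstNewRule'   # 08:00 local

"Booked                  : {0:yyyy-MM-dd HH:mm} local" -f $bookedLocal
"Stored under old rule   : {0:HH:mm} UTC, shown after update as {1:HH:mm} local" -f $storedUtc, $shownAfterUpdate
"Rebased                 : {0:HH:mm} UTC, shown as {1:HH:mm} local" -f $rebasedUtc, $shownAfterRebase
"Rebased although correct: shown as {0:HH:mm} local (one hour early)" -f $shownAfterWrongRebase
```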
Options to update mailboxes
The following table lists five options that you can use to update user mailboxes to use the DST 2007 time zone rules.
Option | Pros | Cons |
---|---|---|
Distribute the Outlook tool to each user, and then instruct users to update their own mailboxes. | This option avoids the risk that is associated with running the Exchange tool. | It is difficult to guarantee that all users will run the Outlook tool correctly and in a timely manner. |
Run the Exchange tool against all affected users and servers. | This option provides a streamlined experience for users. | There is a risk associated with running the Exchange tool, as described in the "Risk of running the Exchange tool" section. |
Run the Exchange tool to update only recurring appointments. Let users update single-instance appointments in their own mailboxes by using the Outlook tool. | There is less risk of single-instance appointments being incorrectly updated. | The cons of running the Outlook tool are combined with the cons of running the Exchange tool. |
Run neither the Exchange tool nor the Outlook tool. Ask users to examine their calendars and to re-book appointments as needed. | This option avoids the risk that is associated with running the Exchange tool. | Unless all users re-book all affected appointments, some calendar items will be one hour off during the extended DST period. |
Distribute the Outlook tool to each user, and then instruct users to update their own mailboxes. Then, use the Time Zone Extraction mode of the Exchange tool to determine whether users are running the Outlook tool. | This option reduces the risk of users not running the tool in a timely manner, and it avoids the risk that is associated with running the Exchange tool. | This is not an option if users are running Microsoft Office Outlook 2007. |
How to install the Exchange tool
The Exchange Calendar Update Tool is available for download in the form of a self-extracting executable file (Msextmz.exe). This tool is available for download from the Microsoft Download Center:
Download the Exchange Calendar Update Tool package now.
A virtual machine is created to help you install and use the Exchange tool. The virtual machine is based on Microsoft Windows Server 2003, Outlook 2007, Microsoft Office Excel 2007, and Microsoft Office Word 2007. The virtual machine works in both Microsoft Virtual PC 2004 and in Microsoft Virtual Server 2005 R2.
For more information about the virtual machine for the Exchange Calendar Update Tool, click the following article number to view the article in the Microsoft Knowledge Base:
933185 A virtual machine is available to help you deploy daylight saving time 2007 calendar updates in an Exchange organization
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Languages that are supported by the Exchange tool
The Exchange tool is available only in English. The tool will run only on an English (US) computer.
Versions of Exchange Server that are compatible with the Exchange tool
The Exchange tool can update mailboxes on the following versions of Exchange Server:
- Microsoft Exchange Server 2007 Enterprise Edition
- Microsoft Exchange Server 2007 Standard Edition
- Microsoft Exchange Server 2003 Enterprise Edition
- Microsoft Exchange Server 2003 Standard Edition
- Microsoft Exchange 2000 Server Enterprise Edition
- Microsoft Exchange 2000 Server Standard Edition
Operating systems that are supported by the Exchange tool
The Exchange tool will run on the 32-bit versions of the following operating systems:
- Microsoft Windows Server 2003
- Microsoft Windows XP
- Windows Vista
What to do before you run the Exchange tool
Install updates
Before you run the Exchange tool, make sure that client and server computers are updated correctly. To do this, install the Windows DST update on clients and on servers. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
933360 August 2007 cumulative time zone update for Microsoft Windows operating systems
If you are running Microsoft Exchange Server 2003 Service Pack 2 (SP2), install one or both of the following updates, as appropriate for your organization:
- Update 911829
- Update 924334
For more information about these updates, click the following article numbers to view the articles in the Microsoft Knowledge Base:
911829 You receive an error message when you try to perform any editing tasks, or you must click to enable the compose frame in Outlook Web Access
924334 The Compose Message form stops responding after you install Internet Explorer 7.0 and the S/MIME control on an Outlook Web Access client in Exchange Server 2003
If users are within the Jerusalem, Central Brazilian, or E. South American time zone, please read the guidance in the following Microsoft Knowledge Base article:
943390 Some Outlook calendar items are rebased incorrectly when you use the Outlook Time Zone Data Update Tool to adjust for daylight saving time changes in certain time zones
Verify the system requirements
You must run the Exchange tool only on a computer for which the following conditions are true:
- The computer has Microsoft Office Outlook 2003 Service Pack 2 (SP2) or Microsoft Office Outlook 2007 installed.
- The computer has the Outlook Time Zone Data Tool installed.
- Microsoft .NET Framework version 2.0 is installed on the client computer.
You cannot run the Exchange tool on a computer that is running Exchange Server or the Exchange System Management tools. If you try to install the Exchange tool on a computer that is running Exchange Server or the Exchange System Management tools, you receive the following error message:
Verify permissions and other user requirements
Verify that the following conditions are true:
- Administer Information Store permissions on each Exchange Server message database (MDB) are updated.
- Send As permissions for all mailboxes are updated.
- Full Mailbox Access permissions for all mailboxes are updated.
- Local administrator permissions are granted on the computer that is running the Exchange tool.
About the "Grant Mailbox Permission" script
You can use the sample GrantMailboxPermission.vbs script to grant a domain user Full Mailbox Access and Send As permissions to all mailboxes.
This script can be run only by an Exchange Server administrator on a computer that is running Exchange 2000 Server or Exchange Server 2003. This script cannot be run on a computer that is running Exchange Server 2007. However, you can use the Exchange Management Shell to grant the required permissions.
The code for the .vbs script is provided in the "References" section. The following table describes the two modes in which this script runs.
Mode | Command | Description |
---|---|---|
Add | CScript GrantMailboxPermission.vbs -add Domain_Name\User_Name File_Name | This command grants the Domain_Name\User_Name user Full Mailbox Access and Send As permissions to the user mailboxes that are listed in the input file. |
Remove | CScript GrantMailboxPermission.vbs -remove | This command removes the Domain_Name\User_Name user's Full Mailbox Access and Send As permissions from the mailboxes that are listed in the GrantMailboxPermission.log file. The Domain_Name\User_Name user is specified in the GrantMailboxPermission.log file. |
Notes
- When you run this script on the computer that is running Exchange Server, the script returns a period character (.) when the script successfully processes a user. The script returns an exclamation point character (!) when the script does not successfully process a user.
- The output file of the Time Zone Extraction mode cannot be used as an input file for this script. To create the input file for this script, paste the contents of the Time Zone Extraction mode output file into Notepad, save the contents as a new document, and then use the new document as the input file.
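The Add and Remove modes described above, re-created for the Exchange Management Shell as an added example; this is not code from the KB article, from GrantMailboxPermission.vbs, or from the Exchange tool. Because the grant is Full Access plus Send-As on every listed mailbox, the example records each successful grant in a log file so that exactly those rights can be revoked once the calendar update is finished. The service account, file names and mailbox list are assumptions; it requires Exchange 2007 cmdlets and PowerShell 2.0 or later.

```powershell
# Added example (not part of the KB article or the Exchange tool): Exchange 2007 equivalent of the
# GrantMailboxPermission.vbs add/remove modes, using Exchange Management Shell cmdlets.

function Grant-DstToolPermission {
    param(
        [Parameter(Mandatory=$true)][string]$User,        # account the Exchange tool will run as (assumed)
        [Parameter(Mandatory=$true)][string]$InputFile,   # one mailbox alias or SMTP address per line
        [string]$LogFile = '.\GrantMailboxPermission.ps.log'
    )
    # First log line records the grantee, so the Remove mode can recover it as the .vbs does.
    if (-not (Test-Path $LogFile)) { Set-Content -Path $LogFile -Value "GRANTEE`t$User" }

    foreach ($line in Get-Content $InputFile) {
        $id = $line.Trim()
        if ($id -eq '') { continue }
        try {
            $mbx = Get-Mailbox -Identity $id -ErrorAction Stop
            # Full Mailbox Access lives on the mailbox (store) DACL ...
            Add-MailboxPermission -Identity $mbx.Identity -User $User -AccessRights FullAccess `
                -InheritanceType All -ErrorAction Stop | Out-Null
            # ... while Send As is an AD extended right on the user object, the same two DACLs the .vbs reads.
            Add-ADPermission -Identity $mbx.DistinguishedName -User $User -ExtendedRights 'Send-As' `
                -ErrorAction Stop | Out-Null
            Add-Content -Path $LogFile -Value ("OK`t{0}" -f $mbx.DistinguishedName)
            Write-Host -NoNewline '.'     # same progress marks as the .vbs: '.' per success
        } catch {
            Add-Content -Path $LogFile -Value ("ERR`t{0}`t{1}" -f $id, $_.Exception.Message)
            Write-Host -NoNewline '!'     # '!' per failure
        }
    }
    Write-Host ''
}

function Revoke-DstToolPermission {
    param([string]$LogFile = '.\GrantMailboxPermission.ps.log')
    $lines = Get-Content $LogFile
    $User = ($lines[0] -split "`t")[1]              # grantee recorded by Grant-DstToolPermission
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        $parts = $line -split "`t"
        if ($parts[0] -ne 'OK') { continue }         # only revoke what was actually granted
        $dn = $parts[1]
        try {
            Remove-ADPermission -Identity $dn -User $User -ExtendedRights 'Send-As' `
                -Confirm:$false -ErrorAction Stop | Out-Null
            Remove-MailboxPermission -Identity $dn -User $User -AccessRights FullAccess `
                -InheritanceType All -Confirm:$false -ErrorAction Stop | Out-Null
            Write-Host -NoNewline '.'
        } catch {
            Write-Warning ("Could not revoke on {0}: {1}" -f $dn, $_.Exception.Message)
            Write-Host -NoNewline '!'
        }
    }
    Write-Host ''
}

# Usage with assumed values: grant before running the Exchange tool, revoke when the update is done.
# Grant-DstToolPermission -User 'CONTOSO\svc-dstupdate' -InputFile '.\mailboxes.txt'
# Revoke-DstToolPermission
```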
How to use the Exchange tool
To use the Exchange tool, start the Exchange Calendar Update Configuration Tool (Msextmzcfg.exe). This program will help you with the whole process of updating calendars.
Run the time zone extraction process
To update mailbox calendars, you must determine the time zone of the calendars. The time zone extraction process examines the properties and the appointments of the mailbox calendars to determine their time zones. To run the time zone extraction process, follow these steps:
- At the welcome page, click Next.
Note The welcome page introduces you to the configuration tool and discusses the permissions that are required to run the tool. The page also provides a link to this article.
- Specify the settings for the configuration tool. We recommend that you allocate at least 200 megabytes (MB) of disk space to logging.
If you want to change the default settings, click Advanced Settings. For more information about the advanced settings, see the table that follows this procedure.
- Select the Exchange servers in the local Active Directory directory service forest that you want to update. Then, click Next to start the time zone extraction process.
Note If you have already performed time zone extraction, you can skip this step by clicking Skip.
Notice that a status bar, a link to the output log, and a real-time display of the time zone extraction process are displayed. After the time zone extraction process is complete, click Next.
If errors were encountered, a link to the troubleshooting document is displayed.
- Configure the Mailboxes with No Time Zones page, and then click Next to scan calendar items.
Note If the tool finds users who do not have mailbox level properties that indicate their time zone, the tool scans actual meetings and appointments inside those calendars to determine the time zone. You can specify the number of calendar items through which you want the configuration tool to scan. The larger the number of items that you specify, the longer the scan will take.
- In the Resolve unknown time zone display names page, the tool prompts you to map time zones that the tool does not recognize to a known operating system time zone. After you do this, click Next.
- If the configuration tool finds users who have multiple time zones, you are prompted to manually resolve the conflict by specifying one time zone with which to update the user’s calendar. After you do this, click Next.
- In the Save Mailbox DNs with Unresolved Time Zones page, any remaining users who still have no time zone information or who still have conflicting time zone information are recorded in a separate log file. Click Next.
The time zone extraction process is now complete. The list of users and of extracted time zones is located in the output file (Output.txt) in the installation directory.
Advanced settings
The following table describes the advanced settings that you can configure in step 2 of the previous procedure.
Setting | Functionality | Scenario | Considerations | Applicability |
---|---|---|---|---|
Update Recurring Meetings Only | This setting updates only recurring meetings that are affected by the DST change. Single-instance appointments that fall in the extended DST period are not updated regardless of whether they should be updated. | If computers in the organization were updated a long time ago, use this setting. | If a user created a single-instance meeting many months in advance, this meeting is not updated if this setting is specified. | This setting applies to all mailboxes, to all conference rooms, and to all user calendars. |
Operating System Patch Installation Date | This setting specifies that single-instance appointments that are created or updated after the date that you specify are not updated. | If you know the exact date when all the client computers were updated, use this setting. | This setting is effective only when the client computers were all updated within fewer than 24 hours, and when there is high penetration of the update. (There is high penetration when the percentage of computers in the organization that have been updated is in the high 90-percent range.) | This setting applies to all mailboxes, to all conference rooms, and to all user calendars. |
SuppressExchange and MaxDepth | These settings cause all appointments in a user’s calendar that are affected by the DST change to be updated regardless of whether the user is the organizer of those calendar items. | Use this setting if you do not want Exchange users to receive meeting updates from organizers for meetings that are affected by the extended DST period. | No meeting updates are sent, except to non-Exchange users. Therefore, to make sure that copies of the same meeting are updated for all possible attendees, every mailbox in the organization must be updated. | This setting applies only to user mailboxes. |
SuppressAll | This setting causes all appointments in a user’s calendar that are affected by the DST change to be updated regardless of whether the user is the organizer of those calendar items. | Use this setting if you do not want attendees to receive meeting updates from organizers for meetings that are affected by the extended DST period. | No meeting updates are sent. Therefore, to make sure that copies of the same meeting are updated for all possible attendees, every mailbox in the organization must be updated. | This setting applies only to user mailboxes. |
Update conference rooms and resource mailboxes
You must update conference rooms and resource mailboxes to avoid booking conflicts. To do this, follow these steps:
- On the Specify Resource and Conference Room Calendars page, type or paste the list of aliases of conference rooms in your organization. Click Resolve to validate the aliases, and then click Next.
- On the Resolve Time Zones for Resource and Conference Room Calendars page, the tool prompts you to manually specify the time zone for a conference room if the conference room does not have a time zone. Do this, and then click Next.
- A reminder page is displayed to remind you that the tool is about to update calendars. Click Next.
- Notice that a status bar, a link to the output log, and a real-time display of the output of the tool are displayed. Click Next.
If errors are encountered, a link to the troubleshooting document is displayed at the bottom of this page.
Update the user mailbox calendar
To do this, follow these steps:
- On the Settings for Updating User Mailbox Calendars page, configure the settings for the update.
If you have not specified the SuppressExchange or SuppressAll advanced settings, select the time zones that are affected by DST. Otherwise, select all time zones.
Click Next.
- A reminder page is displayed to remind you that the tool is about to update calendars. Click Next.
- Notice that a status bar, a link to the output log, and a real-time display of the output of the tool are displayed. After the update is complete, click Next.
If errors are encountered, a link to the troubleshooting document is displayed at the bottom of this page.
- Click Finish.
Exchange tool log files and subdirectories
Log files
The Exchange tool creates the following log files in the installation directory:
- Output.txt
This file contains a list of all user mailboxes that were extracted together with their time zone information.
- TimeZoneExtraction.log
This log contains the combined output of the time zone extraction process for all servers.
- ResourceUpdate.log
This log contains the output of the update process for the conference rooms and for the resource mailboxes.
- UserUpdate.log
This log contains the combined output of the user mailbox update process for all servers.
- CalendarScan.log
This log contains the combined output of the calendar scan process for all servers.
- ConflictUsers.txt
This log contains a list of users who have conflicting time zones. For example, the users' mailbox properties indicate that they belong to multiple time zones.
- NonExistent.txt
This log contains a list of users who have no time zone information.
Subdirectories
The Exchange tool creates the following subdirectories in the installation directory:
- Resource
This is the working subdirectory for the update process for the conference rooms and for the resource mailboxes. This directory contains the following files:
  - Msextmz.log
  This is the output file of the Exchange tool for the update process.
  - Errors.txt
  This file contains the list of mailboxes.
  - Processed.txt
  This file contains the list of mailboxes that were successfully updated.
Note All working subdirectories contain these files.
The Resource subdirectory also contains the following subdirectory:
  - LogFiles
  This subdirectory contains update logs for each mailbox that was successfully updated. Each update log should contain a list of meetings that were updated.
- Server_Name
There is one subdirectory for each server on which the time zone extraction process or a calendar update was performed. These subdirectories contain the following subdirectories:
  - CalendarScan
  This is the working subdirectory for the calendar scan process.
  - Extract
  This is the working subdirectory for the time zone extraction process.
  - Update
  This is the working subdirectory for the user mailbox update process. It contains the following subdirectory:
    - LogFiles
    This subdirectory contains update logs for each mailbox that was successfully updated. Each update log should contain a list of meetings that were updated.
What to do after you run the Exchange tool
After you finish running the Exchange tool against all Exchange servers in your environment, apply the appropriate Exchange Server DST updates. The following list is organized by Exchange Server version and service pack level. Install the updates for your version of Exchange Server in order.
Exchange 2007
940006 Description of Update Rollup 4 for Exchange 2007
Update rollup 940006 includes the following DST fixes:
937656 You experience problems in Outlook Web Access for Exchange 2007 after daylight saving time (DST) starts in New Zealand in 2007
932561 Appointments that are sent from one Exchange organization to another by using Exchange 2007 may be incorrect by one hour if one organization is in the Western Australia time zone
Exchange 2003 SP2
926666 Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2
931915 Update for daylight saving time changes in Newfoundland in 2007 for Exchange Server 2003 Service Pack 2
929895 Appointments that are sent between different Exchange Server organizations may be incorrect by one hour when one of the organizations is in the Western Australia time zone
937653 You experience one or more issues in Exchange Server 2003 after the daylight saving time period for New Zealand changes in 2007
Exchange 2003 SP1
940123 You experience problems in Exchange 2003 Service Pack 1 after daylight saving time (DST) starts in New Zealand in 2007
Known issues
- Recurring meetings that are created in Outlook Web Access are not updated by the Exchange tool
If you install the Exchange Server updates on the Exchange server before you update the mailboxes, recurring meetings that are created in Outlook Web Access are not updated by the Exchange tool.
To resolve this problem, remove the Exchange Server updates, run the Exchange tool, and then reinstall the Exchange Server updates on the Exchange server.
- Exchange 2007 must be restarted after you run the Exchange tool
To correctly display calendar items, you must restart the Exchange services after you run the Exchange tool for Outlook Web Access in Exchange 2007.
- You cannot install the Exchange tool
The Exchange tool is not installed successfully if either of the following registry keys exists:
  - HKEY_CLASSES_ROOT\Outlook.Application.9
  - HKEY_CLASSES_ROOT\Outlook.Application.10
In this scenario, you receive the following error message when you try to install the Exchange tool:
To work around this issue, delete these registry keys, install the Exchange tool, and then restore the registry keys.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
- There is a limit on the number of mailboxes that can be processed per server
In User List mode and in Time Zone Extraction mode, Msextmz.exe can process only 65,535 mailboxes on a server. If the server has more than 65,535 mailboxes, some mailboxes are not processed.
- Public Folder calendars are not updated
The Exchange tool does not update Public Folder calendars. For information about how to update a Public Folder calendar, see the documentation for the Outlook tool.
- You can run the Outlook tool and the Exchange tool in the same environment
If you run the Exchange tool on a mailbox that has already been updated by the Outlook tool, or vice versa, you experience no side effects. However, if you run the Exchange tool, there is no need for users to run the Outlook tool separately.
- Non-meeting reminders appear later than expected
Non-meeting reminders for mailboxes that are updated by the Exchange tool are not updated if Outlook has never connected to the mailbox in Online mode. In this situation, reminders appear one hour later than expected.
If Outlook has never connected in Online mode, you must adjust the incorrect reminders for calendar appointments that the Outlook tool finds. Additionally, the reminders search folder does not exist in the mailbox. Therefore, the tool does not update e-mail items, contacts, or other reminders.
For example, the tool does not update the reminder on an e-mail item to follow up at a time in the future. The tool also does not update the reminder on a task item that has a reminder.
- You receive an error message: “Unable to install because previous versions of 'Microsoft Exchange Calendar Update Tool' were detected. Please uninstall them and run this setup again”
If you previously installed Exchange Calendar Update Tool version 1.0, you must uninstall this version before you install Exchange Calendar Update Tool version 2.0.
Exchange Calendar Update Tool version 1.0 was distributed as a self-extracting executable file that contained two .msi packages (Msextmz.msi and Msextmzcfg.msi). You must uninstall both packages before you install version 2.0 of the Exchange tool.
If you still experience problems when you install version 2.0 of the Exchange tool, try reinstalling and then uninstalling version 1.0 of the Exchange tool. Do this by using the .msi packages instead of by using the Add or Remove Programs feature in Control Panel. Then, restart your computer, and then install version 2.0 of the Exchange tool.
If this procedure does not work, extract the binaries directly from the .msi packages.
- When you run the Outlook or Exchange update tools, appointments are off by one hour on mailboxes where the home time zone is New Zealand Standard Time
This behavior occurs when both of the following conditions are true:
  - You run the Outlook or Exchange update tools on a computer that is running Windows Vista.
  - The home time zone of the mailboxes that are being updated is New Zealand Standard Time.
To work around this issue, you must run the Outlook or Exchange update tools against the mailboxes a second time on or after January 1, 2008.
This behavior occurs because Windows Vista handles time zone information differently than other versions of Windows. If you do not run the Outlook or Exchange update tools again on or after January 1, 2008, all appointments in the second DST event will be off by one hour. The second DST event includes dates from March 16, 2008 through April 6, 2008. If you do not want to wait until January 1, 2008 to update appointments in the second DST event, you can run the Outlook or Exchange update tools from a computer that is running Windows XP or Windows Server 2003.
REFERENCES
The "Grant Mailbox Permission" script
Option Explicit

' FileSystemObject constants
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Const TristateTrue = -1
Const TristateUseDefault = -2
Const TristateFalse = 0

' Permission type: Allow or Deny
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1f
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
Const ADS_ACEFLAG_FAILED_ACCESS = &H80

' ADSI constants
Const ADS_SCOPE_SUBTREE = 2
Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_OPTION_REFERRALS = 1
Const ADS_SECURITY_INFO_DACL = 4
Const ADS_CHASE_REFERRALS_NEVER = &h00
Const ADS_CHASE_REFERRALS_SUBORDINATE = &h20
Const ADS_CHASE_REFERRALS_EXTERNAL = &h40

' Microsoft Exchange Server: Full Mailbox Access is a bit in the mailbox DACL,
' Send As is an object-specific (extended right) ACE on the user object.
Const EX_MB_SEND_AS_ACCESSMASK = &H00100
Const EX_FULLMAILBOX_ACCESSMASK = 1
Const EX_MB_SEND_AS_GUID = "{AB721A54-1E2F-11D0-9819-00AA0040529B}"

' Application parameter index
Const ARG_INDEX_MODE = 0
Const ARG_INDEX_USERNAME = 1
Const ARG_INDEX_FILENAME = 2
Const MIN_ARG = 1
Const MODE_INVALID = -1
Const MODE_ADD = 0
Const MODE_REMOVE = 1
Const ADD = "-ADD"
Const REMOVE = "-REMOVE"

' Application constant strings
Const EMPTYSTRING = ""
Const ERROR_FILENAME = "GrantMailboxPermission.err"
Const OUTPUT_FILENAME = "GrantMailboxPermission.log"
Dim OUTPUT_DELIMITER
OUTPUT_DELIMITER = vbTab

' Logging files
Dim objFSO
Dim objfileError
Dim objfileOutput
Dim objfileImport

' Directory objects and state
Dim objconn
Dim objCommand
Dim rootDSE
Dim sDomainContainer
Dim sUserLDAPPath
Dim objUser
Dim objSDNTsecurity
Dim objDACLNT
Dim objDACLEX
Dim objSDMailbox
Dim fFMA
Dim fSendAs
Dim AccessTypeForFMA
Dim AccessTypeForSendAS
Dim fAddedFMA
Dim fAddedSendAs
Dim fRemovedFMA
Dim fRemovedSendAs
Dim sArraySplit
Dim sOneRow
Dim sGrantedUser
Dim dArgCount
Dim cScriptMode
Dim dArgExpected
Dim fOneError

On Error Resume Next

' Parameter verification
dArgCount = Wscript.Arguments.Count
If (dArgCount < MIN_ARG) Then
    DisplaySyntax
End If

cScriptMode = MODE_INVALID
Select Case UCase(WScript.Arguments(ARG_INDEX_MODE))
    Case ADD
        cScriptMode = MODE_ADD
        dArgExpected = ARG_INDEX_FILENAME + 1
    Case REMOVE
        cScriptMode = MODE_REMOVE
        dArgExpected = ARG_INDEX_MODE + 1
    Case Else
        cScriptMode = MODE_INVALID
End Select

If (cScriptMode = MODE_INVALID Or dArgCount <> dArgExpected) Then
    DisplaySyntax
End If

If (cScriptMode = MODE_ADD) Then
    sGrantedUser = WScript.Arguments(ARG_INDEX_USERNAME)
    If (IsValidUserName(sGrantedUser) = False) Then
        DisplaySyntax
    End If
End If

CreateImportExportFiles

'---------------------------------------------------------------------------
' -Add mode: for every legacyExchangeDN in the import file, grant the user
' Full Mailbox Access and Send As, and record what was added in the log file.
'---------------------------------------------------------------------------
If (cScriptMode = MODE_ADD) Then
    err.Clear
    ' Prepare the LDAP connection.
    Set objconn = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objconn.Provider = "ADSDSOObject"
    objconn.Open "ADs Provider"
    If (err.number <> 0) Then
        WScript.StdOut.WriteLine("Failed to bind to Active Directory server, error:" & err.Description)
        objfileError.WriteLine("Failed to bind to Active Directory server, error:" & err.Description)
        WScript.Quit
    End If

    Set rootDSE = GetObject("LDAP://rootDSE")
    sDomainContainer = rootDSE.Get("defaultNamingContext")
    If (err.number <> 0) Then
        WScript.StdOut.WriteLine("Failed to find a Domain Container:" & err.Description)
        objfileError.WriteLine("Failed to find a Domain Container:" & err.Description)
        WScript.Quit
    End If

    Set objCommand.ActiveConnection = objconn

    Do While objfileImport.AtEndOfStream <> True
        fOneError = False
        sUserLDAPPath = EMPTYSTRING
        err.Clear
        sOneRow = Trim(objfileImport.ReadLine)
        If sOneRow <> EMPTYSTRING Then
            sUserLDAPPath = GetLDAPPathFromLegacyDN(sOneRow)
            If (err.number <> 0) Then
                objfileError.WriteLine("Failed to get user's LDAP path from " & sOneRow)
                fOneError = True
                err.Clear
            End If

            If (fOneError = False) Then
                Set objUser = GetObject(sUserLDAPPath)
                If (err.number <> 0) Then
                    objfileError.WriteLine("Failed to get user object from " & sUserLDAPPath)
                    objfileError.WriteLine("Error: " & err.Description)
                    fOneError = True
                    err.Clear
                End If
            End If

            If (fOneError = False) Then
                ' Mailbox security descriptor (Full Mailbox Access lives here).
                Set objSDMailbox = objUser.MailboxRights
                Set objDACLEX = objSDMailbox.DiscretionaryAcl
                ' Active Directory object security descriptor (Send As lives here).
                Set objSDNTsecurity = objUser.ntSecurityDescriptor
                Set objDACLNT = objSDNTsecurity.DiscretionaryAcl
                If (err.number <> 0) Then
                    objfileError.WriteLine("Failed to get DACL of " & sUserLDAPPath)
                    objfileError.WriteLine("Error: " & err.Description)
                    fOneError = True
                    err.Clear
                End If
            End If

            ' Verify Full Mailbox Access and Send As permissions.
            fFMA = False
            fSendAs = False
            AccessTypeForFMA = ADS_ACETYPE_ACCESS_ALLOWED
            AccessTypeForSendAS = ADS_ACETYPE_ACCESS_ALLOWED
            If (fOneError = False) Then
                CheckFullMailboxAccess objDACLEX, sGrantedUser, fFMA, AccessTypeForFMA
                CheckSendAs objDACLNT, sGrantedUser, fSendAs, AccessTypeForSendAS
                If (err.number <> 0) Then
                    objfileError.WriteLine("Failed to Check permission of " & sUserLDAPPath)
                    objfileError.WriteLine("Error: " & err.Description)
                    fOneError = True
                    err.Clear
                End If
            End If

            ' If a Deny ACE already exists for this user, do not add permissions.
            If ( (AccessTypeForFMA = ADS_ACETYPE_ACCESS_DENIED) Or (AccessTypeForSendAs = ADS_ACETYPE_ACCESS_DENIED_OBJECT) ) Then
                objfileError.WriteLine("Deny permission already added: " & sUserLDAPPath)
                fOneError = True
            End If

            ' If Send As or Full Mailbox Access permissions do not exist, add them.
            If ( fOneError = False And ((fFMA = False) Or (fSendAs = False)) ) Then
                fAddedFMA = False
                fAddedSendAs = False

                If (fFMA = False) Then
                    ' Add Full Mailbox Access permissions.
                    err.Clear
                    AddAce objDACLEX, sGrantedUser, EX_FULLMAILBOX_ACCESSMASK, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
                    objSDMailbox.DiscretionaryAcl = objDACLEX
                    objUser.MailboxRights = Array(objSDMailbox)
                    If ( err.number <> 0 ) Then
                        objfileError.WriteLine("Failed to add FullMailbox Access: " & sUserLDAPPath)
                        objfileError.WriteLine("Error: " & err.Description)
                        fOneError = True
                        fAddedFMA = False
                        err.Clear
                    Else
                        fAddedFMA = True
                    End If
                End If

                If (fSendAs = False) Then
                    ' Add Send As permissions (object-specific ACE with the Send As GUID).
                    err.Clear
                    AddAce objDACLNT, sGrantedUser, EX_MB_SEND_AS_ACCESSMASK, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, 0, 1, EX_MB_SEND_AS_GUID, 0
                    objSDNTsecurity.DiscretionaryAcl = objDACLNT
                    objUser.Put "ntSecurityDescriptor", Array( objSDNTsecurity )
                    ' Write back only the DACL so that owner, group and SACL are left untouched.
                    objUser.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
                    If ( err.number <> 0 ) Then
                        objfileError.WriteLine("Failed to add SendAs permission: " & sUserLDAPPath)
                        objfileError.WriteLine("Error: " & err.Description)
                        fOneError = True
                        fAddedSendAs = False
                        err.Clear
                    Else
                        fAddedSendAs = True
                    End If
                End If

                If (fOneError = False ) Then
                    objUser.SetInfo
                    If (err.number <> 0) Then
                        objfileError.WriteLine("Failed to update user: " & sUserLDAPPath)
                        objfileError.WriteLine("Error: " & err.Description)
                        fOneError = True
                        err.Clear
                    Else
                        ' Update logging: LDAP path, FMA added, Send As added (tab-delimited).
                        objfileOutput.WriteLine(sUserLDAPPath & OUTPUT_DELIMITER & fAddedFMA & OUTPUT_DELIMITER & fAddedSendAs)
                    End If
                End If
            End If

            Set objUser = Nothing
            Set objSDNTsecurity = Nothing
            Set objDACLNT = Nothing
            Set objDACLEX = Nothing
            Set objSDMailbox = Nothing

            If (fOneError = True) Then
                WScript.StdOut.Write("!")
            Else
                WScript.StdOut.Write(".")
            End If
        End If
    Loop

    Set rootDSE = Nothing
    Set objCommand = Nothing
    Set objconn = Nothing
End If

'---------------------------------------------------------------------------
' -Remove mode: read the log file written by -Add and remove exactly the
' permissions that the log says were added.
'---------------------------------------------------------------------------
If (cScriptMode = MODE_REMOVE) Then
    ' Retrieve the granted user from the first line of the import file.
    sGrantedUser = objfileImport.ReadLine
    If (IsValidUserName(sGrantedUser) = False) Then
        WScript.StdOut.WriteLine("Invalid user in import file. Please check the import file.")
        objfileError.WriteLine("Invalid user in import file. Please check the import file.")
        WScript.Quit
    End If

    Do While objfileImport.AtEndOfStream <> True
        fOneError = False
        sUserLDAPPath = EMPTYSTRING
        fAddedFMA = False
        fAddedSendAs = False
        fRemovedFMA = False
        fRemovedSendAs = False
        err.Clear
        sOneRow = objfileImport.ReadLine
        sArraySplit = Split(sOneRow, OUTPUT_DELIMITER)
        ' The first column is the LDAP path.
        sUserLDAPPath = sArraySplit(0)
        ' The second column is Full Mailbox Access permissions.
        fAddedFMA = sArraySplit(1)
        ' The third column is Send As permissions.
        fAddedSendAs = sArraySplit(2)

        Set objUser = GetObject(sUserLDAPPath)
        If (err.number <> 0) Then
            objfileError.WriteLine("Failed to get user object from " & sUserLDAPPath)
            objfileError.WriteLine("Error: " & err.Description)
            fOneError = True
            err.Clear
        End If

        If ((fOneError = False) And (fAddedFMA = "True")) Then
            Set objSDMailbox = objUser.MailboxRights
            Set objDACLEX = objSDMailbox.DiscretionaryAcl
            fRemovedFMA = RemoveFullMailboxAccess(objDACLEX, sGrantedUser)
            If (err.number <> 0) Then
                objfileError.WriteLine("Failed to Remove Full MailboxAccess from " & sUserLDAPPath)
                objfileError.WriteLine("Error: " & err.Description)
                fOneError = True
                err.Clear
            End If
            If (fRemovedFMA = False) Then
                objfileError.WriteLine("Couldn't find Full mailbox access permission on " & sUserLDAPPath)
            End If
            If ((fOneError = False) And (fRemovedFMA = True)) Then
                objSDMailbox.DiscretionaryAcl = objDACLEX
                objUser.MailboxRights = Array(objSDMailbox)
            End If
        End If

        If ((fOneError = False) And (fAddedSendAs = "True")) Then
            Set objSDNTsecurity = objUser.ntSecurityDescriptor
            Set objDACLNT = objSDNTsecurity.DiscretionaryAcl
            fRemovedSendAs = RemoveSendAs(objDACLNT, sGrantedUser)
            If (err.number <> 0) Then
                objfileError.WriteLine("Failed to Remove SendAs from " & sUserLDAPPath)
                objfileError.WriteLine("Error: " & err.Description)
                fOneError = True
                err.Clear
            End If
            If (fRemovedSendAs = False) Then
                objfileError.WriteLine("Couldn't find SendAs permission on " & sUserLDAPPath)
            End If
            If ((fOneError = False) And (fRemovedSendAs = True)) Then
                objSDNTsecurity.DiscretionaryAcl = objDACLNT
                objUser.Put "ntSecurityDescriptor", Array( objSDNTsecurity )
                objUser.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
            End If
        End If

        If ((fOneError = False) And (fRemovedFMA Or fRemovedSendAs)) Then
            objUser.SetInfo
            If (err.number <> 0) Then
                objfileError.WriteLine("Failed to update ADSI for user: " & sUserLDAPPath)
                objfileError.WriteLine("Error: " & err.Description)
                fOneError = True
                err.Clear
            Else
                If ( fRemovedFMA Or fRemovedSendAs ) Then
                    ' Update logging.
                    objfileError.WriteLine("Removed Permission from " & sUserLDAPPath & OUTPUT_DELIMITER & fRemovedFMA & OUTPUT_DELIMITER & fRemovedSendAs)
                End If
            End If
        End If

        If (fOneError = True) Then
            WScript.StdOut.Write("!")
        Else
            WScript.StdOut.Write(".")
        End If
    Loop
End If

CloseImportexportFiles

'---------------------------------------------------------------------------
' Helper functions
'---------------------------------------------------------------------------

' A trustee must be given as DOMAIN\USER.
Function IsValidUserName (sUserName)
    Dim dPosition
    dPosition = InStr(1, sUserName, "\")
    If (dPosition = 0 ) Then
        IsValidUserName = False
        objfileError.WriteLine("Invalid User:" & sUserName)
    Else
        IsValidUserName = True
    End If
End Function

' Look for a Send As ACE (object type = Send As GUID) for sUser in the AD DACL.
' Returns whether one exists and whether it is an Allow or Deny ACE.
Function CheckSendAs (objNTSD, sUser, fSendAs, AccessType)
    Dim intACECount
    Dim objACE
    err.Clear
    fSendAs = False
    AccessType = ADS_ACETYPE_ACCESS_ALLOWED
    intACECount = objNTSD.AceCount
    If intACECount Then
        For Each objACE In objNTSD
            err.Clear
            If ( (UCase(objACE.Trustee) = UCase(sUser)) And (objACE.ObjectType = EX_MB_SEND_AS_GUID) ) Then
                fSendAs = True
                AccessType = objACE.AceType
            End If
        Next
    End If
    If (err.number <> 0) Then
        objfileError.WriteLine("Check SendAs permissions Failed : " & sUser)
        objfileError.WriteLine("Error: " & err.Description)
        err.Clear
        fOneError = True
    End If
    Set objACE = Nothing
End Function

' Look for an ACE for sUser in the mailbox DACL that carries the Full Mailbox
' Access bit. Returns whether one exists and whether it is Allow or Deny.
Function CheckFullMailboxAccess (objACL, sUser, fFoundFMA, AccessType)
    Dim intACECount
    Dim objACE
    err.Clear
    fFoundFMA = False
    AccessType = ADS_ACETYPE_ACCESS_ALLOWED
    intACECount = objACL.AceCount
    If intACECount Then
        For Each objACE In objACL
            If ( (UCase(objACE.Trustee) = UCase(sUser)) And ((objACE.AccessMask And EX_FULLMAILBOX_ACCESSMASK) <> 0)) Then
                fFoundFMA = True
                AccessType = objACE.AceType
            End If
        Next
    End If
    If (err.number <> 0) Then
        objfileError.WriteLine("Check FullMailbox permissions Failed : " & sUser)
        objfileError.WriteLine("Error: " & err.Description)
        err.Clear
        fOneError = True
    End If
    Set objACE = Nothing
End Function

' Remove the Send As ACE for sUser from the AD DACL.
Function RemoveSendAs (objNTSD, sUser)
    Dim intACECount
    Dim objACE
    Dim fFound
    fFound = False
    intACECount = objNTSD.AceCount
    If intACECount Then
        For Each objACE In objNTSD
            If ((UCase(objACE.Trustee) = UCase(sUser)) And (objACE.ObjectType = EX_MB_SEND_AS_GUID) ) Then
                objNTSD.RemoveAce objACE
                fFound = True
            End If
        Next
    End If
    RemoveSendAs = fFound
End Function

' Clear the Full Mailbox Access bit from sUser's ACE in the mailbox DACL.
' The trustee is matched exactly, the same way CheckFullMailboxAccess matches
' it, so that an ACE of another trustee whose name merely contains sUser is
' not touched.
Function RemoveFullMailboxAccess (objACL, sUser)
    Dim intACECount
    Dim objACE
    Dim fFound
    fFound = False
    intACECount = objACL.AceCount
    If intACECount Then
        For Each objACE In objACL
            If ((UCase(objACE.Trustee) = UCase(sUser)) And ((objACE.AccessMask And EX_FULLMAILBOX_ACCESSMASK) <> 0)) Then
                objACE.AccessMask = (objACE.AccessMask Xor EX_FULLMAILBOX_ACCESSMASK)
                fFound = True
            End If
        Next
    End If
    RemoveFullMailboxAccess = fFound
End Function

' Resolve a legacyExchangeDN to the LDAP path of the (single) mailbox-enabled
' user that owns it, via a global catalog search.
' Note: sLegacyDN is inserted into the LDAP filter without escaping, so the
' import file must come from a trusted source (the Exchange tool's output).
Function GetLDAPPathFromLegacyDN (sLegacyDN)
    Dim rsUsers
    Dim sLdapPath
    objCommand.CommandText = "<GC://" & sDomainContainer & ">;(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(legacyExchangeDN=" & sLegacyDN & ")) ))));adspath;subtree"
    objCommand.Properties("searchscope") = ADS_SCOPE_SUBTREE
    objCommand.Properties("Page Size") = 10
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Chase referrals") = (ADS_CHASE_REFERRALS_SUBORDINATE Or ADS_CHASE_REFERRALS_EXTERNAL)
    err.Clear
    Set rsUsers = objCommand.Execute
    If (err.number <> 0) Then
        objfileError.WriteLine("Search for mailbox owners failed, error:" & err.Description)
        fOneError = True
    End If
    If (rsUsers.RecordCount = 0) Then
        objfileError.WriteLine("No mailbox owner user accounts found for " & sLegacyDN & " in " & sDomainContainer & ".")
        fOneError = True
    End If
    If (rsUsers.RecordCount > 1) Then
        objfileError.WriteLine("Multiple mailbox owner user accounts found for " & sLegacyDN & " in " & sDomainContainer & ".")
        fOneError = True
    End If
    sLdapPath = Replace(rsUsers.Fields(0).Value, "GC://", "LDAP://")
    GetLDAPPathFromLegacyDN = sLdapPath
    Set rsUsers = Nothing
End Function

Function CloseImportexportFiles
    objfileError.WriteLine("*******************************************************")
    objfileError.WriteLine("End at " & Date & " " & Time)
    objfileError.WriteLine("*******************************************************")
    objfileError.Close
    objfileOutput.Close
    objfileImport.Close
    Set objFSO = Nothing
    Set objfileError = Nothing
    Set objfileOutput = Nothing
    Set objfileImport = Nothing
End Function

' Open the error log, the import file and (in -Add mode) the output log.
' In -Remove mode the output log of the earlier -Add run is the import file.
Function CreateImportExportFiles
    Dim sErrorsFileName
    Dim sImportFileName
    Dim sOutputFileName
    err.Clear
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    sErrorsFileName = ERROR_FILENAME
    sImportFileName = EMPTYSTRING
    sOutputFileName = EMPTYSTRING
    Select Case cScriptMode
        Case MODE_ADD
            sImportFileName = WScript.Arguments(ARG_INDEX_FILENAME)
            sOutputFileName = OUTPUT_FILENAME
        Case MODE_REMOVE
            sImportFileName = OUTPUT_FILENAME 'Use the output file name as the import file.
            sOutputFileName = EMPTYSTRING
        Case Else
            DisplaySyntax
    End Select

    Set objfileError = objFSO.OpenTextFile(sErrorsFileName, ForAppending, True, TristateTrue)
    objfileError.WriteLine("*******************************************************")
    objfileError.WriteLine("Start at " & Date & " " & Time)
    objfileError.WriteLine("*******************************************************")

    ' The log written by -Add is Unicode; the Exchange tool's import file is ASCII.
    If (cScriptMode = MODE_REMOVE) Then
        Set objfileImport = objFSO.OpenTextFile(sImportFileName, ForReading, False, TristateTrue)
    Else
        Set objfileImport = objFSO.OpenTextFile(sImportFileName, ForReading, False, TristateFalse)
    End If

    If (sOutputFileName <> EMPTYSTRING) Then
        ' Determine whether the output file already exists.
        If (objFSO.FileExists(sOutputFileName)) Then
            Set objfileOutput = objFSO.OpenTextFile(sOutputFileName, ForReading, False, TristateTrue)
            sOneRow = objfileOutput.ReadLine
            ' If the user name in the file differs from the parameter, the process cannot continue.
            If ( sOneRow <> sGrantedUser ) Then
                WScript.StdOut.WriteLine("The Domain\User must be the same as " & sOneRow )
                WScript.Quit
            End If
            Set objfileOutput = objFSO.OpenTextFile(sOutputFileName, ForAppending, True, TristateTrue)
        Else
            Set objfileOutput = objFSO.OpenTextFile(sOutputFileName, ForWriting, True, TristateTrue)
            ' The first line of the log file is the user who is granted the permissions.
            objfileOutput.WriteLine(sGrantedUser)
        End If
    End If

    If (err.number <> 0) Then
        WScript.StdOut.WriteLine("Failed to open Log file, error:" & err.Description)
        WScript.Quit
    End If
End Function

' Build an ACE and append it to the given DACL.
Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName
    ' Determine whether ObjectType has to be set.
    If CStr(gObjectType) <> "0" Then
        Ace1.ObjectType = gObjectType
    End If
    ' Determine whether InheritedObjectType has to be set.
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If
    dacl.AddAce Ace1
    Set Ace1 = Nothing
End Function

Function DisplaySyntax
    WScript.StdOut.WriteLine("Syntax:")
    WScript.StdOut.WriteLine()
    WScript.StdOut.WriteLine("Grant Full mailbox access and SendAs permission to USER based on IMPORT_FILE:")
    WScript.StdOut.WriteLine("  CSCRIPT " & WScript.ScriptName & " -Add DOMAIN\USER IMPORT_FILE")
    WScript.StdOut.WriteLine("  NOTE: """ & OUTPUT_FILENAME & """ will be created for -Remove option ")
    WScript.StdOut.WriteLine()
    WScript.StdOut.WriteLine("Remove Full mailbox access and SendAs permission based on " & OUTPUT_FILENAME & ":")
    WScript.StdOut.WriteLine("  CSCRIPT """ & WScript.ScriptName & """ -Remove ")
    WScript.StdOut.WriteLine()
    WScript.StdOut.WriteLine("For all modes, errors are saved to " & ERROR_FILENAME )
    WScript.Quit
End Function
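Two places in the script above trust their input files: GetLDAPPathFromLegacyDN pastes each legacyExchangeDN from the import file straight into an LDAP search filter, and -Remove mode reads GrantMailboxPermission.log back and acts on whatever it says. The following is an added example, written for this page and not part of KB 941018 or of the Exchange Calendar Update Tool. It shows, in Python rather than VBScript so that it can be run anywhere, the RFC 4515 escaping the script omits, the effect an unescaped value has on the filter, and a strict parser for the log format the -Remove mode depends on. The organisation name, the DN, the LDAP paths and the log contents are constructed sample data; the function names are this example's own.

```python
"""Added example (not code from KB 941018): escape a legacyExchangeDN before
building the script's LDAP search filter, and validate the tab-delimited
GrantMailboxPermission.log that -Remove mode reads. All sample values below
are constructed for the example."""

import re

# RFC 4515, section 3: these characters must be escaped as \XX inside an
# assertion value. Backslash is replaced first so later escapes are not
# escaped a second time.
_LDAP_FILTER_ESCAPES = [
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
]


def escape_ldap_filter_value(value: str) -> str:
    """Escape an attribute value for use inside an LDAP search filter."""
    for raw, escaped in _LDAP_FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_mailbox_owner_filter(legacy_dn: str, escape: bool = True) -> str:
    """Same match the script's GetLDAPPathFromLegacyDN performs (a mailbox-
    enabled user with the given legacyExchangeDN) with the redundant nesting
    collapsed. escape=False reproduces the script's unescaped concatenation."""
    value = escape_ldap_filter_value(legacy_dn) if escape else legacy_dn
    return (
        "(&(mailnickname=*)(objectCategory=person)(objectClass=user)"
        f"(legacyExchangeDN={value}))"
    )


def filter_term_count(ldap_filter: str) -> int:
    """Count attribute=value terms in a filter. The intended filter has four;
    a DN that smuggles in an extra term shows up as a fifth."""
    return len(re.findall(r"\([A-Za-z][A-Za-z0-9-]*=", ldap_filter))


def parse_grant_log(text: str):
    """Parse GrantMailboxPermission.log the way -Remove mode consumes it:
    line 1 is DOMAIN\\USER (rejected without a backslash, as IsValidUserName
    does), then one row per mailbox:
    LDAP path <TAB> FullMailboxAccessAdded <TAB> SendAsAdded.
    Returns (granted_user, [(ldap_path, fma_added, send_as_added), ...])."""
    lines = text.splitlines()
    if not lines or "\\" not in lines[0]:
        raise ValueError("first line must be DOMAIN\\USER")
    granted_user = lines[0]
    rows = []
    for number, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue  # the script would fail on a blank row; skip it here
        parts = line.split("\t")
        if len(parts) != 3 or not parts[0].upper().startswith("LDAP://"):
            raise ValueError(
                f"line {number}: expected 'LDAP path<TAB>True/False<TAB>True/False'"
            )
        fma_added, send_as_added = (p == "True" for p in parts[1:])
        rows.append((parts[0], fma_added, send_as_added))
    return granted_user, rows


# Constructed sample data (not from any real directory).
SAMPLE_DN = "/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=jdoe"
TAMPERED_DN = "*)(cn=Administrator"  # would widen an unescaped search
SAMPLE_LOG = (
    "CONTOSO\\svc-dst\n"
    "LDAP://CN=John Doe,OU=Users,DC=contoso,DC=com\tTrue\tTrue\n"
    "LDAP://CN=Jane Roe,OU=Users,DC=contoso,DC=com\tFalse\tTrue\n"
)

if __name__ == "__main__":
    print(build_mailbox_owner_filter(SAMPLE_DN))
    print(build_mailbox_owner_filter(TAMPERED_DN, escape=False))  # five terms
    print(build_mailbox_owner_filter(TAMPERED_DN))                # four terms
    user, rows = parse_grant_log(SAMPLE_LOG)
    print(user, rows)
```

The point of filter_term_count is only to make the difference visible: with escaping, a value such as the tampered DN stays a literal and the search can at most return nothing, so the script's "No mailbox owner user accounts found" path is taken; without it the value adds a term and the search can resolve to a different account than the one listed.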
Keywords: kbhowto kbinfo KB941018