3.1.3. Script Action: Modify Exchange mailbox permissions (2000/2003)
Function
Modifies the permissions of an existing Exchange 2003/2000 mailbox. The mailbox and user account must exist.
Deployment
This action is typically used in a script that manages existing user accounts and mailboxes. It adds and removes permissions on the mailbox. The user account is identified by a variable (default: %UserObject%), which must have a valid value for the action to execute successfully. The variable is an output variable of the Script Action: Get user (AD) on page 16. The Get User action supports several ways to find the user and fill the variable. With this action you can perform the following functions:
1. Add permissions for another account to the mailbox.
2. Delete permission for a specific account from a mailbox.
3. Set specific mailbox permissions.
Properties
Property Name: User Object
Description: A data structure representing the user account. The property is used to identify the user account for the mailbox and is normally generated as a variable by a previous script action ('Creating user (AD)').
Typical setting: %UserObject%
Remarks: This property specifies the mailbox, which must exist. The mailbox can be created with other actions; see Script Action: Create Exchange Mailbox (2003/2000) on page 93 for more information.

Property Name: Permission: Delete mailbox storage
Description: Set this property to 'Yes' if you want to add the permission 'Delete mailbox storage'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Read permissions
Description: Set this property to 'Yes' if you want to add the permission 'Read permissions'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Change permissions
Description: Set this property to 'Yes' if you want to add the permission 'Change permissions'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Take ownership
Description: Set this property to 'Yes' if you want to add the permission 'Take ownership'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Full mailbox access
Description: Set this property to 'Yes' if you want to add the permission 'Full mailbox access'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Associated external account
Description: Set this property to 'Yes' if you want to add the permission 'Associated external account'.
Remarks: One of the standard permissions you can add to the mailbox. If you specify this permission, you must also specify the permission 'Full mailbox access'.
Property Name: Use special permissions
Description: Set this property to 'Yes' if you want to add a permission entry specified with the properties 'Special permission access mask', 'Special permission inheritance' and 'Special permission deny'.
Remarks: Only use the special permissions if you cannot use the standard permissions. When you add a special permission, you also need to specify the properties 'Special permission access mask' and 'Special permission inheritance'.

Property Name: Special permission access mask
Description: The access mask used for the access control entry that is added to the access control list of the mailbox. If you want to use special permissions, set property 'Use special permissions' to 'Yes'.
Remarks: See Use special permissions.

Property Name: Special permission inheritance
Description: The inheritance settings used for the access control entry that is added to the access control list of the mailbox. If you want to use special permissions, set property 'Use special permissions' to 'Yes'.
Remarks: See Use special permissions.

Property Name: Permission deny flag
Description: A flag indicating if the specified permission is granted or denied. Set to 'Yes' to deny access. When not specified or set to 'No', access is granted.
Remarks: Set this flag to 'Yes' if the permission should be denied instead of granted. Normally you only specify permissions for a mailbox to grant access. You do not need to explicitly deny access to the mailbox.

Property Name: Permission account is other account flag
Description: A flag indicating if the permissions are updated for the account of the mailbox or another account. If set to 'Yes', a permission entry is added or removed for an account other than the account of the mailbox. In this case you must also specify property 'Permission account name' or 'Permission account SID'.
Remarks: You can add or remove permissions for the user account of the mailbox or another account. If you don't set this property to 'Yes', the specified permissions are updated for the account of the mailbox. If you want to update permissions for another account, you need to set this property to 'Yes' and specify one of the following properties to identify the other user account: 'Permission account name' or 'Permission account SID'.

Property Name: Permission account name
Description: The name of an account for which a permission is added or permissions are removed. If you want to use this property, you must also set the property 'Permission account is other account flag'.
Remarks: See Permission account is other account flag.
Property Name: Permission account SID
Description: The security identifier (SID) of an account for which a permission is added or permissions are removed. If you want to use this property, you must also set the property 'Permission account is other account flag'.
Remarks: See Permission account is other account flag.

Property Name: Remove account permission entries
Description: A flag indicating if the permissions must be added or removed. If set to 'Yes', the permissions for the specified account (properties: 'Permission account is other account flag' and 'Permission account name' or 'Permission account SID') are removed from the mailbox access control list.
Remarks: To remove permissions from the mailbox, set this flag to 'Yes'. If another account is specified, the permissions for this account are removed from the mailbox. If no other account is specified, the explicit permissions for the account of the mailbox are removed.
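
The dependencies between these properties can be checked before a script is run. The following Python lint is an added example, not part of the product or its documentation: it takes a dict keyed by the property names above, reports violated dependencies and returns the access control entry the settings describe. The numeric mask values are an assumption (Microsoft's documented Exchange 2000/2003 mailbox-rights constants, which this page does not list), and the sample input is constructed.

```python
# Added example, not product code. Mask values are an assumption: Microsoft's
# documented Exchange 2000/2003 mailbox-rights constants (not given on the page).
STANDARD_RIGHTS = {
    "Permission: Delete mailbox storage": 0x00010000,
    "Permission: Read permissions": 0x00020000,
    "Permission: Change permissions": 0x00040000,
    "Permission: Take ownership": 0x00080000,
    "Permission: Full mailbox access": 0x00000001,
    "Permission: Associated external account": 0x00000004,
}
OTHER = "Permission account is other account flag"

def yes(props, name):
    return props.get(name) == "Yes"  # a property counts only when exactly 'Yes'

def lint(props):
    """Check the property dependencies; return (errors, planned_entry)."""
    errors = []
    name = props.get("Permission account name")
    sid = props.get("Permission account SID")
    if yes(props, OTHER) and not (name or sid):
        errors.append("other account flagged but no account name or SID")
    if (name or sid) and not yes(props, OTHER):
        errors.append("account name/SID set without the other account flag")
    if yes(props, "Permission: Associated external account") and not yes(
            props, "Permission: Full mailbox access"):
        errors.append("Associated external account needs Full mailbox access")
    special = None
    if yes(props, "Use special permissions"):
        raw = props.get("Special permission access mask")
        inherit = props.get("Special permission inheritance")
        if raw is None or inherit is None:
            errors.append("special permissions need access mask and inheritance")
        else:
            special = (int(str(raw), 0), inherit)  # accepts 131072 or "0x20000"
    mask = 0
    for prop, bit in STANDARD_RIGHTS.items():
        if yes(props, prop):
            mask |= bit
    remove = yes(props, "Remove account permission entries")
    entry = {
        "trustee": (sid or name) if yes(props, OTHER) else props.get("User Object"),
        "operation": "remove" if remove else "add",
        "type": "deny" if yes(props, "Permission deny flag") else "allow",
        "mask": mask, "special": special,
    }
    return errors, entry

# Constructed sample: a delegation that forgets 'Full mailbox access'.
SAMPLE = {"User Object": "%UserObject%", OTHER: "Yes",
          "Permission account SID": "S-1-5-21-0-0-0-1001",
          "Permission: Associated external account": "Yes"}
```

Calling lint(SAMPLE) reports the missing 'Full mailbox access' setting; an empty error list means the property set is internally consistent.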