如何在创建Exchange邮箱时设置权限

本页

概要

更多信息

Exchange 2000 或 2003 中邮箱启用过程的简要概述

msExchMailboxSecurityDesciptor 属性

使用 msExchMailboxSecurityDescriptor 属性的限制

使用 msExchMailboxSecurityDescriptor 属性的优点

设置 Visual Basic 环境以运行 Visual Basic 示例

Visual Basic 代码

Visual Basic 脚本代码

参考

这篇文章中的信息适用于:

概要本文介绍在 Microsoft Active Directory 目录服务中为用户对象启用邮箱时，如何以编程方式修改 Microsoft Exchange Server 2000 或 2003 邮箱的邮箱权限。

本文包含示例代码，向您显示在已经为 Exchange 2000 或 2003 信息存储区中的用户创建了实际邮箱之前，并且已经在 Active Directory 中为用户对象启用了邮箱之后，如何设置 Exchange 2000 或 2003 邮箱的邮箱权限。

注意：如果 Exchange 2000 或 2003 信息存储区中已经存在邮箱，则此代码不起作用。换句话说，如果用户的邮箱已经被访问，则该代码不会影响用户邮箱的实际邮箱权限。有关在信息存储区中已经创建 Exchange 2000 邮箱前后如何设置该邮箱的邮箱权限的更多信息，请单击下面的文章编号，以查看 Microsoft 知识库中相应的文章： 310866 (http://support.microsoft.com/kb/310866/) 如何设置信息存储区中现有邮箱的 Exchange Server 2003 和 Exchange 2000 Server 邮箱权限

更多信息在 Exchange 2000 或 2003 组织中，邮箱包含两部分（在 Microsoft Windows 2000 或 Microsoft Windows Server 2003 域环境中）。 %26#8226;

Active Directory 启用了邮箱的用户：这只是 Active Directory 中的用户对象。此用户对象上设置了多个相关邮件属性和相关邮箱属性。

%26#8226;

Exchange 信息存储区中的邮箱文件夹：这是用户实际邮件的存储位置，其中设置了多个特定于邮箱的属性。

邮箱权限存储在安全描述符属性中，该属性位于信息存储区的邮箱中。Active Directory 用户对象还有一个名为 msExchMailboxSecurityDescriptor 的属性。此属性设计为仅用于反映用户邮箱的邮箱权限。

Exchange 2000 或 2003 中邮箱启用过程的简要概述下面是在 Active Directory 中创建 Exchange 2000 或 2003 启用了邮箱的用户通常所采取的步骤： 1.

域管理员从“Active Directory 用户和计算机”(ADUnC) 管理单元或从使用 Active Directory Services Interfaces (ADSI) 的代码，创建 Active Directory 用户对象并启用用户帐户。

域管理员然后从 ADUnC 或通过 Collaboration Data Objects for Exchange Management (CDOEXM) 中的 ImailboxStore 接口以编程方式为此用户启用邮箱。本文的“参考”一节中包含一个指向有关 IMailboxStore 接口的文档的链接。不支持除 CDOEXM 之外的任何用于以编程方式为用户对象启用邮箱的方法。

这两种方法可以确保在为用户对象启用邮箱时该用户对象的 msExchMailboxSecurityDescriptor 属性和其他多个属性设置正确。此步骤主要设置 Active Directory 中用户对象的邮件属性和邮箱属性的小子集。此时，用户的邮箱还不能访问。

根据计划运行的时间，Exchange 2000 或 2003 服务器上运行的收件人更新服务 (RUS) 会对此用户对象的其余所有相关邮件属性和相关邮箱属性进行标记。此时，尚未在 Exchange 2000 或 2003 信息存储区中创建用户的邮箱。但是，已经完全为用户启用了邮箱。现在，邮箱已经可以访问。

用户第一次访问邮箱或第一封邮件被路由到邮箱时，将在 Exchange 2000 或 2003 信息存储区中创建实际邮箱。此时，当 Exchange 为用户创建邮箱时，将在存储区中邮箱的安全描述符中设置邮箱权限。这基于 msExchMailboxSecurityDescriptor 属性中设置的访问控制条目 (ACE)。

msExchMailboxSecurityDesciptor 属性此属性存在于 Active Directory 中的用户对象中。它存储用户的邮箱安全描述符的部分副本。此属性不链接回用户的邮箱安全描述符。

换句话说，如果直接修改此属性，将不会更新 Exchange 信息存储区中用户的邮箱中的实际邮箱安全描述符，除非在信息存储区中创建实际邮箱之前设置此属性。

实际上，如果由 Active Directory 中用户对象的 msExchMailboxSecurityDescriptor 属性反映的安全描述符和信息存储区中用户邮箱中存储的安全描述符之间有冲突，Exchange 会修复 msExchMailboxSecurityDescriptor 属性以反映用户邮箱中的安全描述符。如果从 ADUnC 或通过 CDOEXM IExchangeMailbox 接口修改用户邮箱的安全描述符，则 msExchMailboxSecurityDescriptor 属性会自动更新以反映这些更改。

使用 msExchMailboxSecurityDescriptor 属性的限制%26#8226;

仅当在信息存储区中创建邮箱之前设置此属性时，对此属性进行的更改才会反映在用户邮箱的安全描述符中。注意，当 Active Directory 中启用了邮箱的用户第一次访问邮箱或所有邮件都发送到此用户时，将在 Exchange 存储区中创建此用户的 Exchang 2000 和 2003 邮箱。

%26#8226;

此属性的另一个限制是该属性不反映实际邮箱的安全描述符中任何继承的 ACE。因此，读取此目录属性不是读取用户的邮箱权限的最准确的方法。

使用 msExchMailboxSecurityDescriptor 属性的优点%26#8226;

此属性在 Active Directory 中的用户对象上定义。因此，可以使用任何与轻型目录访问协议 (LDAP) 兼容的 API（如 ADSI API 或 LDAP API）访问该属性。

%26#8226;

因为此代码不需要 CDOEXM，所以您可以从未安装 Microsoft Exchange 2000 和 2003 系统管理工具的服务器运行该代码。但是同样必须在信息存储区中创建用户邮箱之前设置邮箱权限。另外，您可以随时读取此用户邮箱的邮箱权限。但是请记住本文中提到的限制。（请参阅“使用 msExchMailboxSecurityDescriptor 属性的限制”一节。）

如果未在信息存储区中创建实际邮箱之前设置启用了邮箱的用户的 msExchMailboxSecurityDescriptor 属性，则信息存储区中邮箱的实际安全描述符属性将不包含具有下列内容的 ACE： %26#8226;

受信者属性设置为本人

%26#8226;

访问掩码属性设置为邮箱完全控制权限

%26#8226;

读取权限设置为允许

%26#8226;

ACE 类型设置为允许

如果是这种情况，则当用户尝试访问公用文件夹或本地 Exchange 服务器之外的任何资源时，可能会遇到问题。CDOEXM 库中的 IMailboxStore 接口之所以是唯一受支持的以编程方式针对 Exchange 2000 或 2003 存储区为 Active Directory 用户启用邮箱的机制，这是其中一个原因。下面的示例向您显示如何使用 ADSI 和 CDOEXM 在 Active Directory 中创建启用了邮箱的用户对象。然后，手动设置 msExchMailboxSecurityDescriptor 接口以包含具有代码中指定的受信者的 ACE。此示例的唯一目的就是向您显示如何在访问用户邮箱以及在信息存储区中创建用户邮箱之前设置此属性（如果该属性以前未正确设置）。

设置 Visual Basic 环境以运行 Visual Basic 示例1.

在 Exchange 2000 或 2003 服务器上启动 Microsoft Visual Basic 6.0。

创建一个新的标准 EXE 项目。为此，请单击文件菜单上的新建，然后双击标准 EXE。

在项目菜单上，单击引用，然后选择“活动 DS 类型库”和“Microsoft CDO for Exchange Management”。

在窗体的源视图中，键入或粘贴以下代码以替换 Form_Load() 子例程。

将变量 sUserADsPath 中设置的值更改为您要查看或修改其邮箱权限的 Active Directory 用户对象的 LDAP 路径。

注意：此示例向您显示了如何读取 msExchMailboxSecurityDescriptor 属性中存储的邮箱权限的副本。它还显示了如何修改邮箱权限以及向作为受信者的本人 ACE 添加邮箱完全控制权限的 ACE。

回到顶端

Visual Basic 代码'********************************************************************'*'* Function AddAce(dacl, TrusteeName, gaccessMask, gAceType,'* gAceFlags, gFlags, gObjectType, gInheritedObjectType)'*'* Purpose: Adds an ACE to a DACL'* Input: dacl Object's Discretionary Access Control List'* TrusteeName SID or Name of the trustee user account'* gAccessMask Access Permissions'* gAceType ACE Types'* gAceFlags Inherit ACEs from the owner of the ACL'* gFlags ACE has an object type or inherited object type'* gObjectType Used for Extended Rights'* gInheritedObjectType'*'* Output: Object - New DACL with the ACE added'*'********************************************************************Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType) Dim Ace1 ' Create a new ACE object Set Ace1 = CreateObject("AccessControlEntry") Ace1.AccessMask = gAccessMask Ace1.AceType = gAceType Ace1.AceFlags = gAceFlags Ace1.Flags = gFlags Ace1.Trustee = TrusteeName 'Check to see if ObjectType needs to be set If CStr(gObjectType) "0" Then Ace1.ObjectType = gObjectType End If 'Check to see if InheritedObjectType needs to be set If CStr(gInheritedObjectType) "0" Then Ace1.InheritedObjectType = gInheritedObjectType End If dacl.AddAce Ace1 ' Destroy objects Set Ace1 = NothingEnd FunctionPRivate Sub Form_Load()Dim objContainer As IADsContainerDim objUser As IADsUserDim objmailbox As CDOEXM.IMailboxStoreDim oSecurityDescriptor As SecurityDescriptorDim dacl As AccessControlListDim ace As AccessControlEntry' ********************************************************************' You must change this variable according to your environment'sContainerADsPath = "LDAP://domain.com/cn=Users,DC=domain,DC=com"sUserLoginName = "testUser"sUserFirstName = "Test"sUserLastName = "User"sMBXStoreDN = "CN=Mailbox Store (ExServer),CN=First Storage Group," %26amp; _ "CN=InformationStore,CN=ExServer,CN=Servers,CN=AdminGP," %26amp; _ "CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange," %26amp; _ "CN=Services,CN=Configuration,DC=domain,DC=com"sTrustee = "domainName\userName"' ********************************************************************' Get directory container object objectSet objContainer = GetObject(sContainerADsPath)' Create the user object in the target container in Active DirectorySet objUser = objContainer.Create("User", "CN=" %26amp; sUserFirstName %26amp; " " %26amp; _ sUserLastName)objUser.Put "samAccountName", sUserLoginNameobjUser.Put "givenName", sUserFirstNameobjUser.Put "sn", sUserLastNameobjUser.SetInfoobjUser.SetPassWord "password"objUser.SetInfo' Mailbox-enable the user object by using the CDOEXM::IMailboxStore' interface' This also sets the msExchMailboxSecurityDescriptor appropriatelySet objMailbox = objUserobjMailbox.CreateMailbox sMBXStoreDNobjUser.SetInfo'**************************************************************************' The msExchMailboxSecurityDescriptor attribute is a backlink attribute' from the Exchange Mailbox in the Web store to the directory. What this' implies is that the mailbox rights are stored on the actual mailbox in' the Web store and this directory attribute reflects these mailbox' rights.' By default, changing this attribute does not affect the mailbox rights' in the store. This attribute can only be modified before the actual' mailbox in the store is created. If it is set before the mailbox in' the Web store is created, Exchange will use the DACL set on this' attribute as the DACL for mailbox rights on the mailbox in the store.' Therefore, it can only be set before the mailbox-creation time.' On installing Exchange 2000 SP2 on the Exchange Server where this code' is being run, that would enable modifying the actual mailbox rights' even after mailbox creation.'**************************************************************************' Get the copy Mailbox Security Descriptor (SD) stored on the' msExchMailboxSecurityDescriptor attributeobjUser.GetInfoEx Array("msExchMailboxSecurityDescriptor"), 0Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")' Extract the Discretionary Access Control List (ACL) using the' IADsSecurityDescriptor interfaceSet dacl = oSecurityDescriptor.DiscretionaryAcl'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' The following block of code demonstrates reading all the ACEs on a' DACL for the Exchange 2000 mailbox.'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''Debug.Print "Here are the existing ACEs the mailbox's DACL - "' Enumerate all the access control entries (ACEs) in the ACL using' the IADsAccessControlList interface, thus displaying the current' mailbox rightsDebug.Print "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"Debug.Print "------- ---------- ------- -------- ----- ----------" %26amp; _ " -------------------"Debug.PrintFor Each ace In dacl' Display all the ACEs' properties by using the IADsAccessControlEntry' interface Debug.Print ace.Trustee %26amp; ", " %26amp; ace.AccessMask %26amp; ", " %26amp; _ ace.AceType %26amp; ", " %26amp; ace.AceFlags %26amp; ", " %26amp; ace.Flags %26amp; ", " %26amp; _ ace.ObjectType %26amp; ", " %26amp; ace.InheritedObjectTypeNext'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' The following block of code demonstrates adding a new ACE to the DACL' for the Exchange 2000 mailbox with the Trustee specified in sTrustee,' giving allow "Full Control" over this mailbox.' This is the same task that is performed by ADUnC when selecting Add,' specifying the Trustee, and checking the "Full Mailbox Access" Rights' checkbox under the Mailbox Rights in the Exchange Advanced tab on the' properties of a user.' Similarly, you could remove ACEs from this ACL as well using the' IADsAccessControlEntry interfaces.'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Template: AddAce(TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)' Setting the Access Mask to 131075 enables "full mailbox access" and' "read" privilegesAddAce dacl, sTrustee, 131075, _ ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0' Add the modified DACL back onto the Security DescriptoroSecurityDescriptor.DiscretionaryAcl = dacl' Save New SD onto the userobjUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor' Commit changes from the property cache to the Information StoreobjUser.SetInfoMsgBox "Done viewing and modifying the copy of the Mailbox Security Descriptor"End Sub

回到顶端

Visual Basic 脚本代码Dim objContainerDim objUserDim objMailboxDim oSecurityDescriptorDim daclDim ace' ********************************************************************' You must change this variable according to your environment'sContainerADsPath = "LDAP://domain.com/cn=Users,DC=domain,DC=com"sUserLoginName = "testUser"sUserFirstName = "Test"sUserLastName = "User"sMBXStoreDN = "CN=Mailbox Store (ExServer),CN=First Storage Group," %26amp; _ "CN=InformationStore,CN=ExServer,CN=Servers,CN=AdminGP," %26amp; _ "CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange," %26amp; _ "CN=Services,CN=Configuration,DC=domain,DC=com"sTrustee = "domainName\userName"' ********************************************************************' Get directory container object objectSet objContainer = GetObject(sContainerADsPath)' Create the user object in the target container in Active DirectorySet objUser = objContainer.Create("User", "CN=" %26amp; sUserFirstName %26amp; " " %26amp; _ sUserLastName)objUser.Put "samAccountName", sUserLoginNameobjUser.Put "givenName", sUserFirstNameobjUser.Put "sn", sUserLastNameobjUser.SetInfoobjUser.SetPassword "password"objUser.SetInfo' Mailbox enable the user object by using the CDOEXM::IMailboxStore' interface' This also sets the msExchMailboxSecurityDescriptor appropriatelySet objMailbox = objUserobjMailbox.CreateMailbox sMBXStoreDNobjUser.SetInfo'**************************************************************************' The msExchMailboxSecurityDescriptor attribute is a backlink attribute' from the Exchange Mailbox in the Web Store to the directory. What this' implies is that the mailbox rights are stored on the actual mailbox in' the Web store and this directory attribute reflects these mailbox' rights.' By default, changing this attribute does not affect the mailbox rights' in the store. This attribute can only be modified before the actual' mailbox in the store is created. If it is set before the mailbox in' the Web store is created, Exchange will use the DACL set on this' attribute as the DACL for mailbox rights on the mailbox in the store.' Therefore, it can only be set before the mailbox creation time.' On installing Exchange 2000 SP2 on the Exchange Server where this code' is being run, that would enable modifying the actual mailbox rights' even after mailbox creation.'**************************************************************************' Get the copy Mailbox Security Descriptor (SD) stored on the' msExchMailboxSecurityDescriptor attributeobjUser.GetInfoEx Array("msExchMailboxSecurityDescriptor"), 0Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")' Extract the Discretionary Access Control List (ACL) using the' IADsSecurityDescriptor interfaceSet dacl = oSecurityDescriptor.DiscretionaryAcl'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' The following block of code demonstrates reading all the ACEs on a' DACL for the Exchange 2000 mailbox.'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''Wscript.echo "Here are the existing ACEs the mailbox's DACL - "' Enumerate all the access control entries (ACEs) in the ACL using' the IADsAccessControlList interface, thus displaying the current' mailbox rightsWscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"Wscript.echo "------- ---------- ------- -------- ----- ----------" %26amp; _ " -------------------"Wscript.echoFor Each ace In dacl' Display all the ACEs' properties using the IADsAccessControlEntry' interface Wscript.echo ace.Trustee %26amp; ", " %26amp; ace.AccessMask %26amp; ", " %26amp; _ ace.AceType %26amp; ", " %26amp; ace.AceFlags %26amp; ", " %26amp; ace.Flags %26amp; ", " %26amp; _ ace.ObjectType %26amp; ", " %26amp; ace.InheritedObjectTypeNext'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' The following block of code demonstrates adding a new ACE to the DACL' for the Exchange 2000 mailbox with the Trustee specified in sTrustee,' giving allow "Full Control" over this mailbox.' This is the same task that is performed by ADUnC when selecting Add,' specifying the Trustee, and checking the "Full Mailbox Access" Rights' checkbox under the Mailbox Rights in the Exchange Advanced tab on the' properties of a user.' Similarly, you could remove ACEs from this ACL as well using the' IADsAccessControlEntry interfaces.'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Template: AddAce(TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)' Setting the Access Mask to 131075 enables "full mailbox access" and' "read" priviledgesAddAce dacl, sTrustee, 131075, _ ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0' Add the modified DACL back onto the Security DescriptoroSecurityDescriptor.DiscretionaryAcl = dacl' Save New SD onto the userobjUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor' Commit changes from the property cache to the information storeobjUser.SetInfoMsgBox "Done viewing and modifying the copy of the Mailbox Security Descriptor"'********************************************************************'*'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,'* gAceFlags, gFlags, gObjectType, gInheritedObjectType)'*'* Purpose: Adds an ACE to a DACL'* Input: dacl Object's Discretionary Access Control List'* TrusteeName SID or Name of the trustee user account'* gAccessMask Access Permissions'* gAceType ACE Types'* gAceFlags Inherit ACEs from the owner of the ACL'* gFlags ACE has an object type or inherited object type'* gObjectType Used for Extended Rights'* gInheritedObjectType'*'* Output: Object - New DACL with the ACE added'*'********************************************************************Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType) Dim Ace1 ' Create a new ACE object Set Ace1 = CreateObject("AccessControlEntry") Ace1.AccessMask = gAccessMask Ace1.AceType = gAceType Ace1.AceFlags = gAceFlags Ace1.Flags = gFlags Ace1.Trustee = TrusteeName 'Check to see if ObjectType needs to be set If CStr(gObjectType) "0" Then Ace1.ObjectType = gObjectType End If 'Check to see if InheritedObjectType needs to be set If CStr(gInheritedObjectType) "0" Then Ace1.InheritedObjectType = gInheritedObjectType End If dacl.AddAce Ace1 ' Destroy objects Set Ace1 = NothingEnd Function

参考有关 CDOEXM IMailboxStore::CreateMailbox 的更多信息，请访问下面的 Microsoft 网站： http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/_cdo_imailboxstore_createmailbox.asp (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/_cdo_imailboxstore_createmailbox.asp)

有关 ADSI 中相关安全接口的更多信息，请访问下面的 Microsoft 网站： http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/security_interfaces.asp (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/security_interfaces.asp)

Adssecurity.dll 是 Active Directory Service Interfaces (ADSI) 2.5 资源工具包的一部分。要下载 ADSI 2.5 资源工具包，请访问下面的 Microsoft 网站。使用 Regsvr32 注册 ADsSecurity.dll。 http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/default.asp (http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/default.asp)

有关关联的外部帐户的更多信息，请单击下面的文章编号，以查看 Microsoft 知识库中相应的文章： 278888 (http://support.microsoft.com/kb/278888/) 如何将 Exchange 2000 邮箱或 Exchange 2003 邮箱与 Windows NT 4.0 帐户关联

这篇文章中的信息适用于:%26#8226;

Microsoft Exchange Server 2003 Standard Edition

%26#8226;

Microsoft Exchange 2000 Server 标准版

%26#8226;

Microsoft Windows Server 2003 Standard Edition

%26#8226;

Microsoft Windows 2000 Server

%26#8226;

Microsoft Active Directory Service Interfaces 2.5

%26#8226;

Microsoft Collaboration Data Objects for Exchange Management 1.1

关键字：

kbdswadsi2003swept kbhowto KB304935