List public folders where a specific name/id is listed as a contact???

Post by Trent » Wed, 30 Nov 2005 23:52:36


Hi All,
We have an employee that moved to another division of the company.
He has access to a great number of public folders under our groups sub
folder and is listed as Owner of many of them.
We have been trying to identify which folders he still has access to so that
his name can be removed from them and which ones he is owner of so that
ownership can be set to someone else.

Is there a way to iterate through the public folders looking for a specific
ID and returning the name of the folder so we have a list to work from?
We have better than a thousand public folders to look through and any given
person that might be involved may not be able to see those folders.
Our security folks will have to make the changes but they will not look
through all of these folders/sub-folders manually to see if a name happens
to exist in them and then they would need a new name in each specific
instance to assign as owner where appropriate.

If it is possible to automate generating the list then the person with
rights to all of the folders can generate the list, we mark up which folders
need changing and then they can make specific changes. Our security group
is not aware of a method to do this on the exchange server.
Any chance someone has a bit of code to do something similar that I can work
with?

Thanks.
Trent

Post by Glen Scales » Thu, 01 Dec 2005 14:02:23

There are three ways I could think you could go about this. The first is to
use PFdavadmin to export the permissions on all the folders to a file and
then just parse through the file to look for that user ID (use Tools-Export).

Write a script that crawls the public folders, either using CDO 1.2 and the
ACL dll to enumerate the DACL on each folder and check the ACEs, or use
WebDAV and the http://www.yqcomputer.com/
do the same thing. I've kind of done something a little similar here
http://gsexdev.blogspot.com/2005/11/displaying-public-folders-creator-and.html
Remember folder contact and folder owner are two separate permissions.

You might also want to look at a third party app like
http://www.yqcomputer.com/

Cheers
Glen

Post by Trent » Thu, 01 Dec 2005 22:11:40

Sorry, I was not very clear on specifically what I was looking for. When I
view the properties of a folder I do not have rights to other than as a
member of Default or Anonymous then under the Summary tab it displays names
as Folder Contacts. In folders I have rights to I see names under the
Permissions tab with Role assignments.
I assume that names are referenced from the same location and are not two
different sets of properties for the folder?
I am not familiar with the data structures for the exchange server so am not
clear on the proper terms to use and simply viewing from within Outlook can
make things unclear. :)

I have been trying the script you created but without success so far. I get
access denied errors trying to run the script and I suspect that
authentication is required. Do you know what the syntax would be to pass
ID/Password to the server from your script? Do you think that may be the
issue? It is the generic error code 80070005 Source: msxml3.dll.
I am executing the vbs code from my PC, not on the server which I do not
have direct access to.

It sounds as if your script will report the information I am looking for but
I assume it only goes after the folder name specified in the folderurl
variable?

Can you point me toward a script that would crawl through all folders and
return their names/paths starting at a specified level?
I do not know enough about exchange to know where to start and suspect that
reading up on the subject may take a good deal longer to do than I have
available right now. I can understand the scripts well enough though and
modify them to suit my need. If I can come up with a script that returns
each folder name/path I can wrap your code in a function and call it from
the folder crawling code to build a list of all sub-folders and folder
contacts for that folder. I am not too concerned about individual rights as
I am only really looking to identify the existence of a single user ID in a
folder. I can parse out the information later.

Our exchange server is 2000, I am working from a Windows 2000 PC. The web
access server is outside of our firewall which is why I believe I am having
authentication problems. I am searching now to see if we have an internal
server I can access, I know they used to exist but have been unable to find
a server name as of yet.

Thanks for the info, I will play around with the script to see if I can get
it to work.

One more question, if I can get this script working here, will it return all
folder names even if I do not have folder visible rights to see them in
Outlook? Or will I have to get the script working as best I can and then
give it over to someone with higher rights to get a complete list?

Thanks again.
Trent

Post by Trent » Thu, 01 Dec 2005 22:37:16

Well, I feel silly. It took a while to occur to me that the webdav server
would be the same as the exchange server, not a separate box so I am now
able to get to the server internally and authentication is not a problem.

I also found that particular folder groups are on different servers so had
to determine where our divisional folders started and the script is now
working. If I can get it to iterate through folders and sub folders it
should do exactly what I need it to do but so far I have not been able to
find any sample code that will iterate through folders.
Once I can set a starting path and let it return all information for sub
folders under that path I will set it to either export to a file or submit
as an email. I have no experience working with XML but should be able to
modify the code to filter for a specific ID and if not I can always parse it
out with another program later on.

Thanks again.

Post by Glen Scales » Fri, 02 Dec 2005 09:05:42

The code I usually use to do a public folder crawl is the webdav code from
http://support.microsoft.com/?id=320071 . Although this is meant to iterate
through the folders of a mailbox and get the size of each folder it can be
easily adapted to do whatever you want on a folder. Getting it to do a
public folder tree is just a matter of changing a few lines.

Change

sUrl = "http://" & obArgs.Item(0) & "/exchange/" & obArgs.Item(1) & "/NON_IPM_SUBTREE"

to

sUrl = "http://" & obArgs.Item(0) & "ExAdmin/Admin/youdomain.com/public folders/"

Cheers
Glen

Post by Michael » Fri, 02 Dec 2005 16:13:05

I suggest you use WebDAV and the SEARCH method to search inside public folders.
With search you can easily get the folder structure and also you can specify which properties to return to you.

Do you want to also get permission property of folders to find out who has permissions on the folders?

Michael
-------------------------------
If you need WebDAV API for Exchange server,
use our component WebDAV .NET for Exchange.
Check out http://www.independentsoft.com

Post by Trent » Fri, 02 Dec 2005 21:12:20

Permissions would be a bonus.
My current goal is to identify all of the folders with a specific ID
assigned rights in that folder so that it can be removed.
Adding the ability to report specific rights would be useful in the future.
If this is successful I will set the app up to allow conditional filtering
as far as I can go and give it to our Information Security group so they can
perform this work in the future.
Without being able to provide them a list of folders to remove the ID from,
it is unlikely that they would put much effort into finding and removing
that ID. The person still works for the company and so still has access to
many many folders containing sensitive information that he should no longer
be able to access and that makes me uneasy, hence the effort to identify
what needs to be changed.

It really seems to me like this would be a common need and should be part of
Info Sec's standard procedures.

Post by Trent » Fri, 02 Dec 2005 22:50:36

I gave the code a try with your modification below. I assume that I needed
the forward slash before ExAdmin to separate it from the server name.
Unfortunately, it appears that to use this script I have to have an admin
account on the server???

I tried using the below URL to hit the server directly just to make certain
the path was good. It prompts me with the login box which is a good sign
but something interesting occurs.
If I use my domain ID to attempt a login it fails and when I hit cancel on
the login box I get the large bold lettered HTTP/1.1 401 Unauthorized
message.
But if I use the left portion of my SMTP address before the @ I still do not
get into the system but when I hit cancel I get what appears to be a server
generated Access Denied error rather than the browser 401 Unauthorized.
Does this mean I need my SMTP ID for the login credentials? I do not know
how it could resolve that ID to a valid password if that is what it needs.

If it truly requires an Admin account all of the above is moot as there is
no way I would be able to work on and test the code.

As for your other suggestions about using some of the available tools for
doing this type of lookup, the corporate environment we are in will not
allow us to obtain or install any software without significant effort and I
assume that those tools would require use by someone at an administrative
level anyway. The area that would need to install and use the tools would
not be easily convinced that the need we are stating offsets the amount of
effort required to get approval to acquire and install the tools and it
would involve a lot of corporate politics to push the issue which I doubt
that we could win at this time.
If I were able to provide them with a tool I put together that specifically
addresses the problem I am asking them to correct then the reception would
be a lot warmer and possibly even open their eyes to the larger need for
action on this type of security issue. At the very least if I were able to
personally generate the list of changes needed and give it to them I would
at least manage to get my own issues resolved.

I end up doing all the legwork for something they should take care of for us
but there is little hope of getting it taken care of otherwise.

If I can find a way to crawl the Public Folders only, even if it only
reveals folders the current ID has rights to see then I can turn the app
over to our Help Desk folks who have administrative rights to all of our
exchange folders and they could generate the report for me.

Thank you for all the assistance you have given so far. I am further along
than I was anyway. Once I find a way to iterate through the folders or to
at least generate a list of folder paths/names I can write a function that
will loop through the list calling your function for retrieving the XML page
with each folders info.

Post by Glen Scales » Sat, 03 Dec 2005 09:03:35

Using the Administrative Virtual Root will require some level of Delegated
Exchange Administrative rights; "view only admin" should work okay. The
advantage of using the Administrative virtual root is that it allows you to
still be able to view and set the security setting on a folder even if that
user is not listed on the DACL, and also it should work if there are no local
replicas of that folder on the server you are querying. You could also try
just using the normal public folder root http://servername/public ; this
should work with a normal user ID okay; you may run into problems if there is
no folder replica on the server you are querying.

With logons, are you using Form Based authentication on your Exchange server
(this is only available on Exchange 2003)? If so you need to add some extra
code to deal with the FBA logon and cookies. Otherwise using domain/userid
should work (a normal user id won't work on the admin virtual root; it needs
delegated Exchange rights).

PfDavadmin is a pretty small app that can be installed on any PC. It only
requires that you have the .NET framework installed, and it does require that you
have at least View Only Exchange admin rights. It's a pretty useful little
app for a lot of things; you might find your admin department already uses it, if
not you might be able to turn them on to a good thing. It's also free:
http://www.microsoft.com/downloads/details.aspx?FamilyID=635BE792-D8AD-49E3-ADA4-E2422C0AB424&displaylang=en

Cheers
Glen

Post by Trent » Sat, 03 Dec 2005 22:30:04

Excellent, it is working.
It had not occurred to me to substitute the path with one similar to what I
was using in your script to return contact info.
I was running under the false assumption that to get to the object I had to
go through ExAdmin.
The current Microsoft script is already pulling the folder path/name so it
is nothing at all to modify it to suit my own needs.
I can use that value to call your function to look up contacts and write the
path and contact info to a global value that I can deal with later.

Thank you very much for your help. I can figure out code but when it comes
to accessing any objects on the exchange server I am lost as I have no idea
of the structure or methods to access. Once I get something close to what I
need I can generally figure out what to do though.

Thanks again.
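
The crawl-and-check procedure this thread converges on (walk the public folder tree over WebDAV, then look for one account on each folder's ACL), as an added Python example; it is not code from any poster or from the Microsoft script. Assumptions: fetch is a hypothetical callable that performs the authenticated PROPFIND, the server ex01 and the accounts are made up, and the descriptor element names (dacl, nt4_compatible_name) and the isfolder value 1 are assumed from Exchange's XML security descriptor, with the responses constructed for illustration.

```python
import xml.etree.ElementTree as ET

DAV, SEC = "{DAV:}", "{http://schemas.microsoft.com/security/}"  # SEC is assumed
# Body for a PROPFIND sent with "Depth: 1": folder flag plus security descriptor.
PROPFIND = ('<?xml version="1.0"?><a:propfind xmlns:a="DAV:" '
            'xmlns:b="http://schemas.microsoft.com/exchange/security/">'
            '<a:prop><a:isfolder/><b:descriptor/></a:prop></a:propfind>')

def folders_naming(root, account, fetch):
    """Crawl breadth-first from root; return folders whose DACL names account.
    fetch(url, body) is a hypothetical callable returning the 207 XML text."""
    want, hits, seen, queue = account.lower(), [], set(), [root.rstrip("/") + "/"]
    while queue:
        url = queue.pop(0)
        for resp in ET.fromstring(fetch(url, PROPFIND)).iter(DAV + "response"):
            href = resp.findtext(DAV + "href", "").rstrip("/") + "/"
            if href in seen or resp.findtext(".//" + DAV + "isfolder") != "1":
                continue  # Depth: 1 repeats the parent; items are not folders
            seen.add(href)
            if href != url:
                queue.append(href)
            names = [n.text.lower() for d in resp.iter(SEC + "dacl")
                     for n in d.iter(SEC + "nt4_compatible_name") if n.text]
            if want in names:  # DOMAIN\user compared case-insensitively
                hits.append(href)
    return hits

# Constructed, simplified 207 responses; not captured from a real server.
def entry(href, accounts, folder="1"):
    aces = "".join("<s:access_allowed_ace><s:nt4_compatible_name>%s</s:"
                   "nt4_compatible_name></s:access_allowed_ace>" % a for a in accounts)
    return ("<a:response><a:href>%s</a:href><a:propstat><a:prop><a:isfolder>%s"
            "</a:isfolder><b:descriptor><s:dacl>%s</s:dacl></b:descriptor>"
            "</a:prop></a:propstat></a:response>" % (href, folder, aces))

def multistatus(*resps):
    return ('<a:multistatus xmlns:a="DAV:" xmlns:b="http://schemas.microsoft.com/'
            'exchange/security/" xmlns:s="http://schemas.microsoft.com/security/">'
            + "".join(resps) + "</a:multistatus>")

R = "http://ex01/public/"
SAMPLE = {
    R: multistatus(entry(R, []), entry(R + "Sales/", ["CORP\\jdoe"]),
                   entry(R + "HR/", ["CORP\\asmith"]),
                   entry(R + "memo.eml", ["CORP\\jdoe"], "0")),
    R + "Sales/": multistatus(entry(R + "Sales/", ["CORP\\jdoe"]),
                              entry(R + "Sales/Bids/", ["corp\\JDoe", "CORP\\asmith"])),
}
def sample_fetch(url, body):
    return SAMPLE.get(url, multistatus())  # unlisted folders have no children
```

Calling folders_naming(R, "corp\\jdoe", sample_fetch) lists the two Sales folders and skips the memo.eml item. Against a live server the result is only complete when fetch runs under an account that can see every folder, since folders hidden from the caller never appear in the responses.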