How to set Exchange Server 2000 and 2003 mailbox rights when you create a mailbox

Article ID: 304935


Summary

This article describes how to programmatically modify the mailbox rights of a Microsoft Exchange Server 2000 or 2003 mailbox when you mailbox-enable a user object in the Microsoft Active Directory directory service.

This article contains sample code that shows you how to set the mailbox rights of an Exchange 2000 or 2003 mailbox after the user object has been mailbox-enabled in Active Directory, but before the actual mailbox is created for the user in the Exchange 2000 or 2003 information store.

Note: This code does not work if the mailbox already exists in the Exchange 2000 or 2003 information store. In other words, if the user's mailbox has already been accessed, this code does not affect the actual mailbox rights of the user's mailbox. For more information about how to set the mailbox rights of an Exchange 2000 mailbox both before and after the mailbox is created in the information store, click the following article number to view the article in the Microsoft Knowledge Base:
310866 How to set Exchange Server 2003 and Exchange 2000 Server mailbox rights for a mailbox that exists in the information store

More information

In an Exchange 2000 or 2003 organization in a Microsoft Windows 2000 or Microsoft Windows Server 2003 domain environment, a mailbox consists of two parts.
  • The mailbox-enabled user in Active Directory: this is simply the user object in Active Directory, with a number of mail-related and mailbox-related attributes set on it.
  • The mailbox folder in the Exchange information store: this is where the user's mail is actually stored, and a number of mailbox-specific properties are set on it.
Mailbox rights are stored in a security descriptor property on the mailbox in the information store. The Active Directory user object also has an attribute named msExchMailboxSecurityDescriptor. This attribute is designed only to reflect the mailbox rights of the user's mailbox.

Brief overview of the mailbox-enabling process in Exchange 2000 or 2003

The following are the steps that are typically taken when a mailbox-enabled Exchange 2000 or 2003 user is created in Active Directory:
  1. A domain administrator creates the Active Directory user object and enables the user account, either from the Active Directory Users and Computers (ADUnC) snap-in or from code that uses Active Directory Service Interfaces (ADSI).
  2. The domain administrator then mailbox-enables this user, either from ADUnC or programmatically through the IMailboxStore interface in Collaboration Data Objects for Exchange Management (CDOEXM). The "References" section of this article contains a link to the documentation for the IMailboxStore interface. No method other than CDOEXM is supported for programmatically mailbox-enabling a user object.

    Both methods ensure that the msExchMailboxSecurityDescriptor attribute and several other attributes of the user object are set correctly when the user object is mailbox-enabled. This step mainly sets a small subset of the mail attributes and mailbox attributes of the user object in Active Directory. At this point the user's mailbox cannot be accessed yet.
  3. Depending on its schedule, the Recipient Update Service (RUS) that runs on an Exchange 2000 or 2003 server stamps all the remaining mail-related and mailbox-related attributes on this user object. At this point the user's mailbox has not yet been created in the Exchange 2000 or 2003 information store. However, the user is now fully mailbox-enabled, and the mailbox can be accessed.
  4. The actual mailbox is created in the Exchange 2000 or 2003 information store when the user accesses the mailbox for the first time or when the first message is routed to the mailbox. When Exchange creates the mailbox for the user at this point, it sets the mailbox rights in the security descriptor of the mailbox in the store, based on the access control entries (ACEs) set in the msExchMailboxSecurityDescriptor attribute.

The msExchMailboxSecurityDescriptor attribute

This attribute exists on the user object in Active Directory. It stores a partial copy of the security descriptor of the user's mailbox. The attribute is not linked back to the security descriptor of the user's mailbox.

In other words, modifying this attribute directly does not update the actual security descriptor of the user's mailbox in the Exchange information store, unless the attribute is set before the actual mailbox is created in the information store.

In fact, if there is a conflict between the security descriptor reflected by the msExchMailboxSecurityDescriptor attribute of the user object in Active Directory and the security descriptor stored on the user's mailbox in the information store, Exchange repairs the msExchMailboxSecurityDescriptor attribute so that it reflects the security descriptor of the user's mailbox. If you modify the security descriptor of the user's mailbox from ADUnC or through the CDOEXM IExchangeMailbox interface, the msExchMailboxSecurityDescriptor attribute is updated automatically to reflect those changes.

Limitations of using the msExchMailboxSecurityDescriptor attribute

  • Changes to this attribute are reflected in the security descriptor of the user's mailbox only if the attribute is set before the mailbox is created in the information store. Note that for a mailbox-enabled user in Active Directory, the Exchange 2000 or 2003 mailbox is created for that user in the Exchange store when he or she accesses the mailbox for the first time or when any mail is sent to that user.
  • Another limitation of this attribute is that it does not reflect any inherited ACEs in the actual mailbox security descriptor. Therefore, reading this directory attribute is not the most accurate way to read the mailbox rights of a user.

Advantages of using the msExchMailboxSecurityDescriptor attribute

  • This attribute is defined on the user object in Active Directory. Therefore, it can be accessed by using any Lightweight Directory Access Protocol (LDAP) compatible API, such as the ADSI API or the LDAP API.
  • Because this code does not require CDOEXM, you can run it from a server on which the Microsoft Exchange 2000 and 2003 System Management Tools are not installed. The mailbox rights must still be set before the user's mailbox is created in the information store. You can also read the mailbox rights of the user's mailbox at any time, but keep in mind the limitations that are mentioned in this article (see the "Limitations of using the msExchMailboxSecurityDescriptor attribute" section).
If you do not set the msExchMailboxSecurityDescriptor attribute on a mailbox-enabled user before the actual mailbox is created in the information store, the actual security descriptor property of the mailbox in the information store will not contain an ACE with the following settings:
  • Trustee set to SELF
  • Access mask set to Full mailbox access
  • Read permission set to Allow
  • ACE type set to Allow
When this is the case, the user may have problems accessing public folders or any resource outside the local Exchange server. This is one of the reasons that the IMailboxStore interface in the CDOEXM library is the only supported mechanism for programmatically mailbox-enabling an Active Directory user against an Exchange 2000 or 2003 store.

The following sample shows you how to use ADSI and CDOEXM to create a mailbox-enabled user object in Active Directory, and then how to manually set the msExchMailboxSecurityDescriptor attribute so that it contains an ACE for the trustee specified in the code. The only purpose of this sample is to show you how to set this attribute, in case it was not set correctly before, while the user's mailbox has not yet been accessed or created in the information store.

Setting up the Visual Basic environment to run the Visual Basic sample

  1. Start Microsoft Visual Basic 6.0 on the Exchange 2000 or 2003 server.
  2. Create a new Standard EXE project. To do this, click New on the File menu, and then double-click Standard EXE.
  3. On the Project menu, click References, and then select Active DS Type Library and Microsoft CDO for Exchange Management.
  4. In the source view of the form, type or paste the following code to replace the Form_Load() subroutine.
  5. Change the values that are set in the variables in the block marked "You must change this variable according to your environment" (sContainerADsPath, sUserLoginName, sUserFirstName, sUserLastName, sMBXStoreDN and sTrustee) to the Active Directory container, user, mailbox store and trustee for your environment.
Note: This sample shows you how to read the copy of the mailbox rights that is stored in the msExchMailboxSecurityDescriptor attribute, and how to modify the mailbox rights by adding, alongside the SELF ACE, an ACE that grants Full mailbox access rights to the specified trustee.

Visual Basic code

'********************************************************************
'*
'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'*            gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'*
'* Purpose: Adds an ACE to a DACL
'* Input:       dacl            Object's Discretionary Access Control List
'*              TrusteeName     SID or Name of the trustee user account
'*              gAccessMask     Access Permissions
'*              gAceType        ACE Types
'*              gAceFlags       Inherit ACEs from the owner of the ACL
'*              gFlags          ACE has an object type or inherited object type
'*              gObjectType     Used for Extended Rights
'*              gInheritedObjectType
'*
'* Output:  Object - New DACL with the ACE added
'*
'********************************************************************

Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    ' Create a new ACE object
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName
    'Check to see if ObjectType needs to be set
    If CStr(gObjectType) <> "0" Then
       Ace1.ObjectType = gObjectType
    End If

    'Check to see if InheritedObjectType needs to be set
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If
    dacl.AddAce Ace1

    ' Destroy objects
    Set Ace1 = Nothing
End Function


Private Sub Form_Load()
Dim objContainer As IADsContainer
Dim objUser As IADsUser
Dim objMailbox As CDOEXM.IMailboxStore
Dim oSecurityDescriptor As SecurityDescriptor
Dim dacl As AccessControlList
Dim ace As AccessControlEntry

' ********************************************************************
' You must change these variables according to your environment
'

sContainerADsPath = "LDAP://domain.com/cn=Users,DC=domain,DC=com"
sUserLoginName = "testUser"
sUserFirstName = "Test"
sUserLastName = "User"
sMBXStoreDN = "CN=Mailbox Store (ExServer),CN=First Storage Group," & _
   "CN=InformationStore,CN=ExServer,CN=Servers,CN=AdminGP," & _
   "CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange," & _
   "CN=Services,CN=Configuration,DC=domain,DC=com"
sTrustee = "domainName\userName"
' ********************************************************************

' Get directory container object object
Set objContainer = GetObject(sContainerADsPath)

' Create the user object in the target container in Active Directory
Set objUser = objContainer.Create("User", "CN=" & sUserFirstName & " " & _
              sUserLastName)
objUser.Put "samAccountName", sUserLoginName
objUser.Put "givenName", sUserFirstName
objUser.Put "sn", sUserLastName
objUser.SetInfo
objUser.SetPassword "password"
objUser.SetInfo

' Mailbox-enable the user object by using the CDOEXM::IMailboxStore 
' interface
' This also sets the msExchMailboxSecurityDescriptor appropriately
Set objMailbox = objUser
objMailbox.CreateMailbox sMBXStoreDN
objUser.SetInfo

'**************************************************************************
'  The msExchMailboxSecurityDescriptor attribute is a backlink attribute 
'   from the Exchange Mailbox in the Web store to the directory. What this
'   implies is that the mailbox rights are stored on the actual mailbox in
'   the Web store and this directory attribute reflects these mailbox 
'   rights.
'  By default, changing this attribute does not affect the mailbox rights 
'   in the store. This attribute can only be modified before the actual 
'   mailbox in the store is created. If it is set before the mailbox in 
'   the Web store is created, Exchange will use the DACL set on this 
'   attribute as the DACL for mailbox rights on the mailbox in the store.
'   Therefore, it can only be set before the mailbox-creation time.
'  On installing Exchange 2000 SP2 on the Exchange Server where this code
'   is being run, that would enable modifying the actual mailbox rights 
'   even after mailbox creation.
'**************************************************************************

' Get the copy Mailbox Security Descriptor (SD) stored on the
' msExchMailboxSecurityDescriptor attribute
objUser.GetInfoEx Array("msExchMailboxSecurityDescriptor"), 0
Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")

' Extract the Discretionary Access Control List (ACL) using the 
' IADsSecurityDescriptor interface
Set dacl = oSecurityDescriptor.DiscretionaryAcl

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates reading all the ACEs on a 
'  DACL for the Exchange 2000 mailbox.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Debug.Print "Here are the existing ACEs on the mailbox's DACL - "

' Enumerate all the access control entries (ACEs) in the ACL using 
' the IADsAccessControlList interface, thus displaying the current 
' mailbox rights
Debug.Print "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
Debug.Print "-------  ----------  -------  --------  -----  ----------" & _
            " -------------------"
Debug.Print

For Each ace In dacl
' Display all the ACEs' properties by using the IADsAccessControlEntry
' interface
    Debug.Print ace.Trustee & ", " & ace.AccessMask & ", " & _
      ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
      ace.ObjectType & ", " & ace.InheritedObjectType
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates adding a new ACE to the DACL 
'  for the Exchange 2000 mailbox with the Trustee specified in sTrustee, 
'  giving allow "Full Control" over this mailbox.
'  This is the same task that is performed by ADUnC when selecting Add, 
'  specifying the Trustee, and checking the "Full Mailbox Access" Rights 
'  checkbox under the Mailbox Rights in the Exchange Advanced tab on the 
'  properties of a user.
'  Similarly, you could remove ACEs from this ACL as well using the 
'  IADsAccessControlEntry interfaces.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

' Template: AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
' Setting the Access Mask to 131075 enables "full mailbox access" and
' "read" privileges
AddAce dacl, sTrustee, 131075, _
       ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0

' Add the modified DACL back onto the Security Descriptor
oSecurityDescriptor.DiscretionaryAcl = dacl

' Save New SD onto the user
objUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor

' Commit changes from the property cache to the Information Store
objUser.SetInfo

MsgBox "Done viewing and modifying the copy of the Mailbox Security Descriptor"

End Sub
				

VBScript code

' ADSI enumeration values. VBScript cannot reference the Active DS type
' library, so they must be declared here; an undeclared name would
' silently evaluate to Empty (0) and the ACE would get the wrong flags
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2

Dim objContainer
Dim objUser
Dim objMailbox
Dim oSecurityDescriptor
Dim dacl
Dim ace

' ********************************************************************
' You must change these variables according to your environment
'

sContainerADsPath = "LDAP://domain.com/cn=Users,DC=domain,DC=com"
sUserLoginName = "testUser"
sUserFirstName = "Test"
sUserLastName = "User"
sMBXStoreDN = "CN=Mailbox Store (ExServer),CN=First Storage Group," & _
   "CN=InformationStore,CN=ExServer,CN=Servers,CN=AdminGP," & _
   "CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange," & _
   "CN=Services,CN=Configuration,DC=domain,DC=com"
sTrustee = "domainName\userName"
' ********************************************************************

' Get directory container object object
Set objContainer = GetObject(sContainerADsPath)

' Create the user object in the target container in Active Directory
Set objUser = objContainer.Create("User", "CN=" & sUserFirstName & " " & _
              sUserLastName)
objUser.Put "samAccountName", sUserLoginName
objUser.Put "givenName", sUserFirstName
objUser.Put "sn", sUserLastName
objUser.SetInfo
objUser.SetPassword "password"
objUser.SetInfo

' Mailbox enable the user object by using the CDOEXM::IMailboxStore 
' interface
' This also sets the msExchMailboxSecurityDescriptor appropriately
Set objMailbox = objUser
objMailbox.CreateMailbox sMBXStoreDN
objUser.SetInfo

'**************************************************************************
'  The msExchMailboxSecurityDescriptor attribute is a backlink attribute 
'   from the Exchange Mailbox in the Web Store to the directory. What this
'   implies is that the mailbox rights are stored on the actual mailbox in
'   the Web store and this directory attribute reflects these mailbox 
'   rights.
'  By default, changing this attribute does not affect the mailbox rights 
'   in the store. This attribute can only be modified before the actual 
'   mailbox in the store is created. If it is set before the mailbox in 
'   the Web store is created, Exchange will use the DACL set on this 
'   attribute as the DACL for mailbox rights on the mailbox in the store.
'   Therefore, it can only be set before the mailbox creation time.
'  On installing Exchange 2000 SP2 on the Exchange Server where this code
'   is being run, that would enable modifying the actual mailbox rights 
'   even after mailbox creation.
'**************************************************************************

' Get the copy Mailbox Security Descriptor (SD) stored on the
' msExchMailboxSecurityDescriptor attribute
objUser.GetInfoEx Array("msExchMailboxSecurityDescriptor"), 0
Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")

' Extract the Discretionary Access Control List (ACL) using the 
' IADsSecurityDescriptor interface
Set dacl = oSecurityDescriptor.DiscretionaryAcl

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates reading all the ACEs on a 
'  DACL for the Exchange 2000 mailbox.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Wscript.echo "Here are the existing ACEs on the mailbox's DACL - "

' Enumerate all the access control entries (ACEs) in the ACL using 
' the IADsAccessControlList interface, thus displaying the current 
' mailbox rights
Wscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
Wscript.echo "-------  ----------  -------  --------  -----  ----------" & _
            " -------------------"
Wscript.echo

For Each ace In dacl
' Display all the ACEs' properties using the IADsAccessControlEntry
' interface
    Wscript.echo ace.Trustee & ", " & ace.AccessMask & ", " & _
      ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
      ace.ObjectType & ", " & ace.InheritedObjectType
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates adding a new ACE to the DACL 
'  for the Exchange 2000 mailbox with the Trustee specified in sTrustee, 
'  giving allow "Full Control" over this mailbox.
'  This is the same task that is performed by ADUnC when selecting Add, 
'  specifying the Trustee, and checking the "Full Mailbox Access" Rights 
'  checkbox under the Mailbox Rights in the Exchange Advanced tab on the 
'  properties of a user.
'  Similarly, you could remove ACEs from this ACL as well using the 
'  IADsAccessControlEntry interfaces.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

' Template: AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
' Setting the Access Mask to 131075 enables "full mailbox access" and
' "read" privileges
AddAce dacl, sTrustee, 131075, _
       ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0

' Add the modified DACL back onto the Security Descriptor
oSecurityDescriptor.DiscretionaryAcl = dacl

' Save New SD onto the user
objUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor

' Commit changes from the property cache to the information store
objUser.SetInfo

MsgBox "Done viewing and modifying the copy of the Mailbox Security Descriptor"


'********************************************************************
'*
'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'*            gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'*
'* Purpose: Adds an ACE to a DACL
'* Input:       dacl            Object's Discretionary Access Control List
'*              TrusteeName     SID or Name of the trustee user account
'*              gAccessMask     Access Permissions
'*              gAceType        ACE Types
'*              gAceFlags       Inherit ACEs from the owner of the ACL
'*              gFlags          ACE has an object type or inherited object type
'*              gObjectType     Used for Extended Rights
'*              gInheritedObjectType
'*
'* Output:  Object - New DACL with the ACE added
'*
'********************************************************************

Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    ' Create a new ACE object
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName
    'Check to see if ObjectType needs to be set
    If CStr(gObjectType) <> "0" Then
       Ace1.ObjectType = gObjectType
    End If

    'Check to see if InheritedObjectType needs to be set
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If
    dacl.AddAce Ace1

    ' Destroy objects
    Set Ace1 = Nothing
End Function
				
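The following Python script is an added example and is not part of this Knowledge Base article. It audits the comma-separated ACE listing that the samples above print (Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType), checks for the SELF Allow ACE described under "Advantages of using the msExchMailboxSecurityDescriptor attribute", and lists every other trustee that ends up with the 131075 (full mailbox access plus read) mask the samples write. The listing is constructed; trustees are matched by literal name or SID without group expansion, and the string "NT AUTHORITY\SELF" is assumed to be how ADSI renders the SELF well-known SID.

```python
from dataclasses import dataclass

# ADSI ADS_ACETYPE_ENUM / ADS_ACEFLAG_ENUM values
ADS_ACETYPE_ACCESS_ALLOWED = 0
ADS_ACETYPE_ACCESS_DENIED = 1
ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8      # ACE applies to child objects only
FULL_MAILBOX_ACCESS_AND_READ = 131075   # 0x20003, the mask the article's AddAce call writes

@dataclass
class Ace:
    trustee: str
    access_mask: int
    ace_type: int
    ace_flags: int

def parse_dacl_dump(text):
    """Parse 'Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType,
    InheritedObjectType' lines; header, separator and blank lines are skipped."""
    aces = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 7 and parts[1].isdigit():
            aces.append(Ace(parts[0], int(parts[1]), int(parts[2]), int(parts[3])))
    return aces

def is_self(trustee):
    t = trustee.upper()   # "NT AUTHORITY\SELF" is the assumed ADSI rendering; S-1-5-10 is the SELF SID
    return t in ("S-1-5-10", "SELF") or t.endswith("\\SELF")

def effective_full_access(aces):
    """Trustees holding every bit of FULL_MAILBOX_ACCESS_AND_READ on the mailbox
    itself: inherit-only ACEs are ignored, and an explicit Deny covering any of
    those bits overrides an Allow for the same trustee (Windows DACL rules)."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.ace_flags & ADS_ACEFLAG_INHERIT_ONLY_ACE:
            continue
        hit = ace.access_mask & FULL_MAILBOX_ACCESS_AND_READ
        if ace.ace_type == ADS_ACETYPE_ACCESS_ALLOWED and hit == FULL_MAILBOX_ACCESS_AND_READ:
            allowed.add(ace.trustee)
        elif ace.ace_type == ADS_ACETYPE_ACCESS_DENIED and hit:
            denied.add(ace.trustee)
    return allowed - denied

def audit(dump_text):
    """Is the SELF ACE the article requires present, and who else has full access?"""
    full = effective_full_access(parse_dacl_dump(dump_text))
    return {"self_ace_present": any(is_self(t) for t in full),
            "delegated_full_access": sorted(t for t in full if not is_self(t))}

# Constructed sample in the article's listing format (ObjectType and
# InheritedObjectType print empty because AddAce leaves them unset)
SAMPLE_DUMP = r"""Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType
-------  ----------  -------  --------  -----  ----------  -------------------
NT AUTHORITY\SELF, 131075, 0, 2, 0, ,
CONTOSO\assistant, 131075, 0, 2, 0, ,
CONTOSO\helpdesk, 131075, 0, 2, 0, ,
CONTOSO\helpdesk, 1, 1, 2, 0, ,
CONTOSO\Domain Admins, 131075, 0, 10, 0, ,
"""
```

Running `audit(SAMPLE_DUMP)` reports the SELF ACE as present and only CONTOSO\assistant as a delegate: the helpdesk Allow is cancelled by its Deny, and the Domain Admins ACE is inherit-only.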

References

For more information about CDOEXM IMailboxStore::CreateMailbox, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/_cdo_imailboxstore_createmailbox.asp
For more information about the security-related interfaces in ADSI, visit the following MSDN Web site:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/security_interfaces.asp
Adssecurity.dll is part of the Active Directory Service Interfaces (ADSI) 2.5 Resource Kit. To download the ADSI 2.5 Resource Kit, visit the following Microsoft Web site. Register ADsSecurity.dll by using Regsvr32.
http://www.microsoft.com/technet/archive/winntas/downloads/adsi25.mspx?mfr=true
For more information about associated external accounts, click the following article number to view the article in the Microsoft Knowledge Base:
278888 How to associate an Exchange 2000 mailbox or an Exchange 2003 mailbox with a Windows NT 4.0 account

Properties

Article ID: 304935 - Last Review: January 15, 2007 - Revision: 7.2
The information in this article applies to:
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows 2000 Server
  • Microsoft Active Directory Service Interfaces 2.5
  • Microsoft Collaboration Data Objects for Exchange Management 1.1
