
How to set Exchange Server 2000 and 2003 mailbox rights when you create a mailbox

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Summary
This article describes how to programmatically modify the mailbox rights on a Microsoft Exchange Server 2000 or 2003 mailbox at the same time that you mailbox-enable a user object in the Microsoft Active Directory directory service.

This article contains sample code that shows how to set Exchange 2000 or 2003 mailbox rights after the user object has been mailbox-enabled in Active Directory, but before the user's actual mailbox is created in the Exchange 2000 or 2003 information store.

Note This code has no effect if the mailbox already exists in the Exchange 2000 or 2003 information store. That is, if the user's mailbox has already been accessed, the code does not affect the actual mailbox rights on the user's mailbox. For more information about how to set Exchange 2000 mailbox rights both before and after the mailbox is created in the information store, click the following article number to view the article in the Microsoft Knowledge Base:
310866 How to set Exchange Server 2003 and Exchange 2000 Server mailbox rights on a mailbox that exists in the information store
More Information
In a Microsoft Windows 2000 or Microsoft Windows Server 2003 domain environment, a mailbox in an Exchange 2000 or 2003 organization has two parts.
  • The mailbox-enabled user in Active Directory: this is simply a user object in Active Directory. Several mail-related and mailbox-related attributes are set on this user object.
  • The "mailbox folder" in the Exchange information store: this is where the user's actual mailbox is stored, together with the properties that hold the mailbox's settings.
Mailbox rights are stored in the security descriptor property of the mailbox in the information store. The Active Directory user object also carries this property, as the attribute named msExchMailboxSecurityDescriptor. That attribute is designed only to reflect the mailbox rights of the user's mailbox.

A quick overview of the mailbox-enabling process in Exchange 2000 or 2003

To create an Exchange 2000 or 2003 mailbox-enabled user in Active Directory, the following steps are typically taken:
  1. A domain administrator creates the Active Directory user object and enables the user account, either from the Active Directory Users and Computers (ADUnC) snap-in or from code that uses the Microsoft Active Directory Services Interface (ADSI).
  2. The domain administrator then mailbox-enables the user, either from ADUnC or programmatically through the IMailboxStore interface of Collaboration Data Objects for Exchange Management (CDOEXM). The "References" section of this article contains a link to the IMailboxStore interface documentation. Apart from CDOEXM, no other method of programmatically mailbox-enabling a user object is supported.

    Both methods ensure that the msExchMailboxSecurityDescriptor attribute and several other attributes are set correctly on the user object when it is mailbox-enabled. Essentially, this step sets a small subset of the mail attributes and mailbox attributes of the Active Directory user object. At this point, the user's mailbox is not yet ready for access.
  3. The Recipient Update Service (RUS) that runs on the Exchange 2000 or 2003 server stamps all the remaining mail-related and mailbox-related attributes on the user object during its scheduled run. At this point, the user's mailbox has still not been created in the Exchange 2000 or 2003 information store. However, the user is now fully mailbox-enabled, and the mailbox is ready for access.
  4. When the user first accesses the mailbox, or when the first message is routed to it, the actual mailbox is created in the Exchange 2000 or 2003 information store. At this time, as Exchange creates the user's mailbox, it sets the mailbox rights on the mailbox security descriptor in the store, based on the access control entries (ACEs) set on the msExchMailboxSecurityDescriptor attribute.

The msExchMailboxSecurityDescriptor attribute

This attribute exists on the user object in Active Directory. It stores a partial copy of the security descriptor of the user's mailbox. The attribute has no link back to the security descriptor of the user's mailbox.

That is, modifying the attribute directly does not update the actual mailbox security descriptor on the user's mailbox in the Exchange information store, unless you set the attribute before the actual mailbox is created in the information store.

In fact, if the security descriptor reflected by msExchMailboxSecurityDescriptor on the user object in Active Directory conflicts with the security descriptor stored on the user's mailbox in the information store, Exchange corrects the msExchMailboxSecurityDescriptor attribute so that it reflects the security descriptor of the user's mailbox. If you modify the security descriptor from ADUnC or through the CDOEXM IExchangeMailbox interface, the msExchMailboxSecurityDescriptor attribute is updated automatically to reflect those changes.

Limitations of using the msExchMailboxSecurityDescriptor attribute

  • Changes that you make to this attribute are reflected in the security descriptor of the user's mailbox only if you set the attribute before the mailbox is created in the information store. Note that the Exchange 2000 or 2003 mailbox of a mailbox-enabled Active Directory user is created in the Exchange store when the user first accesses the mailbox or when any mail is delivered to the user.
  • Another limitation is that the attribute does not reflect any ACEs that are inherited on the actual mailbox's security descriptor. Therefore, reading this directory attribute is not the most accurate way to read the user's mailbox rights.

Advantages of using the msExchMailboxSecurityDescriptor attribute

  • The attribute is defined on the user object in Active Directory. Therefore, it can be accessed by using any Lightweight Directory Access Protocol (LDAP)-compliant API, such as the ADSI API or the LDAP API.
  • Because this code does not require CDOEXM, you can run it on a server on which the Microsoft Exchange 2000 or 2003 System Management Tools are not installed. However, again, you must set the mailbox rights before the user's mailbox is created in the information store. You can also read the mailbox rights of the user's mailbox at any time, but keep in mind the limitations mentioned in this article. (See the "Limitations of using the msExchMailboxSecurityDescriptor attribute" section.)
If you do not set the msExchMailboxSecurityDescriptor attribute of the mailbox-enabled user before the actual mailbox is created in the information store, the actual security descriptor property on the mailbox in the information store will not contain the following ACE:
  • Trustee property set to Self
  • Access Mask property set to Full Mailbox Access
  • Read permission set to Allow
  • ACE Type set to Allow
If this is the case, the user may have problems when trying to access public folders or any resource outside the local Exchange server. This is one of the reasons why the IMailboxStore interface in the CDOEXM library is the only supported way to programmatically mailbox-enable an Active Directory user against an Exchange 2000 or 2003 store. The following sample shows how to use ADSI and CDOEXM to create a mailbox-enabled user object in Active Directory. You can then manually set the msExchMailboxSecurityDescriptor attribute so that it contains an ACE for the trustee specified in the code. The sole purpose of this sample is to show how to set the attribute before the user's mailbox is accessed and created in the information store, in case the attribute has not been set correctly.

Setting up the Visual Basic environment to run the Visual Basic sample

  1. Start Microsoft Visual Basic 6.0 on the Exchange 2000 or 2003 server.
  2. Create a new Standard EXE project. To do this, click New on the File menu, and then double-click Standard EXE.
  3. On the Project menu, click References, and then select Active DS Type Library and Microsoft CDO for Exchange Management.
  4. In the form's source view, type or paste the following code, replacing the Form_Load() subroutine.
  5. Change the value assigned to the variable sUserADsPath to the LDAP path of the Active Directory user object whose mailbox rights you want to view or modify.
Note: This sample shows how to read the copy of the mailbox rights that is stored on the msExchMailboxSecurityDescriptor attribute. It also shows how to modify the mailbox rights and how to add a Full Mailbox Access ACE with the Self ACE as the trustee.

Visual Basic code

'********************************************************************
'*
'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'*            gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'*
'* Purpose: Adds an ACE to a DACL
'* Input:       dacl            Object's Discretionary Access Control List
'*              TrusteeName     SID or Name of the trustee user account
'*              gAccessMask     Access Permissions
'*              gAceType        ACE Types
'*              gAceFlags       Inherit ACEs from the owner of the ACL
'*              gFlags          ACE has an object type or inherited object type
'*              gObjectType     Used for Extended Rights
'*              gInheritedObjectType
'*
'* Output:  Object - New DACL with the ACE added
'*
'********************************************************************
Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    ' Create a new ACE object
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName
    ' Check to see if ObjectType needs to be set
    If CStr(gObjectType) <> "0" Then
        Ace1.ObjectType = gObjectType
    End If
    ' Check to see if InheritedObjectType needs to be set
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If
    dacl.AddAce Ace1
    ' Destroy objects
    Set Ace1 = Nothing
End Function

Private Sub Form_Load()
Dim objContainer As IADsContainer
Dim objUser As IADsUser
Dim objMailbox As CDOEXM.IMailboxStore
Dim oSecurityDescriptor As SecurityDescriptor
Dim dacl As AccessControlList
Dim ace As AccessControlEntry
Dim sContainerADsPath As String
Dim sUserLoginName As String
Dim sUserFirstName As String
Dim sUserLastName As String
Dim sMBXStoreDN As String
Dim sTrustee As String
' ********************************************************************
' You must change these variables according to your environment
'
sContainerADsPath = "LDAP://domain.com/cn=Users,DC=domain,DC=com"
sUserLoginName = "testUser"
sUserFirstName = "Test"
sUserLastName = "User"
sMBXStoreDN = "CN=Mailbox Store (ExServer),CN=First Storage Group," & _
   "CN=InformationStore,CN=ExServer,CN=Servers,CN=AdminGP," & _
   "CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange," & _
   "CN=Services,CN=Configuration,DC=domain,DC=com"
sTrustee = "domainName\userName"
' ********************************************************************
' Get the directory container object
Set objContainer = GetObject(sContainerADsPath)
' Create the user object in the target container in Active Directory
Set objUser = objContainer.Create("User", "CN=" & sUserFirstName & " " & _
              sUserLastName)
objUser.Put "samAccountName", sUserLoginName
objUser.Put "givenName", sUserFirstName
objUser.Put "sn", sUserLastName
objUser.SetInfo
objUser.SetPassword "password"
objUser.SetInfo
' Mailbox-enable the user object by using the CDOEXM::IMailboxStore
' interface
' This also sets the msExchMailboxSecurityDescriptor appropriately
Set objMailbox = objUser
objMailbox.CreateMailbox sMBXStoreDN
objUser.SetInfo
'**************************************************************************
'  The msExchMailboxSecurityDescriptor attribute is a backlink attribute
'   from the Exchange Mailbox in the Web store to the directory. What this
'   implies is that the mailbox rights are stored on the actual mailbox in
'   the Web store and this directory attribute reflects these mailbox
'   rights.
'  By default, changing this attribute does not affect the mailbox rights
'   in the store. This attribute can only be modified before the actual
'   mailbox in the store is created. If it is set before the mailbox in
'   the Web store is created, Exchange will use the DACL set on this
'   attribute as the DACL for mailbox rights on the mailbox in the store.
'   Therefore, it can only be set before the mailbox-creation time.
'  On installing Exchange 2000 SP2 on the Exchange Server where this code
'   is being run, that would enable modifying the actual mailbox rights
'   even after mailbox creation.
'**************************************************************************
' Get the copy of the Mailbox Security Descriptor (SD) stored on the
' msExchMailboxSecurityDescriptor attribute
objUser.GetInfoEx Array("msExchMailboxSecurityDescriptor"), 0
Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")
' Extract the Discretionary Access Control List (ACL) using the
' IADsSecurityDescriptor interface
Set dacl = oSecurityDescriptor.DiscretionaryAcl
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates reading all the ACEs on a
'  DACL for the Exchange 2000 mailbox.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Debug.Print "Here are the existing ACEs on the mailbox's DACL - "
' Enumerate all the access control entries (ACEs) in the ACL using
' the IADsAccessControlList interface, thus displaying the current
' mailbox rights
Debug.Print "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
Debug.Print "-------  ----------  -------  --------  -----  ----------" & _
            " -------------------"
Debug.Print
For Each ace In dacl
    ' Display all the ACE's properties by using the IADsAccessControlEntry
    ' interface
    Debug.Print ace.Trustee & ", " & ace.AccessMask & ", " & _
       ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
       ace.ObjectType & ", " & ace.InheritedObjectType
Next
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates adding a new ACE to the DACL
'  for the Exchange 2000 mailbox with the Trustee specified in sTrustee,
'  giving allow "Full Control" over this mailbox.
'  This is the same task that is performed by ADUnC when selecting Add,
'  specifying the Trustee, and checking the "Full Mailbox Access" Rights
'  checkbox under the Mailbox Rights in the Exchange Advanced tab on the
'  properties of a user.
'  Similarly, you could remove ACEs from this ACL as well using the
'  IADsAccessControlEntry interfaces.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Template: AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
' Setting the Access Mask to 131075 enables "full mailbox access" and
' "read" privileges
AddAce dacl, sTrustee, 131075, _
       ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
' Put the modified DACL back onto the Security Descriptor
oSecurityDescriptor.DiscretionaryAcl = dacl
' Save the new SD onto the user
objUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor
' Commit changes from the property cache to Active Directory (the store
' picks them up only when it creates the mailbox)
objUser.SetInfo
MsgBox "Done viewing and modifying the copy of the Mailbox Security Descriptor"
End Sub

Visual Basic Script code

Option Explicit
' The ADSI enumeration values are not available to VBScript from the
' Active DS type library, so they are declared here explicitly.
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2
Dim objContainer
Dim objUser
Dim objMailbox
Dim oSecurityDescriptor
Dim dacl
Dim ace
Dim sContainerADsPath, sUserLoginName, sUserFirstName, sUserLastName
Dim sMBXStoreDN, sTrustee
' ********************************************************************
' You must change these variables according to your environment
'
sContainerADsPath = "LDAP://domain.com/cn=Users,DC=domain,DC=com"
sUserLoginName = "testUser"
sUserFirstName = "Test"
sUserLastName = "User"
sMBXStoreDN = "CN=Mailbox Store (ExServer),CN=First Storage Group," & _
   "CN=InformationStore,CN=ExServer,CN=Servers,CN=AdminGP," & _
   "CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange," & _
   "CN=Services,CN=Configuration,DC=domain,DC=com"
sTrustee = "domainName\userName"
' ********************************************************************
' Get the directory container object
Set objContainer = GetObject(sContainerADsPath)
' Create the user object in the target container in Active Directory
Set objUser = objContainer.Create("User", "CN=" & sUserFirstName & " " & _
              sUserLastName)
objUser.Put "samAccountName", sUserLoginName
objUser.Put "givenName", sUserFirstName
objUser.Put "sn", sUserLastName
objUser.SetInfo
objUser.SetPassword "password"
objUser.SetInfo
' Mailbox-enable the user object by using the CDOEXM::IMailboxStore
' interface
' This also sets the msExchMailboxSecurityDescriptor appropriately
Set objMailbox = objUser
objMailbox.CreateMailbox sMBXStoreDN
objUser.SetInfo
'**************************************************************************
'  The msExchMailboxSecurityDescriptor attribute is a backlink attribute
'   from the Exchange Mailbox in the Web Store to the directory. What this
'   implies is that the mailbox rights are stored on the actual mailbox in
'   the Web store and this directory attribute reflects these mailbox
'   rights.
'  By default, changing this attribute does not affect the mailbox rights
'   in the store. This attribute can only be modified before the actual
'   mailbox in the store is created. If it is set before the mailbox in
'   the Web store is created, Exchange will use the DACL set on this
'   attribute as the DACL for mailbox rights on the mailbox in the store.
'   Therefore, it can only be set before the mailbox creation time.
'  On installing Exchange 2000 SP2 on the Exchange Server where this code
'   is being run, that would enable modifying the actual mailbox rights
'   even after mailbox creation.
'**************************************************************************
' Get the copy of the Mailbox Security Descriptor (SD) stored on the
' msExchMailboxSecurityDescriptor attribute
objUser.GetInfoEx Array("msExchMailboxSecurityDescriptor"), 0
Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")
' Extract the Discretionary Access Control List (ACL) using the
' IADsSecurityDescriptor interface
Set dacl = oSecurityDescriptor.DiscretionaryAcl
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates reading all the ACEs on a
'  DACL for the Exchange 2000 mailbox.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Wscript.Echo "Here are the existing ACEs on the mailbox's DACL - "
' Enumerate all the access control entries (ACEs) in the ACL using
' the IADsAccessControlList interface, thus displaying the current
' mailbox rights
Wscript.Echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
Wscript.Echo "-------  ----------  -------  --------  -----  ----------" & _
            " -------------------"
Wscript.Echo
For Each ace In dacl
    ' Display all the ACE's properties using the IADsAccessControlEntry
    ' interface
    Wscript.Echo ace.Trustee & ", " & ace.AccessMask & ", " & _
       ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
       ace.ObjectType & ", " & ace.InheritedObjectType
Next
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates adding a new ACE to the DACL
'  for the Exchange 2000 mailbox with the Trustee specified in sTrustee,
'  giving allow "Full Control" over this mailbox.
'  This is the same task that is performed by ADUnC when selecting Add,
'  specifying the Trustee, and checking the "Full Mailbox Access" Rights
'  checkbox under the Mailbox Rights in the Exchange Advanced tab on the
'  properties of a user.
'  Similarly, you could remove ACEs from this ACL as well using the
'  IADsAccessControlEntry interfaces.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Template: AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
' Setting the Access Mask to 131075 enables "full mailbox access" and
' "read" privileges
AddAce dacl, sTrustee, 131075, _
       ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
' Put the modified DACL back onto the Security Descriptor
oSecurityDescriptor.DiscretionaryAcl = dacl
' Save the new SD onto the user
objUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor
' Commit changes from the property cache to Active Directory (the store
' picks them up only when it creates the mailbox)
objUser.SetInfo
MsgBox "Done viewing and modifying the copy of the Mailbox Security Descriptor"

'********************************************************************
'*
'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'*            gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'*
'* Purpose: Adds an ACE to a DACL
'* Input:       dacl            Object's Discretionary Access Control List
'*              TrusteeName     SID or Name of the trustee user account
'*              gAccessMask     Access Permissions
'*              gAceType        ACE Types
'*              gAceFlags       Inherit ACEs from the owner of the ACL
'*              gFlags          ACE has an object type or inherited object type
'*              gObjectType     Used for Extended Rights
'*              gInheritedObjectType
'*
'* Output:  Object - New DACL with the ACE added
'*
'********************************************************************
Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    ' Create a new ACE object
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName
    ' Check to see if ObjectType needs to be set
    If CStr(gObjectType) <> "0" Then
        Ace1.ObjectType = gObjectType
    End If
    ' Check to see if InheritedObjectType needs to be set
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If
    dacl.AddAce Ace1
    ' Destroy objects
    Set Ace1 = Nothing
End Function
References
For more information about CDOEXM IMailboxStore::CreateMailbox, visit the following Microsoft Developer Network (MSDN) Web site:
For more information about the ADSI security-related interfaces, visit the following MSDN Web site:
Adssecurity.dll is part of the Active Directory Services Interface (ADSI) 2.5 Resource Kit. To download the ADSI 2.5 Resource Kit, visit the following Microsoft Web site:
Register ADsSecurity.dll by using Regsvr32.
For more information about external accounts, click the following article number to view the article in the Microsoft Knowledge Base:
278888 XADM: How to associate an Exchange 2000 mailbox with a Windows NT 4.0 account
Properties

Article ID: 304935 - Last Review: 01/15/2007 09:08:00 - Revision: 7.2

Microsoft Exchange Server 2003 Standard Edition, Microsoft Exchange 2000 Server Standard Edition, Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows 2000 Server, Microsoft Active Directory Service Interfaces 2.5, Microsoft Collaboration Data Objects for Exchange Management 1.1

  • kbhowto kbdswadsi2003swept KB304935