From f7b80afd96b7f271e15bbfad36840d19925723b2 Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Mon, 10 Oct 2022 15:39:08 -0500
Subject: [PATCH] Add Test-ExchangePropertyPermissions script
---
 .../.gitignore | 1 +
 .../GeneratePropertySetInfo.NotPublished.ps1 | 71 ++++++
 .../Get-PropertySetInfo.ps1 | 34 +++
 .../Test-ExchangePropertyPermissions.ps1 | 232 ++++++++++++++++++
 .../Test-ExchangeSchema.ps1 | 80 ++++++
 .../Get-ObjectTypeDisplayName.ps1 | 32 +++
 .../Admin/Test-ExchangePropertyPermissions.md | 41 ++++
 mkdocs.yml | 1 +
 8 files changed, 492 insertions(+)
 create mode 100644 Admin/Test-ExchangePropertyPermissions/.gitignore
 create mode 100644 Admin/Test-ExchangePropertyPermissions/GeneratePropertySetInfo.NotPublished.ps1
 create mode 100644 Admin/Test-ExchangePropertyPermissions/Get-PropertySetInfo.ps1
 create mode 100644 Admin/Test-ExchangePropertyPermissions/Test-ExchangePropertyPermissions.ps1
 create mode 100644 Admin/Test-ExchangePropertyPermissions/Test-ExchangeSchema.ps1
 create mode 100644 Shared/ActiveDirectoryFunctions/Get-ObjectTypeDisplayName.ps1
 create mode 100644 docs/Admin/Test-ExchangePropertyPermissions.md
diff --git a/Admin/Test-ExchangePropertyPermissions/.gitignore b/Admin/Test-ExchangePropertyPermissions/.gitignore
new file mode 100644
index 0000000000..6722cd96e7
--- /dev/null
+++ b/Admin/Test-ExchangePropertyPermissions/.gitignore
@@ -0,0 +1 @@
+*.xml
diff --git a/Admin/Test-ExchangePropertyPermissions/GeneratePropertySetInfo.NotPublished.ps1 b/Admin/Test-ExchangePropertyPermissions/GeneratePropertySetInfo.NotPublished.ps1
new file mode 100644
index 0000000000..1245fbad8c
--- /dev/null
+++ b/Admin/Test-ExchangePropertyPermissions/GeneratePropertySetInfo.NotPublished.ps1
@@ -0,0 +1,71 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+$propertySets = @(
+ [PSCustomObject]@{
+ Name = "Exchange-Information"
+ RightsGuid = [Guid]::Parse("1F298A89-DE98-47b8-B5CD-572AD53D267E")
+ MemberAttributes = New-Object System.Collections.ArrayList
+ },
+ [PSCustomObject]@{
+ Name = "Exchange-Personal-Information"
+ RightsGuid = [Guid]::Parse("B1B3A417-EC55-4191-B327-B72E33E38AF2")
+ MemberAttributes = New-Object System.Collections.ArrayList
+ },
+ [PSCustomObject]@{
+ Name = "Personal-Information"
+ RightsGuid = [Guid]::Parse("77B5B886-944A-11d1-AEBD-0000F80367C1")
+ MemberAttributes = New-Object System.Collections.ArrayList
+ },
+ [PSCustomObject]@{
+ Name = "Public-Information"
+ RightsGuid = [Guid]::Parse("E48D0154-BCF8-11D1-8702-00C04FB96050")
+ MemberAttributes = New-Object System.Collections.ArrayList
+ }
+)
+
+$rootDSE = [ADSI]("LDAP://$([System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name)/RootDSE")
+$schemaContainer = [ADSI]("LDAP://" + $rootDSE.schemaNamingContext)
+
+foreach ($propertySet in $propertySets) {
+ $rightsGuidByteString = ""
+ $propertySet.RightsGuid.ToByteArray() | ForEach-Object { $rightsGuidByteString += ("\$($_.ToString("X"))") }
+ $searcher = New-Object System.DirectoryServices.directorySearcher($schemaContainer, "(&(objectClass=attributeSchema)(attributeSecurityGuid=$rightsGuidByteString))")
+ $searcher.PageSize = 100
+ $results = $searcher.FindAll()
+ foreach ($result in $results) {
+ [void]$propertySet.MemberAttributes.Add($result.Properties["cn"][0])
+ }
+}
+
+$getPropertySetInfoBuilder = New-Object System.Text.StringBuilder
+[void]$getPropertySetInfoBuilder.AppendLine("# Copyright (c) Microsoft Corporation.")
+[void]$getPropertySetInfoBuilder.AppendLine("# Licensed under the MIT License.")
+[void]$getPropertySetInfoBuilder.AppendLine("")
+[void]$getPropertySetInfoBuilder.AppendLine("# This is a generated function. Do not manually modify.")
+[void]$getPropertySetInfoBuilder.AppendLine("function Get-PropertySetInfo {")
+[void]$getPropertySetInfoBuilder.AppendLine(" [CmdletBinding()]")
+[void]$getPropertySetInfoBuilder.AppendLine(" [OutputType([System.Object[]])]")
+[void]$getPropertySetInfoBuilder.AppendLine(" param ()")
+[void]$getPropertySetInfoBuilder.AppendLine("")
+[void]$getPropertySetInfoBuilder.AppendLine(" # cSpell:disable")
+[void]$getPropertySetInfoBuilder.AppendLine(" `$propertySetInfo = @(")
+for ($i = 0; $i -lt $propertySets.Count; $i++) {
+ $propertySet = $propertySets[$i]
+ $memberAttributeString = [string]::Join(", ", ($propertySet.MemberAttributes | ForEach-Object { "`"$_`"" }))
+ [void]$getPropertySetInfoBuilder.AppendLine(" [PSCustomObject]@{")
+ [void]$getPropertySetInfoBuilder.AppendLine(" Name = `"$($propertySet.Name)`"")
+ [void]$getPropertySetInfoBuilder.AppendLine(" RightsGuid = [Guid]::Parse(`"$($propertySet.RightsGuid)`")")
+ [void]$getPropertySetInfoBuilder.AppendLine(" MemberAttributes = $memberAttributeString")
+ [void]$getPropertySetInfoBuilder.Append(" }")
+ if ($i + 1 -lt $propertySets.Count) {
+ [void]$getPropertySetInfoBuilder.AppendLine(",")
+ }
+}
+[void]$getPropertySetInfoBuilder.AppendLine(" )")
+[void]$getPropertySetInfoBuilder.AppendLine(" # cSpell:enable")
+[void]$getPropertySetInfoBuilder.AppendLine(" `$propertySetInfo")
+[void]$getPropertySetInfoBuilder.AppendLine("}")
+[void]$getPropertySetInfoBuilder.AppendLine("")
+
+Set-Content $PSScriptRoot\Get-PropertySetInfo.ps1 $getPropertySetInfoBuilder.ToString()
diff --git a/Admin/Test-ExchangePropertyPermissions/Get-PropertySetInfo.ps1 b/Admin/Test-ExchangePropertyPermissions/Get-PropertySetInfo.ps1
new file mode 100644
index 0000000000..bee613b39f
--- /dev/null
+++ b/Admin/Test-ExchangePropertyPermissions/Get-PropertySetInfo.ps1
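Review bot: The attributeSecurityGuid filter value built in the `foreach ($propertySet in $propertySets)` loop uses `$_.ToString("X")`, which emits a single hex digit for any byte below 0x10, so the escape is not the two-hex-digit `\XX` form that RFC 4515 specifies for LDAP filters; the Personal-Information and Public-Information GUIDs both contain such bytes (the `0000` and `03` in `77B5B886-944A-11d1-AEBD-0000F80367C1`, the `01`, `02` and `00` in `E48D0154-BCF8-11D1-8702-00C04FB96050`). The fix is `$propertySet.RightsGuid.ToByteArray() | ForEach-Object { $rightsGuidByteString += ("\$($_.ToString("X2"))") }`. Because an empty `FindAll()` result is accepted without comment, a filter the directory does not match would quietly yield a generated Get-PropertySetInfo.ps1 with an empty MemberAttributes list for that property set instead of an error; a guard such as `if ($results.Count -eq 0) { throw "No attributeSchema objects found for $($propertySet.Name)" }` before the inner loop would surface that. The `$searcher` and `$results` objects are also never disposed; a `$results.Dispose()` after the inner loop would release the search handles.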
@@ -0,0 +1,34 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# This is a generated function. Do not manually modify.
+function Get-PropertySetInfo {
+ [CmdletBinding()]
+ [OutputType([System.Object[]])]
+ param ()
+
+ # cSpell:disable
+ $propertySetInfo = @(
+ [PSCustomObject]@{
+ Name = "Exchange-Information"
+ RightsGuid = [Guid]::Parse("1f298a89-de98-47b8-b5cd-572ad53d267e")
+ MemberAttributes = "ms-Exch-Assistant-Name", "ms-Exch-LabeledURI", "ms-Exch-ADC-Global-Names", "ms-Exch-Attribute-Certificate", "ms-Exch-AutoReply", "ms-Exch-AutoReply-Message", "ms-Exch-Deleted-Item-Flags", "ms-Exch-Deliv-Cont-Length", "ms-Exch-Deliver-And-Redirect", "ms-Exch-Enabled-Protocols", "ms-Exch-Expansion-Server-Name", "ms-Exch-Expiration-Time", "ms-Exch-Extension-Attribute-1", "ms-Exch-Extension-Attribute-10", "ms-Exch-Extension-Attribute-11", "ms-Exch-Extension-Attribute-12", "ms-Exch-Extension-Attribute-13", "ms-Exch-Extension-Attribute-14", "ms-Exch-Extension-Attribute-15", "ms-Exch-Extension-Attribute-2", "ms-Exch-Extension-Attribute-3", "ms-Exch-Extension-Attribute-4", "ms-Exch-Extension-Attribute-5", "ms-Exch-Extension-Attribute-6", "ms-Exch-Extension-Attribute-7", "ms-Exch-Extension-Attribute-8", "ms-Exch-Extension-Attribute-9", "ms-Exch-Folder-Pathname", "ms-Exch-Form-Data", "ms-Exch-Forwarding-Address", "ms-Exch-Hide-DL-Membership", "ms-Exch-Hide-From-Address-Lists", "ms-Exch-Home-MTA", "ms-Exch-Home-Server-Name", "ms-Exch-Internet-Encoding", "ms-Exch-Language", "ms-Exch-Language-ISO639", "ms-Exch-Mail-Nickname", "ms-Exch-MAPI-Recipient", "ms-Exch-MDB-Over-Hard-Quota-Limit", "ms-Exch-MDB-Over-Quota-Limit", "ms-Exch-MDB-Storage-Quota", "ms-Exch-MDB-Use-Defaults", "ms-Exch-OOF-Reply-To-Originator", "ms-Exch-POP-Character-Set", "ms-Exch-POP-Content-Format", "ms-Exch-Protocol-Settings", "ms-Exch-Replicated-Object-Version", "ms-Exch-Replication-Sensitivity", "ms-Exch-Replication-Signature", "ms-Exch-Report-To-Originator", 
"ms-Exch-Report-To-Owner", "ms-Exch-Security-Protocol", "ms-Exch-Submission-Cont-Length", "ms-Exch-Supported-Algorithms", "ms-Exch-Target-Address", "ms-Exch-Telephone-Assistant", "ms-Exch-Unmerged-Atts", "ms-Exch-X500-NC", "ms-Exch-Alt-Recipient", "ms-Exch-Home-MDB", "ms-Exch-Auth-Orig", "ms-Exch-DL-Mem-Submit-Perms", "ms-Exch-Unauth-Orig", "ms-Exch-DL-Mem-Reject-Perms", "ms-Exch-Mailbox-Guid", "ms-Exch-Mailbox-Security-Descriptor", "ms-Exch-Master-Account-Sid", "ms-Exch-Imported-From", "ms-Exch-Custom-Proxy-Addresses", "ms-Exch-Deliv-Ext-Cont-Types", "ms-Exch-Delivery-Mechanism", "ms-Exch-DL-Mem-Default", "ms-Exch-DL-Member-Rule", "ms-Exch-FB-URL", "ms-Exch-Heuristics", "ms-Exch-IM-ACL", "ms-Exch-IM-Address", "ms-Exch-IM-Meta-Physical-URL", "ms-Exch-IM-Physical-URL", "ms-Exch-IM-Virtual-Server", "ms-Exch-PF-Tree-Type", "ms-Exch-TUI-Password", "ms-Exch-TUI-Speed", "ms-Exch-TUI-Volume", "ms-Exch-Unmerged-Atts-Pt", "ms-Exch-Voice-Mailbox-ID", "ms-Exch-Auth-Orig-BL", "ms-Exch-DL-Mem-Submit-Perms-BL", "ms-Exch-Unauth-Orig-BL", "ms-Exch-DL-Mem-Reject-Perms-BL", "ms-Exch-Use-OAB", "ms-Exch-Previous-Account-Sid", "ms-Exch-Query-Base-DN", "ms-Exch-Recip-Limit", "ms-Exch-Resource-GUID", "ms-Exch-Extension-Data", "ms-Exch-AL-Object-Version", "ms-Exch-Controlling-Zone", "ms-Exch-KM-Server", "ms-Exch-Policy-Option-List", "ms-Exch-Purported-Search-UI", "ms-Exch-Resource-Properties", "ms-Exch-Alt-Recipient-BL", "ms-Exch-Public-Delegates-BL", "ms-Exch-Policies-Excluded", "ms-Exch-Policies-Included", "ms-Exch-Policy-Enabled", "ms-Exch-Proxy-Custom-Proxy", "ms-Exch-Inconsistent-State", "ms-Exch-Conference-Mailbox-BL", "ms-Exch-Mailbox-Url", "ms-Exch-Pf-Root-Url", "ms-Exch-User-Account-Control", "ms-Exch-Mailbox-Folder-Set", "ms-Exch-Oma-Admin-Extended-Settings", "ms-Exch-Oma-Admin-Wireless-Enable", "ms-Exch-RequireAuthToSendTo", "ms-Exch-IMAP-OWA-URL-Prefix-Override", "ms-Exch-Originating-Forest", "ms-Exch-Resource-Capacity", "ms-Exch-Resource-Display", 
"ms-Exch-Resource-Meta-Data", "ms-Exch-Resource-Search-Properties", "ms-Exch-UM-Audio-Codec", "ms-Exch-UM-Dtmf-Map", "ms-Exch-UM-Enabled-Flags", "ms-Exch-UM-Fax-Id", "ms-Exch-UM-List-In-Directory-Search", "ms-Exch-UM-Max-Greeting-Duration", "ms-Exch-UM-Operator-Number", "ms-Exch-UM-Pin-Policy-Account-Lockout-Failures", "ms-Exch-UM-Pin-Policy-Disallow-Common-Patterns", "ms-Exch-UM-Pin-Policy-Expiry-Days", "ms-Exch-UM-Pin-Policy-Min-Password-Length", "ms-Exch-UM-Spoken-Name", "ms-Exch-Mailbox-Template-Link", "ms-Exch-UM-Template-Link", "ms-Exch-UM-Recipient-Dial-Plan-Link", "ms-Exch-External-OOF-Options", "ms-Exch-MDB-Rules-Quota", "ms-Exch-Mobile-Allowed-Device-IDs", "ms-Exch-Mobile-Debug-Logging", "ms-Exch-Mobile-Mailbox-Policy-Link", "ms-Exch-Mailbox-OAB-Virtual-Directories-Link", "ms-Exch-Server-Admin-Delegation-BL", "ms-Exch-Accepted-Domain-Flags", "ms-Exch-Accepted-Domain-Name", "ms-Exch-ELC-Expiry-Suspension-End", "ms-Exch-ELC-Expiry-Suspension-Start", "ms-Exch-Master-Account-History", "ms-Exch-Message-Hygiene-SCL-Junk-Threshold", "ms-Exch-Mobile-Mailbox-Flags", "ms-Exch-Recipient-Display-Type", "ms-Exch-Recipient-Type-Details", "ms-Exch-UM-Server-Writable-Flags", "ms-Exch-User-Culture", "ms-Exch-Version", "ms-Exch-HAB-Show-In-Departments", "ms-Exch-Max-Blocked-Senders", "ms-Exch-Max-Safe-Senders", "ms-Exch-Query-Filter-Metadata", "ms-Exch-CU", "ms-Exch-OU-Root", "ms-Exch-Sender-Hint-Large-Audience-Threshold", "ms-Exch-Sender-Hint-Translations", "ms-Exch-Sender-Hints-Enabled", "ms-Exch-UM-Enabled-Flags-2", "ms-Exch-Policy-Tag-Link", "ms-Exch-Policy-Tag-Link-BL", "ms-Exch-Arbitration-Mailbox", "ms-Exch-Enable-Moderation", "ms-Exch-Group-Depart-Restriction", "ms-Exch-Group-Join-Restriction", "ms-Exch-Moderation-Flags", "ms-Exch-OWA-Policy", "ms-Exch-Windows-Live-ID", "ms-Exch-Approval-Application-Link", "ms-Exch-Co-Managed-By-Link", "ms-Exch-Co-Managed-Objects-BL", "ms-Exch-Moderated-By-Link", "ms-Exch-Moderated-Objects-BL", "ms-Exch-Provisioning-Flags", 
"ms-Exch-Throttling-Policy-DN", "ms-Exch-Parent-Plan-Link", "ms-Exch-Bypass-Moderation-Link", "ms-Exch-Bypass-Moderation-BL", "ms-Exch-Bypass-Moderation-From-DL-Members-Link", "ms-Exch-Bypass-Moderation-From-DL-Members-BL", "ms-Exch-Reseller", "ms-Exch-Service-Plan", "ms-Exch-User-BL", "ms-Exch-UM-Mailbox-OVA-Language", "ms-Exch-Calendar-Repair-Disabled", "ms-Exch-Control-Point-Flags", "ms-Exch-Mailbox-Move-Flags", "ms-Exch-Mailbox-Move-Remote-Host-Name", "ms-Exch-Mailbox-Move-Status", "ms-Exch-Mailbox-Plan-Type", "ms-Exch-RMS-Licensing-Location-Url", "ms-Exch-Sync-Accounts-Policy-DN", "ms-Exch-Text-Messaging-State", "ms-Exch-UM-Load-Balancer-FQDN", "ms-Exch-Mailbox-Move-Target-MDB-Link", "ms-Exch-Mailbox-Move-Target-MDB-BL", "ms-Exch-Dirsync-ID", "ms-Exch-Management-Site-Link", "ms-Exch-UM-Audio-Codec-2", "ms-Exch-UM-Business-Location", "ms-Exch-UM-Business-Name", "ms-Exch-UM-Default-Mailbox", "ms-Exch-UM-Default-Outbound-Calling-Line-ID", "ms-Exch-UM-Week-Start-Day", "ms-Exch-Dirsync-Id-Source-Attribute", "ms-Exch-Galsync-Disable-Live-Id-On-Remove", "ms-Exch-Galsync-Federated-Tenant-Source-Attribute", "ms-Exch-Galsync-Last-Sync-Run", "ms-Exch-Galsync-Password-File-Path", "ms-Exch-Galsync-Provisioning-Domain", "ms-Exch-Galsync-Reset-Password-On-Next-Logon", "ms-Exch-Galsync-Schedule", "ms-Exch-Galsync-Source-Active-Directory-Schema-Version", "ms-Exch-Galsync-Wlid-Use-Smtp-Primary", "ms-Exch-MDB-Copy-Parent-Class", "ms-Exch-RBAC-Policy-Flags", "ms-Exch-UM-Forwarding-Address-Template", "ms-Exch-RBAC-Policy-Link", "ms-Exch-Config-Filter", "ms-Exch-Org-Federated-Mailbox", "ms-Exch-Previous-Home-MDB", "ms-Exch-Smtp-Max-Messages-Per-Connection", "ms-Exch-Availability-Per-User-Account-BL", "ms-Exch-Availability-Org-Wide-Account-BL", "ms-Exch-OWA-Transcoding-File-Types-BL", "ms-Exch-OWA-Allowed-File-Types-BL", "ms-Exch-OWA-Allowed-Mime-Types-BL", "ms-Exch-OWA-Force-Save-File-Types-BL", "ms-Exch-OWA-Force-Save-MIME-Types-BL", "ms-Exch-OWA-Blocked-File-Types-BL", 
"ms-Exch-OWA-Blocked-MIME-Types-BL", "ms-Exch-OWA-Remote-Documents-Allowed-Servers-BL", "ms-Exch-OWA-Remote-Documents-Blocked-Servers-BL", "ms-Exch-OWA-Transcoding-Mime-Types-BL", "ms-Exch-SMTP-Receive-Default-Accepted-Domain-BL", "ms-Exch-Mobile-Remote-Documents-Allowed-Servers-BL", "ms-Exch-Mobile-Remote-Documents-Blocked-Servers-BL", "ms-Exch-Mobile-Remote-Documents-Internal-Domain-Suffix-List-BL", "ms-Exch-Server-Site-BL", "ms-Exch-Organizations-Global-Address-Lists-BL", "ms-Exch-Organizations-Address-Book-Roots-BL", "ms-Exch-Organizations-Template-Roots-BL", "ms-Exch-Supervision-User-BL", "ms-Exch-RBAC-Policy-BL", "ms-Exch-Allow-Cross-Site-RPC-Client-Access", "ms-Exch-Data-Move-Replication-Constraint", "ms-Exch-Device-Access-Rule-Characteristic", "ms-Exch-Device-Access-Rule-Query-String", "ms-Exch-Dumpster-Quota", "ms-Exch-Dumpster-Warning-Quota", "ms-Exch-Edge-Sync-Advanced-Configuration", "ms-Exch-Edge-Sync-EHF-Backup-Lease-Location", "ms-Exch-Edge-Sync-EHF-Password", "ms-Exch-Edge-Sync-EHF-Primary-Lease-Location", "ms-Exch-Edge-Sync-EHF-Provisioning-URL", "ms-Exch-Edge-Sync-EHF-Reseller-ID", "ms-Exch-Edge-Sync-EHF-User-Name", "ms-Exch-Edge-Sync-Retry-Count", "ms-Exch-ESE-Param-Cache-Priority", "ms-Exch-ESE-Param-Replay-Background-Database-Maintenance", "ms-Exch-ESE-Param-Replay-Cache-Priority", "ms-Exch-ESE-Param-Replay-Checkpoint-Depth-Max", "ms-Exch-Foreign-Group-SID", "ms-Exch-Host-Server-Name", "ms-Exch-Mailbox-Move-Batch-Name", "ms-Exch-Max-Active-Mailbox-Databases", "ms-Exch-MDB-Name", "ms-Exch-Mobile-Access-Control", "ms-Exch-Mobile-Admin-Recipients", "ms-Exch-Mobile-User-Mail-Insert", "ms-Exch-Object-Count-Quota", "ms-Exch-POP-IMAP-External-Connection-Settings", "ms-Exch-POP-IMAP-Internal-Connection-Settings", "ms-Exch-RCA-Throttling-Policy-State", "ms-Exch-Sync-Accounts-Successive-Poison-Items-Threshold", "ms-Exch-Sync-Hub-Health-Log-Age-Quota-In-Hours", "ms-Exch-Sync-Hub-Health-Log-Directory-Size-Quota", "ms-Exch-Sync-Hub-Health-Log-File-Path", 
"ms-Exch-Sync-Hub-Health-Log-Per-File-Size-Quota", "ms-Exch-Sync-Mailbox-Health-Log-Age-Quota-In-Hours", "ms-Exch-Sync-Mailbox-Health-Log-Directory-Size-Quota", "ms-Exch-Sync-Mailbox-Health-Log-File-Path", "ms-Exch-Sync-Mailbox-Health-Log-Per-File-Size-Quota", "ms-Exch-Tenant-Perimeter-Settings-Flags", "ms-Exch-Tenant-Perimeter-Settings-Gateway-IP-Addresses", "ms-Exch-Tenant-Perimeter-Settings-Internal-Server-IP-Addresses", "ms-Exch-Tenant-Perimeter-Settings-Org-ID", "ms-Exch-Third-Party-Synchronous-Replication", "ms-Exch-UM-Certificate-Thumbprint", "ms-Exch-UM-Startup-Mode", "ms-Exch-Voice-Mail-Preview-Partner-Address", "ms-Exch-Voice-Mail-Preview-Partner-Assigned-ID", "ms-Exch-Voice-Mail-Preview-Partner-Max-Delivery-Delay", "ms-Exch-Voice-Mail-Preview-Partner-Max-Message-Duration", "ms-Exch-Mailbox-Move-Source-MDB-Link", "ms-Exch-Mailbox-Move-Source-MDB-BL", "ms-Exch-RMS-Computer-Accounts-Link", "ms-Exch-RMS-Computer-Accounts-BL", "ms-Exch-Intended-Mailbox-Plan-Link", "ms-Exch-Intended-Mailbox-Plan-BL", "ms-Exch-2003-Url", "ms-Exch-Legacy-Redirect-Type", "ms-Exch-License-Token", "ms-Exch-Mailbox-Folder-Set-2", "ms-Exch-Object-ID", "ms-Exch-Content-Conversion-Settings", "ms-Exch-IMAP4-Settings", "ms-Exch-Management-Settings", "ms-Exch-Mobile-Settings", "ms-Exch-OWA-Settings", "ms-Exch-POP3-Settings", "ms-Exch-Transport-Inbound-Settings", "ms-Exch-Transport-Outbound-Settings", "ms-Org-Group-Subtype-Name", "ms-Org-Is-Organizational-Group", "ms-Org-Other-Display-Names", "ms-Org-Leaders", "ms-Org-Leaders-BL", "ms-Exch-Ews-Application-Access-Policy", "ms-Exch-Ews-Enabled", "ms-Exch-Ews-Exceptions", "ms-Exch-Ews-Well-Known-Application-Policies", "ms-Exch-Archive-Address", "ms-Exch-Archive-Status", "ms-Exch-Authoritative-Policy-Tag-GUID", "ms-Exch-Authoritative-Policy-Tag-Note", "ms-Exch-AV-Authentication-Service", "ms-Exch-Capability-Identifiers", "ms-Exch-Distribution-Group-Default-OU", "ms-Exch-Distribution-Group-Name-Blocked-Words-List", 
"ms-Exch-Distribution-Group-Naming-Policy", "ms-Exch-External-Directory-Object-Id", "ms-Exch-External-Directory-Organization-Id", "ms-Exch-Last-Exchange-Changed-Time", "ms-Exch-Mailbox-Move-File-Path", "ms-Exch-Mailbox-Move-Request-Guid", "ms-Exch-MSO-Forward-Sync-Non-Recipient-Cookie", "ms-Exch-MSO-Forward-Sync-Recipient-Cookie", "ms-Exch-OWA-IM-Certificate-Thumbprint", "ms-Exch-OWA-IM-Server-Name", "ms-Exch-Pop-Imap-Log-File-Path", "ms-Exch-Pop-Imap-Log-File-Rollover-Frequency", "ms-Exch-Pop-Imap-Per-Log-File-Size-Quota", "ms-Exch-Remote-Recipient-Type", "ms-Exch-SIP-Access-Service", "ms-Exch-UM-Dial-Plan-Timezone", "ms-Exch-When-Mailbox-Created", "ms-Exch-Default-Public-MDB", "ms-Exch-Default-Public-MDB-BL", "ms-Exch-Mailbox-Move-Source-User-Link", "ms-Exch-Mailbox-Move-Source-User-BL", "ms-Exch-Mailbox-Move-Storage-MDB-Link", "ms-Exch-Mailbox-Move-Storage-MDB-BL", "ms-Exch-Mailbox-Move-Target-User-Link", "ms-Exch-Mailbox-Move-Target-User-BL", "ms-Exch-Activity-Based-Authentication-Timeout-Interval", "ms-Exch-Anonymous-Throttling-Policy-State", "ms-Exch-Edge-Sync-Connector-Version", "ms-Exch-Generic-Forwarding-Address", "ms-Exch-Partner-Group-ID", "ms-Exch-Shared-Config-Service-Plan-Tag", "ms-Exch-Shared-Identity-Server-Box-RAC", "ms-Exch-TPD-CSP-Name", "ms-Exch-TPD-CSP-Type", "ms-Exch-TPD-Display-Name", "ms-Exch-TPD-Extranet-Certification-Url", "ms-Exch-TPD-Extranet-Licensing-Url", "ms-Exch-TPD-Flags", "ms-Exch-TPD-Intranet-Certification-Url", "ms-Exch-TPD-Intranet-Licensing-Url", "ms-Exch-TPD-Key-Container-Name", "ms-Exch-TPD-Key-ID", "ms-Exch-TPD-Key-IDType", "ms-Exch-TPD-Key-Number", "ms-Exch-TPD-Private-Key", "ms-Exch-TPD-SLC-Certificate-Chain", "ms-Exch-TPD-Templates", "ms-Exch-Transport-Reseller-Intra-Tenant-Mail-Content-Type", "ms-Exch-Transport-Reseller-Settings-Inbound-Gateway-ID", "ms-Exch-Transport-Reseller-Settings-Link", "ms-Exch-Transport-Reseller-Settings-Outbound-Gateway-ID", "ms-Exch-UM-Source-Forest-Policy-Names", "ms-Exch-Shared-Config-Link", 
"ms-Exch-Shared-Config-BL", "ms-Exch-Active-Instance-Sleep-Interval", "ms-Exch-Assistants-Throttle-Workcycle", "ms-Exch-Community-URL", "ms-Exch-Community-URL-Enabled", "ms-Exch-ESE-Param-Background-Database-Maintenance-Delay", "ms-Exch-ESE-Param-Background-Database-Maintenance-Interval-Max", "ms-Exch-ESE-Param-Background-Database-Maintenance-Interval-Min", "ms-Exch-ESE-Param-Background-Database-Maintenance-Serialization", "ms-Exch-ESE-Param-Hung-IO-Action", "ms-Exch-ESE-Param-Hung-IO-Threshold", "ms-Exch-ESE-Param-Pre-Read-IO-Max", "ms-Exch-ESE-Param-Replay-Background-Database-Maintenance-Delay", "ms-Exch-ESE-Param-Replay-Pre-Read-IO-Max", "ms-Exch-Intended-Service-Plan", "ms-Exch-MRS-Request-Type", "ms-Exch-Notification-Address", "ms-Exch-Notification-Enabled", "ms-Exch-Passive-Instance-Sleep-Interval", "ms-Exch-Sync-Daemon-Max-Version", "ms-Exch-Sync-Daemon-Min-Version", "ms-Exch-Transport-Intra-Tenant-Mail-Content-Type", "ms-Exch-Transport-Partner-Connector-Domain", "ms-Exch-Transport-Partner-Routing-Domain", "ms-Exch-Audit-Admin", "ms-Exch-Audit-Delegate", "ms-Exch-Audit-Delegate-Admin", "ms-Exch-Audit-Owner", "ms-Exch-Bypass-Audit", "ms-Exch-Interrupt-User-On-Audit-Failure", "ms-Exch-IRM-Log-Max-Age", "ms-Exch-IRM-Log-Max-Directory-Size", "ms-Exch-IRM-Log-Max-File-Size", "ms-Exch-IRM-Log-Path", "ms-Exch-Is-MSO-Dirsync-Enabled", "ms-Exch-Is-MSO-Dirsynced", "ms-Exch-Mailbox-Audit-Enable", "ms-Exch-Mailbox-Audit-Log-Age-Limit", "ms-Exch-Mobile-OTA-Notification-Mail-Insert", "ms-Exch-On-Premise-Object-Guid", "ms-Exch-Shadow-Assistant-Name", "ms-Exch-Shadow-C", "ms-Exch-Shadow-Co", "ms-Exch-Shadow-Country-Code", "ms-Exch-Shadow-Department", "ms-Exch-Shadow-Display-Name", "ms-Exch-Shadow-Facsimile-Telephone-Number", "ms-Exch-Shadow-Given-Name", "ms-Exch-Shadow-Home-Phone", "ms-Exch-Shadow-Info", "ms-Exch-Shadow-L", "ms-Exch-Shadow-Mail-Nickname", "ms-Exch-Shadow-Mobile", "ms-Exch-Shadow-Other-Facsimile-Telephone", "ms-Exch-Shadow-Other-Home-Phone", 
"ms-Exch-Shadow-Other-Telephone", "ms-Exch-Shadow-Pager", "ms-Exch-Shadow-Physical-Delivery-Office-Name", "ms-Exch-Shadow-Postal-Code", "ms-Exch-Shadow-Proxy-Addresses", "ms-Exch-Shadow-Sn", "ms-Exch-Shadow-St", "ms-Exch-Shadow-Street-Address", "ms-Exch-Shadow-Telephone-Assistant", "ms-Exch-Shadow-Telephone-Number", "ms-Exch-Shadow-Title", "ms-Exch-Shadow-Windows-Live-ID", "ms-Exch-Shadow-WWW-Home-Page", "ms-Exch-SMTP-Extended-Protection-Policy", "ms-Exch-Mailbox-Move-Source-Archive-MDB-Link", "ms-Exch-Mailbox-Move-Source-Archive-MDB-BL", "ms-Exch-Mailbox-Move-Target-Archive-MDB-Link", "ms-Exch-Mailbox-Move-Target-Archive-MDB-BL", "ms-Exch-Address-Book-Flags", "ms-Exch-Dirsync-Source-Object-Class", "ms-Exch-Edge-Sync-EHF-Flags", "ms-Exch-Fed-Target-OWA-URL", "ms-Exch-Mailbox-Audit-Last-Admin-Access", "ms-Exch-Mailbox-Audit-Last-Delegate-Access", "ms-Exch-Mailbox-Audit-Last-External-Access", "ms-Exch-Migration-Log-Age-Quota-In-Hours", "ms-Exch-Migration-Log-Directory-Size-Quota", "ms-Exch-Migration-Log-Extension-Data", "ms-Exch-Migration-Log-Log-File-Path", "ms-Exch-Migration-Log-Logging-Level", "ms-Exch-Migration-Log-Per-File-Size-Quota", "ms-Exch-MSO-Forward-Sync-Async-Operation-Ids", "ms-Exch-Previous-Mailbox-Guid", "ms-Exch-SIP-SBC-Service", "ms-Exch-Smtp-Receive-Tls-Domain-Capabilities", "ms-Exch-Smtp-Send-Ndr-Level", "ms-Exch-Smtp-Send-Tls-Domain", "ms-Exch-Target-Server-Admins", "ms-Exch-Target-Server-Partner-Admins", "ms-Exch-Target-Server-Partner-View-Only-Admins", "ms-Exch-Target-Server-View-Only-Admins", "ms-Exch-Minor-Partner-Id", "ms-Exch-Mobile-OTA-Notification-Mail-Insert-2", "ms-Exch-Reconciliation-Cookies", "ms-Exch-Responsible-For-Sites", "ms-Exch-Shadow-Manager-Link", "ms-Exch-Supported-Shared-Config-Link", "ms-Exch-Supported-Shared-Config-BL", "ms-Exch-Calculated-Target-Address", "ms-Exch-Deletion-Period", "ms-Exch-Objects-Deleted-This-Period", "ms-Exch-Shadow-Company", "ms-Exch-Shadow-Initials", "ms-Exch-MSO-Forward-Sync-Replay-List", 
"ms-Exch-OWA-Failback-URL", "ms-Exch-Admin-Audit-Log-Excluded-Cmdlets", "ms-Exch-Countries", "ms-Exch-Usage-Location", "ms-Exch-Extended-Protection-SPNList", "ms-Exch-Migration-Log-Directory-Size-Quota-Large", "ms-Exch-PopImap-Extended-Protection-Policy", "ms-Exch-Dirsync-Authority-Metadata", "ms-Exch-Dirsync-Status", "ms-Exch-Dirsync-Status-Ack", "ms-Exch-Edge-Sync-Config-Flags", "ms-Exch-Is-Dirsync-Status-Pending", "ms-Exch-Localization-Flags", "ms-Exch-RoleGroup-Type", "ms-Exch-Coexistence-Domains", "ms-Exch-Coexistence-External-IP-Addresses", "ms-Exch-Coexistence-Feature-Flags", "ms-Exch-Coexistence-On-Premises-Smart-Host", "ms-Exch-Coexistence-Secure-Mail-Certificate-Thumbprint", "ms-Exch-Coexistence-Servers", "ms-Exch-Coexistence-Transport-Servers", "ms-Exch-Content-Byte-Encoder-Type-For-7-Bit-Charsets", "ms-Exch-Content-Preferred-Internet-Code-Page-For-Shift-Jis", "ms-Exch-Content-Required-Char-Set-Coverage", "ms-Exch-Dir-Sync-Service-Instance", "ms-Exch-Extension-Attribute-16", "ms-Exch-Extension-Attribute-17", "ms-Exch-Extension-Attribute-18", "ms-Exch-Extension-Attribute-19", "ms-Exch-Extension-Attribute-20", "ms-Exch-Extension-Attribute-21", "ms-Exch-Extension-Attribute-22", "ms-Exch-Extension-Attribute-23", "ms-Exch-Extension-Attribute-24", "ms-Exch-Extension-Attribute-25", "ms-Exch-Extension-Attribute-26", "ms-Exch-Extension-Attribute-27", "ms-Exch-Extension-Attribute-28", "ms-Exch-Extension-Attribute-29", "ms-Exch-Extension-Attribute-30", "ms-Exch-Extension-Attribute-31", "ms-Exch-Extension-Attribute-32", "ms-Exch-Extension-Attribute-33", "ms-Exch-Extension-Attribute-34", "ms-Exch-Extension-Attribute-35", "ms-Exch-Extension-Attribute-36", "ms-Exch-Extension-Attribute-37", "ms-Exch-Extension-Attribute-38", "ms-Exch-Extension-Attribute-39", "ms-Exch-Extension-Attribute-40", "ms-Exch-Extension-Attribute-41", "ms-Exch-Extension-Attribute-42", "ms-Exch-Extension-Attribute-43", "ms-Exch-Extension-Attribute-44", "ms-Exch-Extension-Attribute-45", 
"ms-Exch-Extension-Custom-Attribute-1", "ms-Exch-Extension-Custom-Attribute-2", "ms-Exch-Extension-Custom-Attribute-3", "ms-Exch-Extension-Custom-Attribute-4", "ms-Exch-Extension-Custom-Attribute-5", "ms-Exch-External-Directory-Object-Class", "ms-Exch-Mailbox-Database-Transport-Flags", "ms-Exch-Max-Concurrent-Migrations", "ms-Exch-Migration-Flags", "ms-Exch-MRS-Proxy-Flags", "ms-Exch-MRS-Proxy-Max-Connections", "ms-Exch-MSO-Forward-Sync-Divergence-Count", "ms-Exch-MSO-Forward-Sync-Divergence-Timestamp", "ms-Exch-Organization-Upgrade-Policy-Date", "ms-Exch-Organization-Upgrade-Policy-Enabled", "ms-Exch-Organization-Upgrade-Policy-MaxMailboxes", "ms-Exch-Organization-Upgrade-Policy-Priority", "ms-Exch-Organization-Upgrade-Policy-Source-Version", "ms-Exch-Organization-Upgrade-Policy-Status", "ms-Exch-Organization-Upgrade-Policy-Target-Version", "ms-Exch-OWA-Set-Photo-URL", "ms-Exch-Recipient-SoftDeleted-Status", "ms-Exch-When-Soft-Deleted-Time", "ms-Exch-MSO-Forward-Sync-Divergence-Related-Object-Link", "ms-Exch-Organization-Upgrade-Policy-Link", "ms-Exch-Organization-Upgrade-Policy-BL", "ms-Exch-Address-Book-Policy-Link", "ms-Exch-Address-Book-Policy-BL", "ms-Exch-Address-Lists-Link", "ms-Exch-Address-Lists-BL", "ms-Exch-Global-Address-List-Link", "ms-Exch-Global-Address-List-BL", "ms-Exch-Offline-Address-Book-Link", "ms-Exch-Offline-Address-Book-BL", "ms-Exch-All-Room-List-Link", "ms-Exch-All-Room-List-BL", "ms-Exch-Default-Public-Folder-Mailbox", "ms-Exch-Forest-Mode-Flag", "ms-Exch-Workload-Classification", "ms-Exch-Workload-Management-Is-Enabled", "ms-Exch-Workload-Type", "ms-Exch-Workload-Management-Policy-Link", "ms-Exch-Workload-Management-Policy-BL", "ms-Exch-Customer-Expectation-Critical", "ms-Exch-Customer-Expectation-Overloaded", "ms-Exch-Customer-Expectation-Underloaded", "ms-Exch-Discretionary-Critical", "ms-Exch-Discretionary-Overloaded", "ms-Exch-Discretionary-Underloaded", "ms-Exch-Internal-Maintenance-Critical", 
"ms-Exch-Internal-Maintenance-Overloaded", "ms-Exch-Internal-Maintenance-Underloaded", "ms-Exch-Resource-Type", "ms-Exch-Urgent-Critical", "ms-Exch-Urgent-Overloaded", "ms-Exch-Urgent-Underloaded", "ms-Exch-Device-Client-Type", "ms-Exch-Malware-Filtering-Defer-Attempts", "ms-Exch-Malware-Filtering-Defer-Wait-Time", "ms-Exch-Malware-Filtering-Flags", "ms-Exch-Malware-Filtering-Primary-Update-Path", "ms-Exch-Malware-Filtering-Secondary-Update-Path", "ms-Exch-Malware-Filtering-Update-Frequency", "ms-Exch-Malware-Filtering-Update-Timeout", "ms-Exch-Team-Mailbox-Expiration", "ms-Exch-Team-Mailbox-Expiry-Days", "ms-Exch-Team-Mailbox-Owners", "ms-Exch-Team-Mailbox-SharePoint-Linked-By", "ms-Exch-Team-Mailbox-SharePoint-Url", "ms-Exch-Team-Mailbox-Show-In-Client-List", "ms-Exch-Account-Forest-Link", "ms-Exch-Account-Forest-BL", "ms-Exch-Trusted-Domain-Link", "ms-Exch-Trusted-Domain-BL", "ms-Exch-Archive-Database-Link-SL", "ms-Exch-Disabled-Archive-Database-Link-SL", "ms-Exch-Fed-Delegation-Trust-SL", "ms-Exch-Home-MDB-SL", "ms-Exch-Home-MTA-SL", "ms-Exch-Mailbox-Move-Source-Archive-MDB-Link-SL", "ms-Exch-Mailbox-Move-Source-MDB-Link-SL", "ms-Exch-Mailbox-Move-Storage-MDB-Link-SL", "ms-Exch-Mailbox-Move-Target-Archive-MDB-Link-SL", "ms-Exch-Mailbox-Move-Target-MDB-Link-SL", "ms-Exch-Malware-Filter-Config-Alert-Text", "ms-Exch-Malware-Filter-Config-External-Body", "ms-Exch-Malware-Filter-Config-External-Subject", "ms-Exch-Malware-Filter-Config-Flags", "ms-Exch-Malware-Filter-Config-From-Address", "ms-Exch-Malware-Filter-Config-From-Name", "ms-Exch-Malware-Filter-Config-Internal-Body", "ms-Exch-Malware-Filter-Config-Internal-Subject", "ms-Exch-Management-Site-Link-SL", "ms-Exch-Off-Line-AB-Server-SL", "ms-Exch-Organization-Upgrade-Policy-Link-SL", "ms-Exch-Previous-Archive-Database-SL", "ms-Exch-Previous-Home-MDB-SL", "ms-Exch-RMS-Computer-Accounts-Link-SL", "ms-Exch-Spam-Add-Header", "ms-Exch-Spam-Asf-Settings", "ms-Exch-Spam-Asf-Test-Bcc-Address", 
"ms-Exch-Spam-False-Positive-Cc", "ms-Exch-Spam-Flags", "ms-Exch-Spam-Modify-Subject", "ms-Exch-Spam-Outbound-Spam-Cc", "ms-Exch-Spam-Redirect-Address", "ms-Exch-Transport-Reseller-Settings-Link-SL", "ms-Exch-Hygiene-Configuration-Link", "ms-Exch-Accepted-Domain-BL", "ms-Exch-Hygiene-Configuration-Malware-BL", "ms-Exch-Hosted-Content-Filter-Config-Link", "ms-Exch-Hygiene-Configuration-Spam-BL", "ms-Exch-Auto-DAG-Param-Database-Copies-Per-Database", "ms-Exch-Auto-DAG-Param-Database-Copies-Per-Volume", "ms-Exch-Auto-DAG-Param-Database-Copy-Flags", "ms-Exch-Auto-DAG-Param-Database-Flags", "ms-Exch-Auto-DAG-Param-Databases-Root-Folder-Path", "ms-Exch-Auto-DAG-Param-Failed-Volumes-Root-Folder-Path", "ms-Exch-Auto-DAG-Param-Flags", "ms-Exch-Auto-DAG-Param-Server-Flags", "ms-Exch-Auto-DAG-Param-Total-Number-Of-Databases", "ms-Exch-Auto-DAG-Param-Total-Number-Of-Servers", "ms-Exch-Auto-DAG-Param-Volumes-Root-Folder-Path", "ms-Exch-Auto-DAG-Schema-Version", "ms-Exch-MDB-Availability-Group-Replication-Port", "ms-Exch-Server-Fault-Zone", "ms-Exch-Smtp-Receive-Role", "ms-Exch-SMTP-Receive-Sender-Domain", "ms-Exch-Spam-Allowed-IP-Ranges", "ms-Exch-Spam-Blocked-IP-Ranges", "ms-Exch-Transport-Rule-State", "ms-Exch-Group-External-Member-Count", "ms-Exch-Group-Member-Count", "ms-Exch-Organization-Flags-2", "ms-Exch-RMSOnline-Certification-Location-Url", "ms-Exch-RMSOnline-Key-Sharing-Location-Url", "ms-Exch-RMSOnline-Licensing-Location-Url", "ms-Exch-Throttling-Policy-Flags", "ms-Exch-Malware-Filter-Config-External-Sender-Admin-Address", "ms-Exch-Malware-Filter-Config-Internal-Sender-Admin-Address", "ms-Exch-Malware-Filtering-Scan-Timeout", "ms-Exch-Spam-Country-Block-List", "ms-Exch-Spam-Language-Block-List", "ms-Exch-Spam-Notify-Outbound-Recipients", "ms-Exch-Auth-App-Secret", "ms-Exch-Auth-Application-Identifier", "ms-Exch-Auth-Auth-Server-Type", "ms-Exch-Auth-Authorization-Url", "ms-Exch-Auth-Certificate-Data", "ms-Exch-Auth-Certificate-Thumbprint", "ms-Exch-Auth-Flags", 
"ms-Exch-Auth-Issuer-Name", "ms-Exch-Auth-Issuing-Url", "ms-Exch-Auth-Linked-Account", "ms-Exch-Auth-Metadata-Url", "ms-Exch-Auth-Realm", "ms-Exch-Mailflow-Policy-Countries", "ms-Exch-Mailflow-Policy-Keywords", "ms-Exch-Mailflow-Policy-Publisher-Name", "ms-Exch-Mailflow-Policy-Transport-Rules-Template-Xml", "ms-Exch-Mailflow-Policy-Version", "ms-Exch-Public-Folder-EntryId", "ms-Exch-Public-Folder-Mailbox", "ms-Exch-Public-Folder-Smtp-Address", "ms-Exch-Spam-Digest-Frequency", "ms-Exch-Spam-Quarantine-Retention", "ms-Exch-Transport-MaxRetriesForLocalSiteShadow", "ms-Exch-Transport-MaxRetriesForRemoteSiteShadow", "ms-Exch-Transport-Rule-Immutable-Id", "ms-Exch-WAC-Discovery-Endpoint", "ms-Exch-Anonymous-Throttling-Policy-State-Ex", "ms-Exch-Canary-Data-0", "ms-Exch-Canary-Data-1", "ms-Exch-Canary-Data-2", "ms-Exch-Correlation-Id", "ms-Exch-EAS-Throttling-Policy-State-Ex", "ms-Exch-EWS-Throttling-Policy-State-Ex", "ms-Exch-General-Throttling-Policy-State-Ex", "ms-Exch-IMAP-Throttling-Policy-State-Ex", "ms-Exch-OWA-Throttling-Policy-State-Ex", "ms-Exch-POP-Throttling-Policy-State-Ex", "ms-Exch-Powershell-Throttling-Policy-State-Ex", "ms-Exch-RCA-Throttling-Policy-State-Ex", "ms-Exch-Relocate-Tenant-Completion-Target-Vector", "ms-Exch-Relocate-Tenant-Flags", "ms-Exch-Relocate-Tenant-Safe-Lockdown-Schedule", "ms-Exch-Relocate-Tenant-Source-Forest", "ms-Exch-Relocate-Tenant-Start-Lockdown", "ms-Exch-Relocate-Tenant-Start-Retired", "ms-Exch-Relocate-Tenant-Start-Sync", "ms-Exch-Relocate-Tenant-Status", "ms-Exch-Relocate-Tenant-Target-Forest", "ms-Exch-Relocate-Tenant-Transition-Counter", "ms-Exch-Sync-Cookie", "ms-Exch-Adfs-Authentication-Raw-Configuration", "ms-Exch-Service-End-Point-URL", "ms-Exch-Sync-Service-Instance-New-Tenant-Max-Version", "ms-Exch-Sync-Service-Instance-New-Tenant-Min-Version", "ms-Exch-Transport-Dumpster-Hold-Time", "ms-Exch-Transport-Rule-Config", "ms-Exch-Virtual-Directory-Flags", "ms-Exch-Archive-Release", "ms-Exch-Mailbox-Release", 
"ms-Exch-Transport-Inbound-Protocol-Logging-Level", "ms-Exch-Configuration-XML", "ms-Exch-Component-States", "ms-Exch-On-Premises-Organization-Guid", "ms-Exch-Public-Folder-Deleted-Item-Retention", "ms-Exch-Smtp-TLS-Certificate", "ms-Exch-On-Premises-Inbound-Connector-Link", "ms-Exch-On-Premises-Inbound-Connector-BL", "ms-Exch-On-Premises-Outbound-Connector-Link", "ms-Exch-On-Premises-Outbound-Connector-BL", "ms-Exch-Auth-Next-Effective-Date", "ms-Exch-Organization-Upgrade-Request", "ms-Exch-Organization-Upgrade-Status", "ms-Exch-PolicyTip-Message-Config-Action", "ms-Exch-PolicyTip-Message-Config-Locale", "ms-Exch-PolicyTip-Message-Config-Message", "ms-Exch-Transport-Rule-ExpireTime", "ms-Exch-Transport-Rule-Version", "ms-Exch-Transport-Rule-Target-Link", "ms-Exch-Transport-Rule-Target-BL", "ms-Exch-Coexistence-Edge-Transport-Servers", "ms-Exch-Database-Group", "ms-Exch-Smtp-Tls-Senders-Certificate-Name", "ms-Exch-MDB-Availability-Group-Configuration-Link", "ms-Exch-MDB-Availability-Group-Configuration-BL", "ms-Exch-Calendar-Logging-Quota", "ms-Exch-Coexistence-Frontend-Transport-Servers", "ms-Exch-Monitoring-Override-Apply-Version", "ms-Exch-Previous-Recipient-Type-Details", "ms-Exch-MSO-Forward-Sync-Cookie-Property-Set-Version", "ms-Exch-MSO-Forward-Sync-Cookie-Timestamp", "ms-Exch-Associated-Accepted-Domain-Link", "ms-Exch-Associated-Accepted-Domain-BL", "ms-Exch-Catch-All-Recipient-Link", "ms-Exch-Catch-All-Recipient-BL", "ms-Exch-Public-Folder-Moved-Item-Retention", "ms-Exch-Push-Notifications-Throttling-Policy-State-Ex", "ms-Exch-Max-ABP", "ms-Exch-Max-OAB", "ms-Exch-Offline-OrgId-Home-Realm-Record", "ms-Exch-Provisioning-Tags", "ms-Exch-EvictedMembers-Link", "ms-Exch-EvictedMemebers-BL", "ms-Exch-Tenant-Country", "ms-Exch-Encryption-Throttling-Policy-State-Ex", "ms-Exch-Mailbox-Container-Guid", "ms-Exch-Unified-Mailbox", "ms-Exch-OAB-Generating-Mailbox-Link", "ms-Exch-OAB-Generating-Mailbox-BL", "ms-Exch-UG-Member-Link", "ms-Exch-UG-Member-BL", 
"ms-Exch-Aux-Mailbox-Parent-Object-Id-Link", "ms-Exch-Aux-Mailbox-Parent-Object-Id-BL", "ms-Exch-Multi-Mailbox-GUIDs", "ms-Exch-Sts-Refresh-Tokens-Valid-From", "ms-Exch-Multi-Mailbox-Locations-Link", "ms-Exch-Group-Security-Flags", "ms-Exch-Multi-Mailbox-Locations-BL", "ms-Exch-Multi-Mailbox-Databases-Link", "ms-Exch-Multi-Mailbox-Databases-BL", "ms-Exch-Auth-Policy-Link", "ms-Exch-Auth-Policy-BL", "ms-Exch-Administrative-Unit-Link", "ms-Exch-Administrative-Unit-BL", "ms-Exch-Immutable-Sid", "ms-Exch-UG-Event-Subscription-Link", "ms-Exch-UG-Event-Subscription-BL" + }, + [PSCustomObject]@{ + Name = "Exchange-Personal-Information" + RightsGuid = [Guid]::Parse("b1b3a417-ec55-4191-b327-b72e33e38af2") + MemberAttributes = "ms-Exch-UM-Pin-Checksum", "ms-Exch-Message-Hygiene-Flags", "ms-Exch-ELC-Mailbox-Flags", "ms-Exch-Message-Hygiene-SCL-Delete-Threshold", "ms-Exch-Message-Hygiene-SCL-Quarantine-Threshold", "ms-Exch-Message-Hygiene-SCL-Reject-Threshold", "ms-Exch-Safe-Recipients-Hash", "ms-Exch-Safe-Senders-Hash", "ms-Exch-Blocked-Senders-Hash", "ms-Exch-Device-Friendly-Name", "ms-Exch-Device-Health", "ms-Exch-Device-ID", "ms-Exch-Device-IMEI", "ms-Exch-Device-Mobile-Operator", "ms-Exch-Device-OS", "ms-Exch-Device-OS-Language", "ms-Exch-Device-Telephone-Number", "ms-Exch-Device-Type", "ms-Exch-Device-User-Agent", "ms-Exch-First-Sync-Time", "ms-Exch-Last-Update-Time", "ms-Exch-Signup-Addresses", "ms-Exch-User-Display-Name", "ms-Exch-Immutable-Id", "ms-Exch-Sharing-Partner-Identities", "ms-Exch-Transport-Recipient-Settings-Flags", "ms-Exch-External-Sync-State", "ms-Exch-Device-Model", "ms-Exch-UM-Calling-Line-IDs", "ms-Exch-Aggregation-Subscription-Credential", "ms-Exch-Send-As-Addresses", "ms-Exch-Retention-Comment", "ms-Exch-Retention-URL", "ms-Exch-Server-Association-Link", "ms-Exch-Server-Association-BL", "ms-Exch-Alternate-Mailboxes", "ms-Exch-Sharing-Policy-Link", "ms-Exch-UM-Addresses", "ms-Exch-UM-Phone-Provider", "ms-Exch-Supervision-User-Link", 
"ms-Exch-Supervision-DL-Link", "ms-Exch-Supervision-One-Off-Link", "ms-Exch-Archive-GUID", "ms-Exch-Archive-Name", "ms-Exch-Archive-Quota", "ms-Exch-Archive-Warn-Quota", "ms-Exch-OWA-Remote-Documents-Internal-Domain-Suffix-List-BL", "ms-Exch-Parent-Plan-BL", "ms-Exch-Supervision-DL-BL", "ms-Exch-Supervision-One-Off-BL", "ms-Exch-Archive-Database-Link", "ms-Exch-Archive-Database-BL", "ms-Exch-Device-Access-State", "ms-Exch-Device-Access-State-Reason", "ms-Exch-Device-EAS-Version", "ms-Exch-Mobile-Blocked-Device-IDs", "ms-Exch-Delegate-List-Link", "ms-Exch-Delegate-List-BL", "ms-Exch-Device-Access-Control-Rule-Link", "ms-Exch-Device-Access-Control-Rule-BL", "ms-Exch-Sharing-Anonymous-Identities", "ms-Exch-Litigation-Hold-Date", "ms-Exch-Litigation-Hold-Owner", "ms-Exch-Disabled-Archive-GUID", "ms-Exch-Disabled-Archive-Database-Link", "ms-Exch-Shadow-When-Soft-Deleted-Time" + }, + [PSCustomObject]@{ + Name = "Personal-Information" + RightsGuid = [Guid]::Parse("77b5b886-944a-11d1-aebd-0000f80367c1") + MemberAttributes = "Address", "Address-Home", "Assistant", "Comment", "Country-Name", "Facsimile-Telephone-Number", "International-ISDN-Number", "Locality-Name", "ms-DS-Host-Service-Account", "ms-DS-Supported-Encryption-Types", "ms-DS-Last-Successful-Interactive-Logon-Time", "ms-DS-Last-Failed-Interactive-Logon-Time", "ms-DS-Failed-Interactive-Logon-Count", "ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon", "MSMQ-Digests", "MSMQ-Sign-Certificates", "Personal-Title", "Phone-Fax-Other", "Phone-Home-Other", "Phone-Home-Primary", "Phone-Ip-Other", "Phone-Ip-Primary", "Phone-ISDN-Primary", "Phone-Mobile-Other", "Phone-Mobile-Primary", "Phone-Office-Other", "Phone-Pager-Other", "Phone-Pager-Primary", "Physical-Delivery-Office-Name", "Picture", "Post-Office-Box", "Postal-Address", "Postal-Code", "Preferred-Delivery-Method", "Registered-Address", "State-Or-Province-Name", "Street-Address", "Telephone-Number", "Teletex-Terminal-Identifier", "Telex-Number", 
"Telex-Primary", "User-Cert", "User-Shared-Folder", "User-Shared-Folder-Other", "User-SMIME-Certificate", "X121-Address", "X509-Cert", "ms-DS-GeoCoordinates-Altitude", "ms-DS-GeoCoordinates-Latitude", "ms-DS-GeoCoordinates-Longitude", "ms-DS-cloudExtensionAttribute1", "ms-DS-cloudExtensionAttribute2", "ms-DS-cloudExtensionAttribute3", "ms-DS-cloudExtensionAttribute4", "ms-DS-cloudExtensionAttribute5", "ms-DS-cloudExtensionAttribute6", "ms-DS-cloudExtensionAttribute7", "ms-DS-cloudExtensionAttribute8", "ms-DS-cloudExtensionAttribute9", "ms-DS-cloudExtensionAttribute10", "ms-DS-cloudExtensionAttribute11", "ms-DS-cloudExtensionAttribute12", "ms-DS-cloudExtensionAttribute13", "ms-DS-cloudExtensionAttribute14", "ms-DS-cloudExtensionAttribute15", "ms-DS-cloudExtensionAttribute16", "ms-DS-cloudExtensionAttribute17", "ms-DS-cloudExtensionAttribute18", "ms-DS-cloudExtensionAttribute19", "ms-DS-cloudExtensionAttribute20", "ms-DS-External-Directory-Object-Id", "ms-Exch-Public-Delegates" + }, + [PSCustomObject]@{ + Name = "Public-Information" + RightsGuid = [Guid]::Parse("e48d0154-bcf8-11d1-8702-00c04fb96050") + MemberAttributes = "Additional-Information", "Allowed-Attributes", "Allowed-Attributes-Effective", "Allowed-Child-Classes", "Allowed-Child-Classes-Effective", "Alt-Security-Identities", "Common-Name", "Company", "Department", "Description", "Display-Name-Printable", "Division", "E-mail-Addresses", "Given-Name", "Initials", "Legacy-Exchange-DN", "Manager", "ms-DS-Allowed-To-Delegate-To", "ms-DS-Auxiliary-Classes", "ms-DS-Approx-Immed-Subordinates", "ms-DS-Phonetic-First-Name", "ms-DS-Phonetic-Last-Name", "ms-DS-Phonetic-Department", "ms-DS-Phonetic-Company-Name", "ms-DS-Phonetic-Display-Name", "ms-DS-HAB-Seniority-Index", "ms-DS-Source-Object-DN", "Obj-Dist-Name", "Object-Category", "Object-Class", "Object-Guid", "Organization-Name", "Organizational-Unit-Name", "Other-Mailbox", "Proxy-Addresses", "RDN", "Reports", "Service-Principal-Name", "Show-In-Address-Book", 
"Surname", "System-Flags", "Text-Country", "Text-Encoded-OR-Address", "Title", "User-Principal-Name", "ms-Exch-UC-Voice-Mail-Settings", "ms-Exch-User-Hold-Policies" + } ) + # cSpell:enable + $propertySetInfo +} diff --git a/Admin/Test-ExchangePropertyPermissions/Test-ExchangePropertyPermissions.ps1 b/Admin/Test-ExchangePropertyPermissions/Test-ExchangePropertyPermissions.ps1 new file mode 100644 index 0000000000..349ffd42c3 --- /dev/null +++ b/Admin/Test-ExchangePropertyPermissions/Test-ExchangePropertyPermissions.ps1 
@@ -0,0 +1,232 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +[CmdletBinding()] +param ( + [Parameter(Mandatory = $true, Position = 0)] + [string] + $TargetObjectDN, + + [Parameter(Mandatory = $true, Position = 1)] + [string] + $ComputerAccountDN, + + [Parameter(Mandatory = $false, Position = 2)] + [string] + $DomainController, + + [Parameter(Mandatory = $false, Position = 3)] + [switch] + $SaveReport, + + [Parameter(Mandatory = $false, Position = 3)] + [switch] + $OutputDebugInfo +) + +begin { + . $PSScriptRoot\..\..\Shared\Out-Columns.ps1 + . $PSScriptRoot\..\..\Shared\ActiveDirectoryFunctions\Get-ActiveDirectoryAcl.ps1 + . $PSScriptRoot\..\..\Shared\ActiveDirectoryFunctions\Get-ExchangeADSplitPermissionsEnabled.ps1 + . $PSScriptRoot\..\..\Shared\ActiveDirectoryFunctions\Get-ExchangeOtherWellKnownObjects.ps1 + . $PSScriptRoot\..\..\Shared\ActiveDirectoryFunctions\Get-ObjectTypeDisplayName.ps1 + . $PSScriptRoot\..\..\Shared\ActiveDirectoryFunctions\Get-TokenGroupsGlobalAndUniversal.ps1 + . $PSScriptRoot\Get-PropertySetInfo.ps1 + . $PSScriptRoot\Test-ExchangeSchema.ps1 + + $requiredWellKnownGroupsInToken = "Exchange Trusted Subsystem", "Exchange Servers" + + $report = [PSCustomObject]@{ + TargetObjectDN = $TargetObjectDN + ComputerAccountDN = $ComputerAccountDN + DomainController = $DomainController + RequiredInToken = @() + Token = $null + ACL = $null + ProblemsFound = @() + } +} + +process { + if (-not (Test-ExchangeSchema)) { + Write-Warning "Schema validation failed. Exiting." + return + } + + if (Get-ExchangeADSplitPermissionsEnabled) { + Write-Host "Split permissions is enabled. In this scenario, it is expected that the Exchange server + computer account does not have write permission to many recipient attributes. The script will + report these as problems, although they may be normal for this configuration." 
+ } + + $token = Get-TokenGroupsGlobalAndUniversal -DistinguishedName $ComputerAccountDN + $report.Token = $token + Write-Host "Token groups: $ComputerAccountDN" + $token | Out-Columns + + $wellKnownObjects = Get-ExchangeOtherWellKnownObjects + foreach ($wellKnownName in $requiredWellKnownGroupsInToken) { + $groupDN = ($wellKnownObjects | Where-Object { $_.WellKnownName -eq $wellKnownName }).DistinguishedName + $objectSidBytes = ([ADSI]("LDAP://$groupDN")).Properties["objectSID"][0] + $objectSid = New-Object System.Security.Principal.SecurityIdentifier($objectSidBytes, 0) + $report.RequiredInToken += [PSCustomObject]@{ + WellKnownName = $wellKnownName + DistinguishedName = $groupDN + ObjectSid = $objectSid.ToString() + } + + $matchFound = $token | Where-Object { $_.SID -eq $objectSid.ToString() } + if ($null -eq $matchFound) { + $report.ProblemsFound += "The group $wellKnownName is not in the token." + } + } + + $params = @{ + DistinguishedName = $TargetObjectDN + } + + if (-not [string]::IsNullOrEmpty($DomainController)) { + $params.DomainController = $DomainController + } + + $acl = Get-ActiveDirectoryAcl @params + $objectTypeCache = @{} + $displayAces = @() + for ($i = 0; $i -lt $acl.Access.Count; $i++) { + $ace = $acl.Access[$i] + if ($ace.ObjectType -ne [Guid]::Empty) { + if ($null -ne $objectTypeCache[$ace.ObjectType]) { + $ace | Add-Member -NotePropertyName ObjectTypeDisplay -NotePropertyValue $objectTypeCache[$ace.ObjectType] + } else { + $objectTypeDisplay = Get-ObjectTypeDisplayName -ObjectType $ace.ObjectType + $objectTypeCache[$ace.ObjectType] = $objectTypeDisplay + $ace | Add-Member -NotePropertyName ObjectTypeDisplay -NotePropertyValue $objectTypeDisplay + } + } + + if ($ace.InheritedObjectType -ne [Guid]::Empty) { + if ($null -ne $objectTypeCache[$ace.InheritedObjectType]) { + $ace | Add-Member -NotePropertyName InheritedObjectTypeDisplay -NotePropertyValue $objectTypeCache[$ace.InheritedObjectType] + } else { + $objectTypeDisplay = 
Get-ObjectTypeDisplayName -ObjectType $ace.InheritedObjectType + $objectTypeCache[$ace.InheritedObjectType] = $objectTypeDisplay + $ace | Add-Member -NotePropertyName InheritedObjectTypeDisplay -NotePropertyValue $objectTypeDisplay + } + } + + $ace | Add-Member -MemberType NoteProperty -Name "Index" -Value $i + $displayAces += $ace + } + + $report.ACL = $displayAces + Write-Host "ACL: $TargetObjectDN" + $displayAces | Where-Object { $_.PropagationFlags -ne "InheritOnly" } | Out-Columns -Properties Index, IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectTypeDisplay, IsInherited + + $propertySetInfo = Get-PropertySetInfo + $attributeCount = $propertySetInfo.MemberAttributes.Count + $progressCount = 0 + $sw = New-Object System.Diagnostics.Stopwatch + $sw.Start() + $schemaPath = ([ADSI]("LDAP://$([System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name)/RootDSE")).Properties["schemaNamingContext"][0] + $identityReferenceCache = @{} + foreach ($propertySet in $propertySetInfo) { + foreach ($attributeName in $propertySet.MemberAttributes) { + $progressCount++ + if ($sw.ElapsedMilliseconds -gt 1000) { + $sw.Restart() + Write-Progress -Activity "Checking permissions" -PercentComplete $((($progressCount * 100) / $attributeCount)) + } + + $attributeSchemaEntry = [ADSI]("LDAP://CN=$attributeName,$schemaPath") + if ($attributeSchemaEntry.Properties["attributeSecurityGuid"].Count -lt 1) { + # This schema validation failure should be extremely rare, but we have seen a few + # cases in lab/dev/test environments, such as when ADSchemaAnalyzer has been used to + # copy schema between forests. + $report.ProblemsFound += "The attribute $attributeName is not in the $($propertySet.Name) property set." 
+ continue + } + + $schemaIdGuid = New-Object Guid(, $attributeSchemaEntry.Properties["schemaIDGuid"][0]) + + # We need to hit a write allow ACE for a SID in the token on one of the following: + # - The rightsGuid from the property set + # - The schemaIdGuid from the attributeSchemaEntry + # We must hit the allow before we hit a deny on the same thing. + + $found = $false + $problemAceIndex = $null + for ($i = 0; $i -lt $displayAces.Count; $i++) { + $ace = $displayAces[$i] + if ($ace.PropagationFlags -eq "InheritOnly") { + continue + } + + $sidToFind = $null + if ($null -eq $ace.IdentityReference.SID) { + if ($null -ne $identityReferenceCache[$ace.IdentityReference.Value]) { + $sidToFind = $identityReferenceCache[$ace.IdentityReference.Value] + } else { + $sidToFind = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value + $identityReferenceCache[$ace.IdentityReference.Value] = $sidToFind + } + } else { + $sidToFind = $ace.IdentityReference.SID + } + + $matchingSid = $token | Where-Object { $_.SID -eq $sidToFind.ToString() } + if ($null -ne $matchingSid) { + # The ACE affects this token. + # Does it affect this property? + if ($ace.ObjectType -eq $propertySet.RightsGuid -or $ace.ObjectType -eq $schemaIdGuid -or $ace.ObjectType -eq [Guid]::Empty) { + if ($ace.ActiveDirectoryRights -contains "WriteProperty" -or $ace.ActiveDirectoryRights -contains "GenericAll") { + if ($ace.AccessControlType -eq "Allow") { + $found = $true + break + } else { + $problemAceIndex = $i + break + } + } + } + } + } + + if (-not $found) { + if ($null -ne $problemAceIndex) { + $report.ProblemsFound += "The property $attributeName is denied Write by ACE $problemAceIndex." + } else { + $report.ProblemsFound += "The property $attributeName is not allowed Write by any ACE." + } + } + } + } + + if ($report.ProblemsFound.Count -gt 0) { + foreach ($problem in $report.ProblemsFound) { + Write-Warning $problem + } + } else { + Write-Host "No problems found." 
+ }
+
+ if ($SaveReport) {
+ $reportPath = $PSScriptRoot + "\" + "PermissionReport-$([DateTime]::Now.ToString("yyMMddHHmmss")).xml"
+ $report | Export-Clixml $reportPath
+ Write-Host "Report saved to $reportPath"
+ }
+
+ if ($OutputDebugInfo) {
+ $debugInfo = @{
+ ACL = $acl
+ DisplayAces = $displayAces
+ IdentityReferenceCache = $identityReferenceCache
+ Token = $token
+ TargetObjectDN = $TargetObjectDN
+ Report = $report
+ }
+
+ $debugInfoPath = Join-Path $PSScriptRoot "DebugInfo.xml"
+ $debugInfo | Export-Clixml -Path $debugInfoPath
+ Write-Host "Debug info saved to $debugInfoPath"
+ }
+}
diff --git a/Admin/Test-ExchangePropertyPermissions/Test-ExchangeSchema.ps1 b/Admin/Test-ExchangePropertyPermissions/Test-ExchangeSchema.ps1
new file mode 100644
index 0000000000..6fd78b9487
--- /dev/null
+++ b/Admin/Test-ExchangePropertyPermissions/Test-ExchangeSchema.ps1
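Review bot: The rights test in the inner ACE loop, `$ace.ActiveDirectoryRights -contains "WriteProperty" -or $ace.ActiveDirectoryRights -contains "GenericAll"`, applies `-contains` to a single flags-enum value, so I believe it only matches an ACE whose rights are exactly WriteProperty and misses a combined value such as `ReadProperty, WriteProperty` — an allow of that shape is then reported as "not allowed Write by any ACE", and a deny of that shape is silently skipped, so the report can be wrong in both directions. A bit test is unambiguous: `if (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0 -or ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) {`. Separately, `$SaveReport` and `$OutputDebugInfo` both declare `Position = 3`, which is at best ambiguous for positional binding and may be rejected by the parameter binder; switches rarely need a position at all. Finally, `-DomainController` is forwarded only to Get-ActiveDirectoryAcl, while the token lookup, the schema binds and Get-ObjectTypeDisplayName all go through GetComputerDomain(), so under replication latency the ACL and the group/schema data may come from different DCs; either forward the parameter consistently or document the limitation in the parameter help.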
@@ -0,0 +1,80 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +function Test-ExchangeSchema { + [CmdletBinding()] + + # cSpell:disable + $requiredSchemaEntries = @( + [PSCustomObject]@{ SchemaObject = "User"; AttributeName = "systemAuxiliaryClass"; RequiredValues = @("mailRecipient") }, + [PSCustomObject]@{ SchemaObject = "Group"; AttributeName = "systemAuxiliaryClass"; RequiredValues = @("mailRecipient") }, + [PSCustomObject]@{ SchemaObject = "mail-Recipient"; AttributeName = "mayContain"; RequiredValues = + @("altRecipient", "altRecipientBL", "assistant", "authOrig", "authOrigBL", "autoReplyMessage", + "company", "delivContLength", "deliverAndRedirect", "deliveryMechanism", "delivExtContTypes", "department", + "dLMemDefault", "dLMemRejectPerms", "dLMemRejectPermsBL", "dLMemSubmitPerms", "dLMemSubmitPermsBL", "dnQualifier", + "enabledProtocols", "expirationTime", "extensionData", "folderPathname", "formData", "forwardingAddress", + "homeMTA", "importedFrom", "internetEncoding", "labeledURI", "language", "languageCode", "mail", "mailNickname", + "mAPIRecipient", "msDS-ExternalDirectoryObjectId", "msDS-GeoCoordinatesAltitude", "msDS-GeoCoordinatesLatitude", + "msDS-GeoCoordinatesLongitude", "msDS-HABSeniorityIndex", "msDS-PhoneticDisplayName", "msExchAddressBookFlags", + "msExchAdministrativeUnitLink", "msExchAggregationSubscriptionCredential", "msExchArbitrationMailbox", + "msExchArchiveRelease", "msExchAssistantName", "msExchAuditAdmin", "msExchAuditDelegate", "msExchAuditDelegateAdmin", + "msExchAuditOwner", "msExchAuthPolicyLink", "msExchAuxMailboxParentObjectIdLink", "msExchBlockedSendersHash", + "msExchBypassAudit", "msExchBypassModerationBL", "msExchBypassModerationFromDLMembersBL", + "msExchBypassModerationFromDLMembersLink", "msExchBypassModerationLink", "msExchCalculatedTargetAddress", + "msExchCalendarRepairDisabled", "msExchCapabilityIdentifiers", "msExchCoManagedObjectsBL", "msExchConfigurationXML", + 
"msExchCustomProxyAddresses", "msExchDirsyncID", "msExchDirsyncSourceObjectClass", "msExchEdgeSyncRetryCount", + "msExchEnableModeration", "msExchEwsApplicationAccessPolicy", "msExchEwsEnabled", "msExchEwsExceptions", + "msExchEwsWellKnownApplicationPolicies", "msExchExpansionServerName", "msExchExternalSyncState", "msExchFBURL", + "msExchForeignGroupSID", "msExchGenericForwardingAddress", "msExchGroupExternalMemberCount", "msExchGroupMemberCount", + "msExchGroupSecurityFlags", "msExchHABShowInDepartments", "msExchHomeMTASL", "msExchImmutableId", "msExchImmutableSid", + "msExchIntendedMailboxPlanLink", "msExchInterruptUserOnAuditFailure", "msExchLabeledURI", "msExchLicenseToken", + "msExchLitigationHoldDate", "msExchLitigationHoldOwner", "msExchLocalizationFlags", "msExchMailboxAuditEnable", + "msExchMailboxAuditLastAdminAccess", "msExchMailboxAuditLastDelegateAccess", "msExchMailboxAuditLastExternalAccess", + "msExchMailboxAuditLogAgeLimit", "msExchMailboxFolderSet", "msExchMailboxFolderSet2", "msExchMailboxMoveBatchName", + "msExchMailboxMoveFlags", "msExchMailboxMoveRemoteHostName", "msExchMailboxMoveSourceArchiveMDBLink", + "msExchMailboxMoveSourceArchiveMDBLinkSL", "msExchMailboxMoveSourceMDBLink", "msExchMailboxMoveSourceMDBLinkSL", + "msExchMailboxMoveStatus", "msExchMailboxMoveTargetArchiveMDBLink", "msExchMailboxMoveTargetArchiveMDBLinkSL", + "msExchMailboxMoveTargetMDBLink", "msExchMailboxMoveTargetMDBLinkSL", "msExchMailboxPlanType", "msExchMailboxRelease", + "msExchMailboxSecurityDescriptor", "msExchMasterAccountSid", "msExchMessageHygieneFlags", + "msExchMessageHygieneSCLDeleteThreshold", "msExchMessageHygieneSCLJunkThreshold", + "msExchMessageHygieneSCLQuarantineThreshold", "msExchMessageHygieneSCLRejectThreshold", "msExchModeratedByLink", + "msExchModeratedObjectsBL", "msExchModerationFlags", "msExchMultiMailboxDatabasesLink", "msExchObjectID", + "msExchOrganizationUpgradeRequest", "msExchOrganizationUpgradeStatus", "msExchOWAPolicy", 
"msExchParentPlanLink", + "msExchPartnerGroupID", "msExchPoliciesExcluded", "msExchPoliciesIncluded", "msExchPolicyEnabled", + "msExchPolicyOptionList", "msExchPreviousAccountSid", "msExchPreviousRecipientTypeDetails", "msExchProvisioningFlags", + "msExchProxyCustomProxy", "msExchPublicFolderMailbox", "msExchPublicFolderSmtpAddress", "msExchRBACPolicyLink", + "msExchRecipientDisplayType", "msExchRecipientSoftDeletedStatus", "msExchRecipientTypeDetails", "msExchRecipLimit", + "msExchRemoteRecipientType", "msExchRequireAuthToSendTo", "msExchResourceCapacity", "msExchResourceDisplay", + "msExchResourceMetaData", "msExchResourceSearchProperties", "msExchRetentionComment", "msExchRetentionURL", + "msExchRMSComputerAccountsLink", "msExchRoleGroupType", "msExchSafeRecipientsHash", "msExchSafeSendersHash", + "msExchSendAsAddresses", "msExchSenderHintTranslations", "msExchShadowWhenSoftDeletedTime", + "msExchSharingAnonymousIdentities", "msExchSharingPartnerIdentities", "msExchSharingPolicyLink", "msExchSignupAddresses", + "msExchStsRefreshTokensValidFrom", "msExchSupervisionDLLink", "msExchSupervisionOneOffLink", "msExchSupervisionUserLink", + "msExchSyncAccountsPolicyDN", "msExchTextMessagingState", "msExchThrottlingPolicyDN", + "msExchTransportRecipientSettingsFlags", "msExchUCVoiceMailSettings", "msExchUGEventSubscriptionLink", "msExchUGMemberLink", + "msExchUMAddresses", "msExchUMCallingLineIDs", "msExchUMDtmfMap", "msExchUMListInDirectorySearch", + "msExchUMRecipientDialPlanLink", "msExchUMSpokenName", "msExchUsageLocation", "msExchUserAccountControl", + "msExchUserHoldPolicies", "msExchWhenMailboxCreated", "msExchWhenSoftDeletedTime", "msExchWindowsLiveID", "pOPCharacterSet", + "pOPContentFormat", "protocolSettings", "publicDelegates", "publicDelegatesBL", "replicationSensitivity", "secretary", + "securityProtocol", "submissionContLength", "targetAddress", "unauthOrig", "unauthOrigBL", "userSMIMECertificate", + "versionNumber") + } + ) + # cSpell:enable + + 
$schemaPath = ([ADSI]("LDAP://$([System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name)/RootDSE")).Properties["schemaNamingContext"][0]
+
+ $schemaIsGood = $true
+
+ foreach ($o in $requiredSchemaEntries) {
+ $schemaObject = [ADSI]("LDAP://CN=$($o.SchemaObject),$schemaPath")
+ $attributeValues = $schemaObject.Properties[$o.AttributeName]
+ $missingValues = $o.RequiredValues | Where-Object { $attributeValues -notcontains $_ }
+ if ($missingValues) {
+ Write-Host "$($o.SchemaObject) missing $($o.AttributeName): $missingValues"
+ $schemaIsGood = $false
+ }
+ }
+
+ return $schemaIsGood
+}
diff --git a/Shared/ActiveDirectoryFunctions/Get-ObjectTypeDisplayName.ps1 b/Shared/ActiveDirectoryFunctions/Get-ObjectTypeDisplayName.ps1
new file mode 100644
index 0000000000..7371a95ff6
--- /dev/null
+++ b/Shared/ActiveDirectoryFunctions/Get-ObjectTypeDisplayName.ps1
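Review bot: `[CmdletBinding()]` at the top of Test-ExchangeSchema is not followed by a `param()` block, so it does not make the function an advanced function as intended — depending on the PowerShell version it appears to either decorate the `$requiredSchemaEntries` assignment or fail to parse; add `param()` directly after the attribute or drop it. The function also carries no comment on what it checks; since the caller treats a `$false` return as a hard stop, a header such as `# Checks a small, fixed set of schema entries (User/Group systemAuxiliaryClass and mail-Recipient mayContain); $false means the forest schema is not in a supported state, not that the script can repair it.` would help the next reader. Missing values are surfaced only through Write-Host, so an automated caller cannot learn which entries failed; emitting them with Write-Warning, or returning the missing list alongside the boolean, would make the result usable outside an interactive session.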
@@ -0,0 +1,32 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+function Get-ObjectTypeDisplayName {
+ [CmdletBinding()]
+ param (
+ [Parameter()]
+ [Guid]
+ $ObjectType
+ )
+
+ $rootDSE = [ADSI]"LDAP://$([System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name)/RootDSE"
+ $extendedRightsContainer = [ADSI]"LDAP://$("CN=Extended-Rights," + $rootDSE.ConfigurationNamingContext)"
+ $searcher = New-Object System.DirectoryServices.DirectorySearcher($extendedRightsContainer, "(&(rightsGuid=$ObjectType))", "displayName")
+ $result = $searcher.FindOne()
+
+ if ($null -ne $result) {
+ $result.Properties["displayName"][0]
+ return
+ }
+
+ $schemaContainer = [ADSI]"LDAP://$("CN=Schema," + $rootDSE.ConfigurationNamingContext)"
+ $objectTypeBytes = [string]::Join("", ($ObjectType.ToByteArray() | ForEach-Object { ("\" + $_.ToString("X")) }))
+ $searcher = New-Object System.DirectoryServices.DirectorySearcher($schemaContainer, "(&(schemaIdGuid=$objectTypeBytes))", "lDAPDisplayName")
+ $result = $searcher.FindOne()
+ if ($null -ne $result) {
+ $result.Properties["lDAPDisplayName"][0]
+ return
+ }
+
+ throw "ObjectType $ObjectType not found"
+}
diff --git a/docs/Admin/Test-ExchangePropertyPermissions.md b/docs/Admin/Test-ExchangePropertyPermissions.md
new file mode 100644
index 0000000000..338a15b6d8
--- /dev/null
+++ b/docs/Admin/Test-ExchangePropertyPermissions.md
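Review bot: The schemaIdGuid filter escapes each GUID byte with `$_.ToString("X")`, which emits a single hex digit for byte values below 0x10 (`\A` rather than `\0A`); an LDAP hex escape is two digits per RFC 4515, so the schema lookup may fail for most GUIDs and the function then ends in `throw`. Use the two-digit format: `$objectTypeBytes = [string]::Join("", ($ObjectType.ToByteArray() | ForEach-Object { ("\" + $_.ToString("X2")) }))`. Because the caller in Test-ExchangePropertyPermissions.ps1 invokes this for every ACE's ObjectType and InheritedObjectType without a try/catch, one unresolvable GUID aborts the entire permission check; returning `$ObjectType.ToString()` as a fallback display name, or letting the caller catch and continue, would keep the report usable. The filters `(&(rightsGuid=$ObjectType))` and `(&(schemaIdGuid=$objectTypeBytes))` wrap a single term in `&`, which is harmless but reads more clearly as `(rightsGuid=$ObjectType)`.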
@@ -0,0 +1,41 @@
+# Test-ExchangePropertyPermissions
+
+Download the latest release: [Update-Engines.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Update-Engines.ps1)
+
+## Syntax
+
+```powershell
+Test-ExchangePropertyPermissions.ps1
+ [-TargetObjectDN]
+ [-ComputerAccountDN]
+ [[-DomainController] ]
+ [-OutputDebugInfo]
+ []
+```
+
+## Example
+
+.\Test-ExchangePropertyPermissions.ps1 -TargetObjectDN "CN=SomeRecipient,OU=Users,DC=contoso,DC=com" -ComputerAccountDN "CN=SomeServerName,OU=Computers,DC=contoso,DC=com"
+
+This example retrieves the group memberships of the SomeServerName computer account and then examines the ACL of SomeRecipient
+to determine if that computer account can write to all expected attributes of that recipient.
+
+## Description
+
+Test-ExchangePropertyPermissions is designed to detect certain schema issues which can manifest as
+permissions problems and can be challenging to identify manually, including:
+
+* Scenarios where a property set does not include all the expected properties.
+* Scenarios where an objectClass definition is missing expected properties.
+
+Note that the script does not perform an exhaustive check for all possible schema issues. It is
+only designed to identify a specific subset of issues which we have encountered. For example, using
+AD Schema Analyzer as described here is one such scenario:
+
+https://learn.microsoft.com/en-us/previous-versions/technet-magazine/dd547839(v=msdn.10)
+
+As noted in that article, this is known to corrupt the Exchange attributes. This script is able
+to detect that scenario, and other similar scenarios.
+
+Further, note that such issues cannot be fixed by the script. Using AD Schema Analyzer as described
+results in an unsupported forest that should be torn down.
diff --git a/mkdocs.yml b/mkdocs.yml
index c4dd8d0f1e..69eac08311 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -13,6 +13,7 @@ nav:
 - Reset-ScanEngineVersion: Admin/Reset-ScanEngineVersion.md
 - SetUnifiedContentPath: Admin/SetUnifiedContentPath.md
 - Test-AMSI: Admin/Test-AMSI.md
+ - Test-ExchangePropertyPermissions: Admin/Test-ExchangePropertyPermissions.md
 - Update-Engines: Admin/Update-Engines.md
 - Calendar:
 - Check-SharingStatus: Calendar/Check-SharingStatus.md