
Delegate Access

Last post 03-29-2007, 12:19 PM by ExchangeCanada. 2 replies.
  •  03-29-2007, 12:19 PM 578

    Delegate Access

    I'm looking for a way to get a list of users who allow other users to have access to their calendar or other folders in their mailboxes. I'd also want a list of the users who have the access along with the folders that they have access to and what kind of permissions that they have been granted to access these folders. Is it possible and if so how would I go about it?
  •  04-09-2007, 2:46 AM 622 in reply to 578

    Re: Delegate Access

    Hi ExchangeCanada (Go Canucks!)

    It is possible, but not totally trivial. There are a few things you can do to get parts of the answer or all of the answer.

    1. Assuming Outlook is using Exchange 200x, then whether delegates exist on a mailbox is stored as an attribute in Active Directory. If a user's mailbox has delegates, they would be listed in the multi-value attribute called publicDelegates. If the user is a delegate, then the mailboxes they are delegates for are listed in the publicDelegatesBL attribute. This information is readable with ADSIEdit, but for a lot of mailboxes, you would certainly prefer a script or export to gather that information. LDIFDE can export specific attributes from Active Directory. The command might read as follows:

    c:\>ldifde -f delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"

    -f - assigns the output to the file named delegates.txt
    -d - isolates which OU in the directory to query
    -l - determines which attributes to list in the output
    -r - filters for objects with any value for the attributes mentioned

    I outline the above in an entry from my blog a few years ago. This does not get you all the information you are looking for, but it is one way to see how much delegates are used in your organization. Folder-specific permissions are stored in Exchange as MAPI permissions for each folder.

    2. The pfdavadmin tool provides better access to delegate permissions across the organization. It accesses Exchange using WebDAV and it is intended originally for public folder administration and troubleshooting, especially folder permission issues. It can also export information regarding folder permissions. Downloading the PFDAVAdmin.exe executable will extract to a folder with a very important document to reference appropriately called PFDAVAdmin.doc. Therein you will find all the instructions you will need.

    Simply, when I connect to the Exchange Server with the utility, I select the radio button for mailbox store. I think it requests that you enable logging within PFDAVAdmin. After that, Export permissions choosing specific folders and subfolders. This exports the DACL information to a text file in My Documents by default. This is not to be confused with the log file it wants to put in c:\pfdavadmin by default.

    On my Exchange Server at home, Sam and Diane are delegates on William's mailbox. Depending on what format you choose, the output may look something like this snippet:

    SETACL Mailboxes\william\Top of Information Store\Inbox MVPPRESS\sam Reviewer MVPPRESS\diane Reviewer NO
    SETACL Mailboxes\william\Top of Information Store\Outbox NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\william\Top of Information Store\Sent Items NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\william\Top of Information Store\Deleted Items NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\william\Top of Information Store\Calendar MVPPRESS\sam Editor MVPPRESS\diane Editor NO
    SETACL Mailboxes\william\Top of Information Store\Contacts MVPPRESS\sam Author MVPPRESS\diane None NO
    SETACL Mailboxes\william\Top of Information Store\Drafts NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\william\Top of Information Store\Journal MVPPRESS\sam None MVPPRESS\diane None NO
    SETACL Mailboxes\william\Top of Information Store\Notes MVPPRESS\sam None MVPPRESS\diane None NO
    SETACL Mailboxes\william\Top of Information Store\Tasks MVPPRESS\sam Editor MVPPRESS\diane Editor NO

    The PFDAVAdmin tool is free from Microsoft and is mostly intuitive to use, but after you read the documentation. I did not go into detail on the inputs I made to produce reports on this information. This tool can also be used to centrally manage those delegate permissions as well.

    3. Finally, there are scripting solutions out there that can return detailed delegate information from Exchange. In the Windows Platform SDK, there is a dll called ACL.dll which when used with CDO can retrieve MAPI folder permissions.

    Exchange scripting guru from Australia, Glen Scales, offers a script to connect to every mailbox, read the MAPI permissions on the root folders (as you would see in the Outlook delegation applet), and report on the results. The user context executing the script would need sufficient Exchange permissions of course. Glen calls this a 'reverse permission audit script'. Don't miss the comments after his blogpost there.

    These three options should provide the information you need regarding Outlook folder delegation. I am inclined to use the PFDAVAdmin utility, but Glen's script may be more to your liking. The output for these queries is basic text that you may have to manipulate to draw out the specific content you seek.

    Regards

    William Lefkovics, MCSE, A+, BSBA
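
Added example (not part of the original post, and not code from PFDAVAdmin): a small Python parser that turns the SETACL export lines shown in the reply above into the report the question asked for, namely who has access to which folder of which mailbox and with what role. It assumes the export file is tab-delimited and ignores the trailing flag field; the function names and the sample input are constructed for this example.

```python
from collections import defaultdict

# Constructed sample: four lines from the post, re-typed with tab separators.
# Assumption: the real export file is tab-delimited; the forum page shows spaces.
P = "Mailboxes\\william\\Top of Information Store\\"
SAMPLE = "\n".join([
    "SETACL\t" + P + "Inbox\tMVPPRESS\\sam\tReviewer\tMVPPRESS\\diane\tReviewer\tNO",
    "SETACL\t" + P + "Outbox\tNT AUTHORITY\\ANONYMOUS LOGON\tNone\tNO",
    "SETACL\t" + P + "Calendar\tMVPPRESS\\sam\tEditor\tMVPPRESS\\diane\tEditor\tNO",
    "SETACL\t" + P + "Contacts\tMVPPRESS\\sam\tAuthor\tMVPPRESS\\diane\tNone\tNO",
])

def parse_setacl(text):
    """Yield (mailbox, folder, account, role) for every ACL entry in the export."""
    for line in text.splitlines():
        fields = line.strip("\r\n").split("\t")
        if len(fields) < 4 or fields[0] != "SETACL":
            continue                      # header, blank or unrelated line
        path, pairs = fields[1], fields[2:]
        if len(pairs) % 2:                # odd count: drop the trailing flag (NO above)
            pairs = pairs[:-1]
        parts = path.split("\\")
        if len(parts) < 3 or parts[0] != "Mailboxes":
            continue                      # not a mailbox folder path
        mailbox = parts[1]
        folder = "\\".join(parts[3:]) or parts[2]   # path below the store root
        for account, role in zip(pairs[0::2], pairs[1::2]):
            yield mailbox, folder, account, role

def effective_grants(text):
    """Entries that grant something: role 'None' rows are dropped, accounts are not
    filtered, so a non-None role for ANONYMOUS LOGON would still be reported."""
    return [e for e in parse_setacl(text) if e[3].lower() != "none"]

def by_delegate(text):
    """Reverse view: account -> [(mailbox, folder, role), ...]."""
    out = defaultdict(list)
    for mailbox, folder, account, role in effective_grants(text):
        out[account].append((mailbox, folder, role))
    return dict(out)

if __name__ == "__main__":
    for account, grants in sorted(by_delegate(SAMPLE).items()):
        for mailbox, folder, role in grants:
            print(f"{account}\t{mailbox}\t{folder}\t{role}")
```
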

     

  •  04-11-2007, 9:31 AM 646 in reply to 622

    Re: Delegate Access

    Thanks for the information. I'll give it a try.

 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing