(Starting to like KiXtart)
2003-07-07 04:18 PM
Creating mailbox in Exchange 5.5


I'm playing around with an example I found in the ADSI SDK doc. (ADSI Exchange programmer's guide --> Advanced Schema Concepts --> Visual basic usage examples --> Creating a Mailbox with IADsSecurityDescriptor and IADsSID in the ADSI Resource Kit)

The NT user creation part goes OK but the mailbox part does not. I have created the following piece of code for making a mailbox.

;--- MailBox Parameters ---
$strDisplayName = "John Smith"
$strFirstName = "John"
$strLastName = "Smith"
$strAlias = $userName
;$strMTA = "cn=Microsoft MTA,cn=$server,cn=Servers,cn=Configuration,ou=$Site,o=$Org"
$strSMTPAddr = "jan.smith@@gispen.nl"

; Build Recipient container's adsPath:
; LDAP://myserver/CN=Recipients, OU=Site, O=Org
$ADsPath = "LDAP://MyServer/cn=Recipients,ou=Site,o=Organisation"
$objCont = $GetObject($ADsPath)

;---Create a new MailBox---
$mailBox = $objCont.Create($strAlias)
$mailBox.mailPreferenceOption = "0"
$mailBox.givenName = $strFirstName
$mailBox.sn = $strLastName
$mailBox.cn = $strDisplayName
$mailBox.uid = $strAlias
;$mailBox.Home-MTA = $strMTA
;$mailBox.Put "Home-MDB", strMDB
$mailBox.mail = $strSMTPAddr
;$mailBox.Put "MAPI-Recipient", True
$mailBox.rfc822Mailbox = $strSMTPAddr

; Associating to a primary account
; (Requires the ADSI tool kit - REGSVR32 ADSSECURITY.DLL )
;sid.SetAs ADS_SID_WINNT_PATH, "WinNT://" & domain & "/" & strAlias & ",user"
;sidHex = sid.GetAs(ADS_SID_HEXSTRING)
;mailBox.Put "Assoc-NT-Account", sidHex

; Commit the property cache to the directory service
$mailbox = ""

During the $mailbox.xxx = $Variable section I get all kinds of Invalid Handle errors.

The operation completed successfully.LDAP://MyServer/cn=Recipients,ou=Site,o=Organisation
The operation completed successfully.smithj
The handle is invalid.0
The handle is invalid.John
The handle is invalid.Smith
The handle is invalid.John Smith
The handle is invalid.smithj
The handle is invalid.
The handle is invalid.jan.smith@gispen.nl
The handle is invalid.jan.smith@gispen.nl
The handle is invalid.
The handle is invalid.

Does anyone have an idea what I'm doing wrong?

The account i use to create the user has all rights in Exchange from top to bottom

@Kix = 4.12
OS = NT 4

(KiX Master)
2003-07-07 04:31 PM
Re: Creating mailbox in Exchange 5.5

Some of your variables do not have a preceding '4' sign. Secondly, comment out all lines, then start enabling each line to see where exactly the error occurs.

Richard H.Administrator
(KiX Supporter)
2003-07-07 04:36 PM
Re: Creating mailbox in Exchange 5.5

Rather than:
$objCont = $GetObject($ADsPath)
use:
$objCont = GetObject($ADsPath)
GetObject() is a function, not an object.

[ 07. July 2003, 16:37: Message edited by: Richard H. ]

(Starting to like KiXtart)
2003-07-07 08:24 PM
Re: Creating mailbox in Exchange 5.5


I'm making progress

; Build Recipient container's adsPath:
; LDAP://myserver/CN=Recipients, OU=Site, O=Org
$ADsPath = "LDAP://,ou=GISPEN,o=Gispen International BV"
$objCont = GetObject($ADsPath)
;---Create a new MailBox---
$mailBox = $objCont.Create("organizationalPerson", $strAlias)
$mailBox.Put("givenName", $strFirstName)
$mailBox.Put("sn", $strLastName)
$mailBox.Put("cn", $strDisplayName)
$mailBox.Put("uid", $strAlias)
$mailBox.Put("Home-MTA", $strMTA)
;$mailBox.Put "Home-MDB", strMDB
$mailBox.Put("mail", $strSMTPAddr)
$mailBox.Put("MAPI-Recipient", True)
$mailBox.Put("rfc822Mailbox", $strSMTPAddr)
; Associating to a primary account
; (Requires the ADSI tool kit - REGSVR32 ADSSECURITY.DLL )
$sid.SetAs($ADS_SID_WINNT_PATH, "WinNT://GISPEN/$strAlias,user")
$sidHex = $sid.GetAs($ADS_SID_HEXSTRING)
$mailBox.Put("Assoc-NT-Account", $sidHex)

; Commit the property cache to the directory service
$mailbox = ""

The above code is working until the "Associating to a primary account" part starts. I get an error in expression in : $sid.SetAs($ADS_SID_WINNT_PATH, "WinNT://GISPEN/$strAlias,user")

(KiX Supporter)
2003-07-07 08:33 PM
Re: Creating mailbox in Exchange 5.5

search the ADSI SDK for "ADS_SID_WINNT_PATH" this should be some type of value that the ADSI .SetAs() is looking for.

The VBS script already had this variable defined where your kix script does not.

(KiX Supporter)
2003-07-07 08:36 PM
Re: Creating mailbox in Exchange 5.5

ohh, i see you are setting the variable $ADS_SID_WINNT_PATH... but you are creating it as a string.

Have you tried creating it as a numeric number?


Also... you do have the ADSSECURITY.DLL registered?

(Starting to like KiXtart)
2003-07-08 04:06 PM
Re: Creating mailbox in Exchange 5.5

I've tried both ways (string and numeric) but no result

still :
Script error: expected expression!
$sid.SetAs($ADS_SID_WINNT_PATH, "WinNT://GISPEN/$strAlias,user")

And I can't find, either in the SDK or on msdn/technet, what SetAs() wants.

(KiX Master Guru)
2003-07-08 04:08 PM
Re: Creating mailbox in Exchange 5.5

at first...
as far as I know, you can do nothing with ADSI if you are using exchange 5.5

(KiX Master Guru)
2003-07-08 04:17 PM
Re: Creating mailbox in Exchange 5.5

oh, stupid me.
sure it works.
haven't tried does not mean that it does not work.
now am wiser.

anyway, aren't getas and setas wscript functions?
(stupid me again guessing here...)

Howard Bullock
(KiX Supporter)
2003-07-08 04:21 PM
Re: Creating mailbox in Exchange 5.5

I think you are missing the proper object:

$oADsSid = CreateObject("ADsSid")

This does the opposite of what you are doing.

Howard Bullock
(KiX Supporter)
2003-07-08 04:25 PM
Re: Creating mailbox in Exchange 5.5

This is what you want...

$sidobj = createobject("adssid")
$sid = $sidobj.getas(1)

"ADSI SID = " + $sid ?

[ 08. July 2003, 16:25: Message edited by: Howard Bullock ]

(Starting to like KiXtart)
2003-07-09 08:24 AM
Re: Creating mailbox in Exchange 5.5

Got it working [Smile]

Thank you all.

; Security object for SD manipulation

;---------------CREATING A MAILBOX ----------------------

;--- Server, Org and Site information ---
$server = "ExchangeServer"
$Org = "Organisation"
$Site = "Organisational Unit"
$domain = "@DOMAIN"
$strDisplayName = "John Smith"
$strFirstName = "John"
$strLastName = "Smith"
$username = "smithj"
$strAlias = $username
$strMTA = "cn=Microsoft MTA,cn=$server,cn=Servers,cn=Configuration,ou=$Site,o=$Org"
$strSMTPAddr = "john.smith@@domain.com"
; Build Recipient container's adsPath:
; LDAP://myserver/CN=Recipients, OU=Site, O=Org
$ADsPath = "LDAP://$server/cn=Recipients,ou=$site,o=$Org"
$objCont = GetObject($ADsPath)
;---Create a new MailBox---
$mailBox = $objCont.Create("organizationalPerson", "cn=$strAlias")
$mailBox.Put("givenName", $strFirstName)
$mailBox.Put("sn", $strLastName)
$mailBox.Put("cn", $strDisplayName)
$mailBox.Put("uid", $strAlias)
$mailBox.Put("Home-MTA", $strMTA)
$mailBox.Put("mail", $strSMTPAddr)
$mailBox.Put("MAPI-Recipient", True)
$mailBox.Put("rfc822Mailbox", $strSMTPAddr)
; Associating to a primary account
; (Requires the ADSI tool kit - REGSVR32 ADSSECURITY.DLL )
$sidobj = CreateObject("adssid")
$sid = $sidobj.getas(1)
"ADSI SID = " + $sid ?
$mailBox.Put("Assoc-NT-Account", $sid)
? "Mailbox created: "@SERROR +"Error code: "+@ERROR
$mailbox = ""
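
An added example, not part of the original thread: a check that the hex string written to Assoc-NT-Account really is the SID of the intended NT account, which is worth running before trusting a scripted association. It assumes the stored value is the binary SID encoded as hex digits (the ADS_SID_HEXSTRING format named earlier in the thread); the sample SIDs and the function names are constructed for illustration.

```python
import struct

# Constructed sample values, not taken from the thread.
SAMPLE_HEX_SID = "010500000000000515000000010000000200000003000000E8030000"
SAMPLE_EXPECTED = "S-1-5-21-1-2-3-1000"


def decode_hex_sid(hex_sid):
    """Decode a hex-encoded binary NT SID into its S-R-A-S... string form."""
    raw = bytes.fromhex(hex_sid.strip())  # ValueError on non-hex input
    if len(raw) < 8:
        raise ValueError("too short to hold a SID header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unexpected SID revision %d" % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    # Identifier authority: 6 bytes, big-endian.
    authority = int.from_bytes(raw[2:8], "big")
    # Sub-authorities: 32-bit little-endian integers.
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def check_association(hex_sid, expected_sid):
    """Return (ok, reason) for a stored Assoc-NT-Account value."""
    if not hex_sid or not hex_sid.strip():
        return False, "empty value: no account is associated"
    try:
        actual = decode_hex_sid(hex_sid)
    except ValueError as exc:
        return False, "malformed SID: %s" % exc
    if actual != expected_sid:
        return False, "SID mismatch: stored %s, expected %s" % (actual, expected_sid)
    return True, "stored SID matches %s" % expected_sid


if __name__ == "__main__":
    # Valid, empty, truncated, and a different (well-known group) SID.
    samples = (SAMPLE_HEX_SID, "", SAMPLE_HEX_SID[:-4],
               "01020000000000052000000020020000")
    for value in samples:
        print(repr(value), "->", check_association(value, SAMPLE_EXPECTED))
```
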

(Starting to like KiXtart)
2003-07-09 11:30 AM
Re: Creating mailbox in Exchange 5.5

Not completely :-(

The mailbox security is not working.

vb code:

Dim sec As New ADsSecurity 'You can also use -- Set sec = CreateObject("ADsSecurity") for late binding
Dim sd As IADsSecurityDescriptor
Dim dacl As IADsAccessControlList
Dim ace As New AccessControlEntry

' Set the mailbox security
' to allow the user to modify a user attribute,
' send mail, and receive mail
Set sd = sec.GetSecurityDescriptor(mailBox.ADsPath)
Set dacl = sd.DiscretionaryAcl
ace.Trustee = domain & "\" & strAlias
dacl.AddAce ace
sd.DiscretionaryAcl = dacl
sec.SetSecurityDescriptor sd

"Translated to KiX"
$secobj = CreateObject("ADsSecurity")
$sd = getobjectoption("IADsSecurityDescriptor")
$dacl = getobjectoption("IADsAccessControlList")
$aceobj = CreateObject("AccessControlEntry")
$sd = $Secobj.GetSecurityDescripter($mailbox.$ADsPath)
$dacl = $sd.DiscretionaryAcl
$aceobj.Thrustee = "@DOMAIN\$strAlias"
$dacl.AddAce = $aceobj
$sd.DiscretionaryAcl = $dacl

$secobj.SetSecurityDescriptor = $sd

Script error: unknown or unexpected command []!
$sd = $Secobj.GetSecurityDescripter($mailbox.$ADsPath)

Any ideas?

(KiX Master Guru)
2003-07-09 11:36 AM
Re: Creating mailbox in Exchange 5.5

how come:
Set sd = secobj.GetSecurityDescriptor(mailBox.ADsPath)

translates to:
$sd = $secobj.GetSecurityDescriptor($mailBox.$ADsPath)

I would guess:
$sd = $secobj.GetSecurityDescriptor($mailBox.ADsPath)

is closer, but...
without seeing what is ADsPath in initial code, can't make really good guesses [Wink]

[ 09. July 2003, 12:00: Message edited by: Lonkero ]

(Starting to like KiXtart)
2003-07-10 12:00 AM
Re: Creating mailbox in Exchange 5.5

$ADsPath = "LDAP://$server/cn=Recipients,ou=$site,o=$Org"

When changing to:
$sd = $Secobj.GetSecurityDescripter($mailbox.ADsPath)

I get "Unknown name"

(KiX Master Guru)
2003-07-10 12:01 AM
Re: Creating mailbox in Exchange 5.5

with initial code I meant the vbscript. [Wink]

(KiX Master Guru)
2003-07-10 12:05 AM
Re: Creating mailbox in Exchange 5.5

found the difference in your vb-code and in the script code [Big Grin]

you write in kix-version:

instead of:

(KiX Master)
2003-07-10 12:26 AM
Re: Creating mailbox in Exchange 5.5

Very keen eye there Lonkero. [Cool]

(Starting to like KiXtart)
2003-07-10 09:50 AM
Re: Creating mailbox in Exchange 5.5

Indeed very keen [Smile]

This part is now working without errors
$secobj = CreateObject("ADsSecurity")
$sd = getobjectoption("IADsSecurityDescriptor")
$dacl = getobjectoption("IADsAccessControlList")
$aceobj = CreateObject("AccessControlEntry")
$sd = $Secobj.GetSecurityDescriptor($mailbox.ADsPath)
$dacl = $sd.DiscretionaryAcl
$dacl.AddAce.Put = $aceobj
$sd.DiscretionaryAcl = $dacl

But it doesn't give the result that i thought it should have. I thought that this would set the NT account with permissions on the mailbox but as you can see in the image that isn't working.

(KiX Master Guru)
2003-07-10 09:54 AM
Re: Creating mailbox in Exchange 5.5

hey, how you got that kind of view?
I have 5.5 sp4 and don't have no permissions tab.
does the account occur on general tab as box owner?

(Starting to like KiXtart)
2003-07-10 10:24 AM
Re: Creating mailbox in Exchange 5.5

This view can be set in Tools --> options --> Permissions tab --> Enabling "Show permissions page for all object"

The NT account is set as Primary Windows NT Account on the General Tab but that is done when creating the mailbox: $mailBox.Put("Assoc-NT-Account", $sid)

But if there are no permissions set opening the mailbox can't be done :-(

(Starting to like KiXtart)
2003-07-11 11:02 AM
Re: Creating mailbox in Exchange 5.5

Found an example on how to set the NT-Security-Descriptor but it is in Visual Basic.Net. Can someone help me translate it?

Dim usr As New DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com")
Dim newAce = New AccessControlEntryClass()
Dim usrSD As SecurityDescriptor = CType(usr.Properties("ntSecurityDescriptor").Value, SecurityDescriptor)
Dim usrAcl As AccessControlList = CType(usrSD.DiscretionaryAcl, AccessControlList)
newAce.Trustee = "AliceW"
newAce.AccessMask = - 1
newAce.AceType = 0
usrSD.DiscretionaryAcl = usrAcl
usr.Properties("ntSecurityDescriptor").Value = usrSD

[ 11. July 2003, 11:02: Message edited by: Raceeend ]

(KiX Master Guru)
2003-07-11 11:12 AM
Re: Creating mailbox in Exchange 5.5

can check more on it.
anyway, is this supposed to support older systems?
I mean, it's .Net so its stuff can also be server 2k3 related.

(Hey THIS is FUN)
2004-01-12 12:19 PM
Re: Creating mailbox in Exchange 5.5

Found this old post, and want to do a similar thing.

I would like to change the NT Primary account for a mailbox to another user. It's Exchange 5.5 + sp4 on W2k.

Any nice code for this ?


(KiX Master)
2004-01-12 03:30 PM
Re: Creating mailbox in Exchange 5.5

See for example http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnadsi/html/msdn_adsiexch.asp to get you started (not ).

(Hey THIS is FUN)
2004-01-12 03:53 PM
Re: Creating mailbox in Exchange 5.5

Hi Sealeopard

I read on MS with the following quote:

LDAP name = Assoc-NT-Account / The primary NT account associated with this Mailbox


Limitations of ADSI
ADSI cannot yet manipulate Access Control Lists (ACLs), which contain security information about which user has rights on a certain object. It cannot get the Windows NT Security Identifier (SID), the binary representation of a user's account name, and thus cannot set the bits necessary to create the user's rights. Thus developers cannot create a functional Mailbox object completely with ADSI, since a mailbox object requires the NT account SID in the Assoc-NT-Account attribute as well as the correct security rights on the mailbox object in the NT-Security-Descriptor attribute. The capability to manipulate ACLs is expected in a future release.

So it seems that it is not possible to change the NT account with a script.


(KiX Master)
2004-01-12 06:12 PM
Re: Creating mailbox in Exchange 5.5

Yes, that is correct.

(KiX Master Guru)
2004-01-13 01:10 AM
Re: Creating mailbox in Exchange 5.5

nah, shouldn't it work with CSV file that has updated fields...
IIRC, admin.exe allows updating of info...

(KiX Master Guru)
2004-05-07 10:43 AM
Re: Creating mailbox in Exchange 5.5

was checking on this myself once again and started wondering, is there anything new to this?

(Starting to like KiXtart)
2004-05-10 02:38 PM
Re: Creating mailbox in Exchange 5.5

Not that i have found so far.