Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
Recipe 5.15. Getting the List of Delegates for a Mailbox
Problem
You need to know which users have delegate access to a particular mailbox.
Solution
Using a graphical user interface
In Outlook 2003, do the following:
Using a command-line interface
You can use the ldifde utility to dump the publicDelegates attribute for a selected set of users. For example, this command dumps the delegate list for the robichaux.net domain to the file delegates.txt:

> ldifde -f delegates.txt -d "cn=users,dc=robichaux,dc=net" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"
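An added example, not from the book: a Python parser for the delegates.txt file the ldifde command above writes. It unfolds wrapped lines, decodes base64 ("::") values, and merges publicDelegates with its back-link publicDelegatesBL, so mailbox owners outside the search base still show up. The sample LDIF and the names parse_entries and delegate_map are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# Constructed sample shaped like ldifde output: folded line, base64 DN, out-of-scope back-link.
ZOE_DN = "CN=Zo\u00eb Example,CN=Users,DC=robichaux,DC=net"
ZOE_B64 = base64.b64encode(ZOE_DN.encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
dn: CN=Alice Example,CN=Users,DC=robichaux,DC=net
changetype: add
name: Alice Example
publicDelegates: CN=Bob Example,CN=Users,DC=robichaux,DC=net
publicDelegates: CN=Carol Example,CN=Users,DC=robichaux,
 DC=net

dn: CN=Bob Example,CN=Users,DC=robichaux,DC=net
changetype: add
name: Bob Example
publicDelegatesBL: CN=Alice Example,CN=Users,DC=robichaux,DC=net
publicDelegatesBL: CN=Dana Example,OU=Staff,DC=robichaux,DC=net

dn:: {ZOE_B64}
changetype: add
publicDelegates: CN=Bob Example,CN=Users,DC=robichaux,DC=net
"""

def parse_entries(text):
    """Parse LDIF text (folded lines, base64 values) into {attribute: [values]} dicts."""
    entries, cur = [], defaultdict(list)
    # Unfold first (newline + one space continues a line); trailing "" flushes the last entry.
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:
        if line.strip():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" carries UTF-8 bytes
                value = base64.b64decode(value[1:]).decode("utf-8")
            cur[attr.lower()].append(value.strip())
        elif cur:
            entries.append(dict(cur))
            cur = defaultdict(list)
    return entries

def delegate_map(text):
    """Map each mailbox owner's DN to the sorted DNs of its delegates."""
    owners = defaultdict(set)
    for entry in parse_entries(text):
        dn = entry["dn"][0]
        owners[dn].update(entry.get("publicdelegates", []))
        for owner in entry.get("publicdelegatesbl", []):  # back-link: dn is a delegate of owner
            owners[owner].add(dn)
    return {owner: sorted(found) for owner, found in owners.items() if found}
```

To review a real export, pass the contents of delegates.txt to delegate_map. The result shows who is listed as a delegate for each owner, not which folder rights they hold.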
Using VBScript
' This code lists the delegates for the selected mailbox
' ------ SCRIPT CONFIGURATION ------
strDCName = "<serverName>" ' e.g., "Batman"
strUserName = "/cn=<userName>, CN=Users, <ForestRootDN>"
' ------ END CONFIGURATION ---------

' find the target user
strQuery = "LDAP://" & strDCName & strUserName
Set theUser = GetObject(strQuery)
WScript.Echo "Delegates for " & strUserName

' GetEx always returns an array, even when the attribute holds a single value
' (Get returns a plain string in that case, and For Each would fail on it)
On Error Resume Next
delegateList = theUser.GetEx("publicDelegates")
' -2147463155 is 0x8000500D (E_ADS_PROPERTY_NOT_FOUND): the attribute is not set
If Err.Number <> -2147463155 Then
    For Each desc In delegateList
        WScript.Echo desc
    Next
Else
    WScript.Echo "No delegates"
End If
Discussion
The list of delegates is stored as a single AD attribute on the user account: publicDelegates. When you ask Outlook to display the delegate list, it does so by reading that attribute and expanding it, then reading the security descriptors on folders in the mailbox. It also allows you to explicitly assign permissions. However, reading publicDelegates directly from the user object doesn't tell you anything about what specific rights the defined delegates have, merely that they exist as delegates. At a minimum, they'll have the ability to send on behalf of the original user.
See Also
Recipe 5.14 to grant full access to a mailbox