Active-Directory

Exchange 2010 automapping does not work when permissions are granted via a group

  • May 18, 2015

I have a shared mailbox that I need to roll out to one of our departments, in an Exchange 2010 SP2 environment with Outlook 2010 clients. For obvious reasons I tried to rely on the automapping feature introduced in Exchange 2010 SP1, but it doesn't work.

On closer inspection, this turns out to be because it doesn't work with groups, which neatly stops it from being a useful feature for anyone who manages more than a handful of mail users.

The link above contains a workaround PowerShell script that reads the group's membership and adds those members directly with Full Access, but this doesn't provide a way to update automapping when people join or leave the department.

Does anyone know how to make this feature work when a group is used to grant users Full Access to a mailbox? (Or have any ideas on how to work around it, even? Right now I'm considering a PowerShell script that periodically updates the relevant AD attribute, but... there has to be a better way.)

I created this script when we ran into the same problem. It may not be the prettiest thing in the world, but it gets the job done. I have a separate OU for the access groups and another for the resource mailboxes. The A- groups and the resource mailboxes use the same name, except for the "A-" prefix on the group.

For example, A-RESMBX1 for the group name and RESMBX1 for the resource mailbox.

The script enumerates the groups in the Groups OU, then enumerates the resource mailboxes in the Resource Mailboxes OU. It then loops through each group and finds the matching resource mailbox. When a match is found, it enumerates the group's users and adds them to the msExchDelegateListLink attribute of the resource mailbox.

It also removes from the msExchDelegateListLink attribute any users who are no longer members of the associated access group. I run it as a scheduled task on a DC.

Our need came from the high turnover of interns who need access to a large number of resource mailboxes.

You will need to update the LDAP paths of the OUs for $Groups and $ResMBXs, as well as your DC name in $DomainController.

Import-Module ActiveDirectory
$DomainController = "MYDOMAINCONTROLLER"
$Groups  = Get-ADGroup -Filter * -SearchBase 'OU=Groups,OU=Resource Mailboxes,DC=mydomain,DC=com' -Server $DomainController | Sort-Object Name
$ResMBXs = Get-ADUser  -Filter * -SearchBase 'OU=Resource Mailboxes,DC=mydomain,DC=com' -Server $DomainController -Properties msExchDelegateListLink | Sort-Object Name

Write-Host "Enumerating Groups and Resource Mailboxes..."
Write-Host ""

# IsMember function is borrowed from: http://gallery.technet.microsoft.com/scriptcenter/5adf9ad0-1abf-4557-85cd-657da1cc7df4
# Hash table of security principals and their security group memberships.
$GroupList = @{}

Function IsMember ($ADObject, $GroupName)
{
    # Function to check if $ADObject is a member of security group $GroupName.
    # $ADObject is a DirectoryEntry ([ADSI]) object; tokenGroups also covers nested group membership.

    # Check if security group memberships for this principal have been determined.
    If ($GroupList.ContainsKey($ADObject.sAMAccountName.ToString() + "\") -eq $False)
    {
        # Memberships need to be determined for this principal. Add "pre-Windows 2000"
        # name to the hash table.
        $GroupList.Add($ADObject.sAMAccountName.ToString() + "\", $True)
        # Retrieve tokenGroups attribute of principal, which is operational (constructed on read).
        $ADObject.psbase.RefreshCache("tokenGroups")
        $SIDs = $ADObject.psbase.Properties.Item("tokenGroups")
        # Populate hash table with security group memberships.
        ForEach ($Value In $SIDs)
        {
            $SID = New-Object System.Security.Principal.SecurityIdentifier $Value, 0
            # Translate into "pre-Windows 2000" name.
            $Group = $SID.Translate([System.Security.Principal.NTAccount])
            $GroupList.Add($ADObject.sAMAccountName.ToString() + "\" + $Group.Value.Split("\")[1], $True)
        }
    }
    # Check if $ADObject is a member of $GroupName.
    If ($GroupList.ContainsKey($ADObject.sAMAccountName.ToString() + "\" + $GroupName))
    {
        Return $True
    }
    Else
    {
        Return $False
    }
}

Foreach ($gr in $Groups) {

    Foreach ($mbx in $ResMBXs) {
        $MBXName  = "A-" + $mbx.Name
        $LDAPUser = [ADSI]"LDAP://$($DomainController)/$($mbx.distinguishedName)"

        if ($gr.Name -eq $MBXName)
        {
            $AddedUsers = @()   # collect names in an array so they are not concatenated into one string
            # Build an array of DNs from each group
            $Members = Get-ADGroupMember $gr -Server $DomainController
            if ($Members -ne $Null)
            {
                Foreach ($mbr in $Members) {
                    # Skip DNs that are already present: adding an existing value makes SetInfo() fail
                    if ($mbr.distinguishedName -ne $Null -and
                        $LDAPUser.msExchDelegateListLink -notcontains $mbr.distinguishedName)
                    {
                        $LDAPUser.msExchDelegateListLink.Add($mbr.distinguishedName)
                        $LDAPUser.SetInfo()
                    }
                    $AddedUsers += $mbr.Name
                }
            }
            Else { Write-Host -foregroundcolor darkyellow "Group contains no members..."; Write-Host "" }

            if ($mbx.msExchDelegateListLink -ne $Null) {
                $ACLUsers = $mbx.msExchDelegateListLink
                Foreach ($ACLUser in $ACLUsers)
                {
                    # Check if user is a member of the current group
                    # If not, remove from attribute
                    $user   = [ADSI]"LDAP://$($DomainController)/$($ACLUser)"
                    $userDN = Get-ADUser $ACLUser -Server $DomainController
                    $mem    = IsMember $user $gr.Name
                    If ($mem -eq $False)
                    {
                        $LDAPUser.msExchDelegateListLink.Remove($userDN.distinguishedName)
                        $LDAPUser.SetInfo()
                        Write-Host "The Following User was removed from: " -nonewline; Write-Host -foregroundcolor yellow $mbx.Name
                        Write-Host -nonewline -foregroundcolor darkyellow " " $userDN.Name
                        Write-Host ""
                    }
                }
            }
            $Members = ""
            Write-Host "The Following Users were added to: " -nonewline; Write-Host -foregroundcolor yellow $mbx.Name
            Write-Host ""
            Write-Host -foregroundcolor darkyellow $AddedUsers
            Write-Host ""
        }
    }

}
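The same group-to-attribute sync as described in the answer above, written as an added example (not the answer's script and not Microsoft code) that uses only the ActiveDirectory module instead of ADSI binds. It computes the difference between the access group's recursive membership and the mailbox's current msExchDelegateListLink, writes only the delta with Set-ADUser -Add/-Remove (so it is idempotent and never tries to add a DN that is already present), and supports -WhatIf for a dry run. The "A-" naming convention is the answer's; the OU paths and domain controller name are placeholders to replace.

```powershell
# Added example: idempotent sync of msExchDelegateListLink from access-group membership.
# Assumes the answer's convention of one "A-<MailboxName>" group per resource mailbox.
# OU paths and $DomainController below are placeholders, not values from the original post.
Import-Module ActiveDirectory

function Sync-AutomapDelegates {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$DomainController = 'DC01.example.com',                                # placeholder
        [string]$GroupOU          = 'OU=Groups,OU=Resource Mailboxes,DC=example,DC=com', # placeholder
        [string]$MailboxOU        = 'OU=Resource Mailboxes,DC=example,DC=com',           # placeholder
        [string]$GroupPrefix      = 'A-'
    )

    # OneLevel so the Groups sub-OU is not searched for mailbox users
    $mailboxes = Get-ADUser -Filter * -SearchBase $MailboxOU -SearchScope OneLevel `
                            -Server $DomainController -Properties msExchDelegateListLink

    foreach ($mbx in $mailboxes) {
        $groupName = $GroupPrefix + $mbx.Name
        $group = Get-ADGroup -LDAPFilter "(name=$groupName)" -SearchBase $GroupOU -Server $DomainController
        if (-not $group) {
            Write-Warning "No access group '$groupName' for mailbox $($mbx.Name); skipping"
            continue
        }

        # -Recursive expands nested groups, so a user who is a member via a nested group still maps
        $wanted  = @(Get-ADGroupMember -Identity $group -Recursive -Server $DomainController |
                     Where-Object { $_.objectClass -eq 'user' } |
                     Select-Object -ExpandProperty distinguishedName)
        $current = @($mbx.msExchDelegateListLink)

        # Only the delta is written; users already listed are left untouched
        $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
        $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

        if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($mbx.Name, "add $($toAdd.Count) delegate(s)")) {
            Set-ADUser -Identity $mbx -Add @{ msExchDelegateListLink = $toAdd } -Server $DomainController
        }
        if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($mbx.Name, "remove $($toRemove.Count) delegate(s)")) {
            Set-ADUser -Identity $mbx -Remove @{ msExchDelegateListLink = $toRemove } -Server $DomainController
        }

        # Emit a change record per mailbox so the scheduled task can log what it did
        [pscustomobject]@{ Mailbox = $mbx.Name; Added = $toAdd; Removed = $toRemove }
    }
}

# Dry run first, then apply and keep the change records
Sync-AutomapDelegates -WhatIf
Sync-AutomapDelegates | Format-List
```

Two points worth keeping in mind when running anything like this. msExchDelegateListLink only tells Autodiscover which additional mailboxes Outlook should open; it grants no access by itself, so the script should only ever write DNs of accounts that are in fact members of the group that holds Full Access, which is why it derives the list from the group rather than from any other source. Run it under an account that has write permission on that attribute for the mailbox OU and nothing more, and review the -WhatIf output before scheduling it.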

Source: https://serverfault.com/questions/487961