如何在創(chuàng)建Exchange郵箱時(shí)設(shè)置權(quán)限

kenwang 2005-12-28

展開(kāi)全文

概要

本文介紹在 Microsoft Active Directory 目錄服務(wù)中為用戶對(duì)象啟用郵箱時(shí)，如何以編程方式修改 Microsoft Exchange Server 2000 或 2003 郵箱的郵箱權(quán)限。

本文包含示例代碼，向您顯示在已經(jīng)為 Exchange 2000 或 2003 信息存儲(chǔ)區(qū)中的用戶創(chuàng)建了實(shí)際郵箱之前，并且已經(jīng)在 Active Directory 中為用戶對(duì)象啟用了郵箱之后，如何設(shè)置 Exchange 2000 或 2003 郵箱的郵箱權(quán)限。

注意：如果 Exchange 2000 或 2003 信息存儲(chǔ)區(qū)中已經(jīng)存在郵箱，則此代碼不起作用。換句話說(shuō)，如果用戶的郵箱已經(jīng)被訪問(wèn)，則該代碼不會(huì)影響用戶郵箱的實(shí)際郵箱權(quán)限。有關(guān)在信息存儲(chǔ)區(qū)中已經(jīng)創(chuàng)建 Exchange 2000 郵箱前后如何設(shè)置該郵箱的郵箱權(quán)限的更多信息，請(qǐng)單擊下面的文章編號(hào)，以查看 Microsoft 知識(shí)庫(kù)中相應(yīng)的文章：

310866 (http://support.microsoft.com/kb/310866/) 如何設(shè)置信息存儲(chǔ)區(qū)中現(xiàn)有郵箱的 Exchange Server 2003 和 Exchange 2000 Server 郵箱權(quán)限

更多信息

在 Exchange 2000 或 2003 組織中，郵箱包含兩部分（在 Microsoft Windows 2000 或 Microsoft Windows Server 2003 域環(huán)境中）。

•	Active Directory 啟用了郵箱的用戶：這只是 Active Directory 中的用戶對(duì)象。此用戶對(duì)象上設(shè)置了多個(gè)相關(guān)郵件屬性和相關(guān)郵箱屬性。
•	Exchange 信息存儲(chǔ)區(qū)中的郵箱文件夾：這是用戶實(shí)際郵件的存儲(chǔ)位置，其中設(shè)置了多個(gè)特定于郵箱的屬性。

郵箱權(quán)限存儲(chǔ)在安全描述符屬性中，該屬性位于信息存儲(chǔ)區(qū)的郵箱中。Active Directory 用戶對(duì)象還有一個(gè)名為 msExchMailboxSecurityDescriptor 的屬性。此屬性設(shè)計(jì)為僅用于反映用戶郵箱的郵箱權(quán)限。

Exchange 2000 或 2003 中郵箱啟用過(guò)程的簡(jiǎn)要概述

下面是在 Active Directory 中創(chuàng)建 Exchange 2000 或 2003 啟用了郵箱的用戶通常所采取的步驟：

1.	域管理員從“Active Directory 用戶和計(jì)算機(jī)”(ADUnC) 管理單元或從使用 Active Directory Services Interfaces (ADSI) 的代碼，創(chuàng)建 Active Directory 用戶對(duì)象并啟用用戶帳戶。
2.	域管理員然后從 ADUnC 或通過(guò) Collaboration Data Objects for Exchange Management (CDOEXM) 中的 ImailboxStore 接口以編程方式為此用戶啟用郵箱。本文的“參考”一節(jié)中包含一個(gè)指向有關(guān) IMailboxStore 接口的文檔的鏈接。不支持除 CDOEXM 之外的任何用于以編程方式為用戶對(duì)象啟用郵箱的方法。這兩種方法可以確保在為用戶對(duì)象啟用郵箱時(shí)該用戶對(duì)象的 msExchMailboxSecurityDescriptor 屬性和其他多個(gè)屬性設(shè)置正確。此步驟主要設(shè)置 Active Directory 中用戶對(duì)象的郵件屬性和郵箱屬性的小子集。此時(shí)，用戶的郵箱還不能訪問(wèn)。
3.	根據(jù)計(jì)劃運(yùn)行的時(shí)間，Exchange 2000 或 2003 服務(wù)器上運(yùn)行的收件人更新服務(wù) (RUS) 會(huì)對(duì)此用戶對(duì)象的其余所有相關(guān)郵件屬性和相關(guān)郵箱屬性進(jìn)行標(biāo)記。此時(shí)，尚未在 Exchange 2000 或 2003 信息存儲(chǔ)區(qū)中創(chuàng)建用戶的郵箱。但是，已經(jīng)完全為用戶啟用了郵箱?，F(xiàn)在，郵箱已經(jīng)可以訪問(wèn)。
4.	用戶第一次訪問(wèn)郵箱或第一封郵件被路由到郵箱時(shí)，將在 Exchange 2000 或 2003 信息存儲(chǔ)區(qū)中創(chuàng)建實(shí)際郵箱。此時(shí)，當(dāng) Exchange 為用戶創(chuàng)建郵箱時(shí)，將在存儲(chǔ)區(qū)中郵箱的安全描述符中設(shè)置郵箱權(quán)限。這基于 msExchMailboxSecurityDescriptor 屬性中設(shè)置的訪問(wèn)控制條目 (ACE)。

msExchMailboxSecurityDesciptor 屬性

此屬性存在于 Active Directory 中的用戶對(duì)象中。它存儲(chǔ)用戶的郵箱安全描述符的部分副本。此屬性不鏈接回用戶的郵箱安全描述符。

換句話說(shuō)，如果直接修改此屬性，將不會(huì)更新 Exchange 信息存儲(chǔ)區(qū)中用戶的郵箱中的實(shí)際郵箱安全描述符，除非在信息存儲(chǔ)區(qū)中創(chuàng)建實(shí)際郵箱之前設(shè)置此屬性。

實(shí)際上，如果由 Active Directory 中用戶對(duì)象的 msExchMailboxSecurityDescriptor 屬性反映的安全描述符和信息存儲(chǔ)區(qū)中用戶郵箱中存儲(chǔ)的安全描述符之間有沖突，Exchange 會(huì)修復(fù) msExchMailboxSecurityDescriptor 屬性以反映用戶郵箱中的安全描述符。如果從 ADUnC 或通過(guò) CDOEXM IExchangeMailbox 接口修改用戶郵箱的安全描述符，則 msExchMailboxSecurityDescriptor 屬性會(huì)自動(dòng)更新以反映這些更改。

使用 msExchMailboxSecurityDescriptor 屬性的限制

•

僅當(dāng)在信息存儲(chǔ)區(qū)中創(chuàng)建郵箱之前設(shè)置此屬性時(shí)，對(duì)此屬性進(jìn)行的更改才會(huì)反映在用戶郵箱的安全描述符中。注意，當(dāng) Active Directory 中啟用了郵箱的用戶第一次訪問(wèn)郵箱或所有郵件都發(fā)送到此用戶時(shí)，將在 Exchange 存儲(chǔ)區(qū)中創(chuàng)建此用戶的 Exchang 2000 和 2003 郵箱。

•

此屬性的另一個(gè)限制是該屬性不反映實(shí)際郵箱的安全描述符中任何繼承的 ACE。因此，讀取此目錄屬性不是讀取用戶的郵箱權(quán)限的最準(zhǔn)確的方法。

使用 msExchMailboxSecurityDescriptor 屬性的優(yōu)點(diǎn)

•

此屬性在 Active Directory 中的用戶對(duì)象上定義。因此，可以使用任何與輕型目錄訪問(wèn)協(xié)議 (LDAP) 兼容的 API（如 ADSI API 或 LDAP API）訪問(wèn)該屬性。

•

因?yàn)榇舜a不需要 CDOEXM，所以您可以從未安裝 Microsoft Exchange 2000 和 2003 系統(tǒng)管理工具的服務(wù)器運(yùn)行該代碼。但是同樣必須在信息存儲(chǔ)區(qū)中創(chuàng)建用戶郵箱之前設(shè)置郵箱權(quán)限。另外，您可以隨時(shí)讀取此用戶郵箱的郵箱權(quán)限。但是請(qǐng)記住本文中提到的限制。（請(qǐng)參閱“使用 msExchMailboxSecurityDescriptor 屬性的限制”一節(jié)。）

如果未在信息存儲(chǔ)區(qū)中創(chuàng)建實(shí)際郵箱之前設(shè)置啟用了郵箱的用戶的 msExchMailboxSecurityDescriptor 屬性，則信息存儲(chǔ)區(qū)中郵箱的實(shí)際安全描述符屬性將不包含具有下列內(nèi)容的 ACE：

•	受信者屬性設(shè)置為本人
•	訪問(wèn)掩碼屬性設(shè)置為郵箱完全控制權(quán)限
•	讀取權(quán)限設(shè)置為允許
•	ACE 類型設(shè)置為允許

如果是這種情況，則當(dāng)用戶嘗試訪問(wèn)公用文件夾或本地 Exchange 服務(wù)器之外的任何資源時(shí)，可能會(huì)遇到問(wèn)題。CDOEXM 庫(kù)中的 IMailboxStore 接口之所以是唯一受支持的以編程方式針對(duì) Exchange 2000 或 2003 存儲(chǔ)區(qū)為 Active Directory 用戶啟用郵箱的機(jī)制，這是其中一個(gè)原因。下面的示例向您顯示如何使用 ADSI 和 CDOEXM 在 Active Directory 中創(chuàng)建啟用了郵箱的用戶對(duì)象。然后，手動(dòng)設(shè)置 msExchMailboxSecurityDescriptor 接口以包含具有代碼中指定的受信者的 ACE。此示例的唯一目的就是向您顯示如何在訪問(wèn)用戶郵箱以及在信息存儲(chǔ)區(qū)中創(chuàng)建用戶郵箱之前設(shè)置此屬性（如果該屬性以前未正確設(shè)置）。

設(shè)置 Visual Basic 環(huán)境以運(yùn)行 Visual Basic 示例

1.	在 Exchange 2000 或 2003 服務(wù)器上啟動(dòng) Microsoft Visual Basic 6.0。
2.	創(chuàng)建一個(gè)新的標(biāo)準(zhǔn) EXE 項(xiàng)目。為此，請(qǐng)單擊文件菜單上的新建，然后雙擊標(biāo)準(zhǔn) EXE。
3.	在項(xiàng)目菜單上，單擊引用，然后選擇“活動(dòng) DS 類型庫(kù)”和“Microsoft CDO for Exchange Management”。
4.	在窗體的源視圖中，鍵入或粘貼以下代碼以替換 Form_Load() 子例程。
5.	將變量 sUserADsPath 中設(shè)置的值更改為您要查看或修改其郵箱權(quán)限的 Active Directory 用戶對(duì)象的 LDAP 路徑。

注意：此示例向您顯示了如何讀取 msExchMailboxSecurityDescriptor 屬性中存儲(chǔ)的郵箱權(quán)限的副本。它還顯示了如何修改郵箱權(quán)限以及向作為受信者的本人 ACE 添加郵箱完全控制權(quán)限的 ACE。

回到頂端

Visual Basic 代碼

‘********************************************************************
‘*
‘* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
‘*            gAceFlags, gFlags, gObjectType, gInheritedObjectType)
‘*
‘* Purpose: Adds an ACE to a DACL
‘* Input:       dacl            Object‘s Discretionary Access Control List
‘*              TrusteeName     SID or Name of the trustee user account
‘*              gAccessMask     Access Permissions
‘*              gAceType        ACE Types
‘*              gAceFlags       Inherit ACEs from the owner of the ACL
‘*              gFlags          ACE has an object type or inherited object type
‘*              gObjectType     Used for Extended Rights
‘*              gInheritedObjectType
‘*
‘* Output:  Object - New DACL with the ACE added
‘*
‘********************************************************************

Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    ‘ Create a new ACE object
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName
    ‘Check to see if ObjectType needs to be set
    If CStr(gObjectType) <> "0" Then
       Ace1.ObjectType = gObjectType
    End If

    ‘Check to see if InheritedObjectType needs to be set
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If
    dacl.AddAce Ace1

    ‘ Destroy objects
    Set Ace1 = Nothing
End Function


Private Sub Form_Load()
Dim objContainer As IADsContainer
Dim objUser As IADsUser
Dim objMailbox As CDOEXM.IMailboxStore
Dim oSecurityDescriptor As SecurityDescriptor
Dim dacl As AccessControlList
Dim ace As AccessControlEntry

‘ ********************************************************************
‘ You must change this variable according to your environment
‘

sContainerADsPath = "LDAP://domain.com/cn=Users,DC=domain,DC=com"
sUserLoginName = "testUser"
sUserFirstName = "Test"
sUserLastName = "User"
sMBXStoreDN = "CN=Mailbox Store (ExServer),CN=First Storage Group," & _
   "CN=InformationStore,CN=ExServer,CN=Servers,CN=AdminGP," & _
   "CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange," & _
   "CN=Services,CN=Configuration,DC=domain,DC=com"
sTrustee = "domainName\userName"
‘ ********************************************************************

‘ Get directory container object object
Set objContainer = GetObject(sContainerADsPath)

‘ Create the user object in the target container in Active Directory
Set objUser = objContainer.Create("User", "CN=" & sUserFirstName & " " & _
              sUserLastName)
objUser.Put "samAccountName", sUserLoginName
objUser.Put "givenName", sUserFirstName
objUser.Put "sn", sUserLastName
objUser.SetInfo
objUser.SetPassword "password"
objUser.SetInfo

‘ Mailbox-enable the user object by using the CDOEXM::IMailboxStore
‘ interface
‘ This also sets the msExchMailboxSecurityDescriptor appropriately
Set objMailbox = objUser
objMailbox.CreateMailbox sMBXStoreDN
objUser.SetInfo

‘**************************************************************************
‘  The msExchMailboxSecurityDescriptor attribute is a backlink attribute
‘   from the Exchange Mailbox in the Web store to the directory. What this
‘   implies is that the mailbox rights are stored on the actual mailbox in
‘   the Web store and this directory attribute reflects these mailbox
‘   rights.
‘  By default, changing this attribute does not affect the mailbox rights
‘   in the store. This attribute can only be modified before the actual
‘   mailbox in the store is created. If it is set before the mailbox in
‘   the Web store is created, Exchange will use the DACL set on this
‘   attribute as the DACL for mailbox rights on the mailbox in the store.
‘   Therefore, it can only be set before the mailbox-creation time.
‘  On installing Exchange 2000 SP2 on the Exchange Server where this code
‘   is being run, that would enable modifying the actual mailbox rights
‘   even after mailbox creation.
‘**************************************************************************

‘ Get the copy Mailbox Security Descriptor (SD) stored on the
‘ msExchMailboxSecurityDescriptor attribute
objUser.GetInfoEx Array("msExchMailboxSecurityDescriptor"), 0
Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")

‘ Extract the Discretionary Access Control List (ACL) using the
‘ IADsSecurityDescriptor interface
Set dacl = oSecurityDescriptor.DiscretionaryAcl

‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
‘  The following block of code demonstrates reading all the ACEs on a
‘  DACL for the Exchange 2000 mailbox.
‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘Debug.Print "Here are the existing ACEs the mailbox‘s DACL - "

‘ Enumerate all the access control entries (ACEs) in the ACL using
‘ the IADsAccessControlList interface, thus displaying the current
‘ mailbox rights
Debug.Print "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
Debug.Print "-------  ----------  -------  --------  -----  ----------" & _
            " -------------------"
Debug.Print

For Each ace In dacl
‘ Display all the ACEs‘ properties by using the IADsAccessControlEntry
‘ interface
    Debug.Print ace.Trustee & ", " & ace.AccessMask & ", " & _
      ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
      ace.ObjectType & ", " & ace.InheritedObjectType
Next

‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
‘  The following block of code demonstrates adding a new ACE to the DACL
‘  for the Exchange 2000 mailbox with the Trustee specified in sTrustee,
‘  giving allow "Full Control" over this mailbox.
‘  This is the same task that is performed by ADUnC when selecting Add,
‘  specifying the Trustee, and checking the "Full Mailbox Access" Rights
‘  checkbox under the Mailbox Rights in the Exchange Advanced tab on the
‘  properties of a user.
‘  Similarly, you could remove ACEs from this ACL as well using the
‘  IADsAccessControlEntry interfaces.
‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘

‘ Template: AddAce(TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
‘ Setting the Access Mask to 131075 enables "full mailbox access" and
‘ "read" privileges
AddAce dacl, sTrustee, 131075, _
       ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0

‘ Add the modified DACL back onto the Security Descriptor
oSecurityDescriptor.DiscretionaryAcl = dacl

‘ Save New SD onto the user
objUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor

‘ Commit changes from the property cache to the Information Store
objUser.SetInfo

MsgBox "Done viewing and modifying the copy of the Mailbox Security Descriptor"

End Sub

回到頂端

Visual Basic 腳本代碼

Dim objContainer
Dim objUser
Dim objMailbox
Dim oSecurityDescriptor
Dim dacl
Dim ace

‘ ********************************************************************
‘ You must change this variable according to your environment
‘

sContainerADsPath = "LDAP://domain.com/cn=Users,DC=domain,DC=com"
sUserLoginName = "testUser"
sUserFirstName = "Test"
sUserLastName = "User"
sMBXStoreDN = "CN=Mailbox Store (ExServer),CN=First Storage Group," & _
   "CN=InformationStore,CN=ExServer,CN=Servers,CN=AdminGP," & _
   "CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange," & _
   "CN=Services,CN=Configuration,DC=domain,DC=com"
sTrustee = "domainName\userName"
‘ ********************************************************************

‘ Get directory container object object
Set objContainer = GetObject(sContainerADsPath)

‘ Create the user object in the target container in Active Directory
Set objUser = objContainer.Create("User", "CN=" & sUserFirstName & " " & _
              sUserLastName)
objUser.Put "samAccountName", sUserLoginName
objUser.Put "givenName", sUserFirstName
objUser.Put "sn", sUserLastName
objUser.SetInfo
objUser.SetPassword "password"
objUser.SetInfo

‘ Mailbox enable the user object by using the CDOEXM::IMailboxStore
‘ interface
‘ This also sets the msExchMailboxSecurityDescriptor appropriately
Set objMailbox = objUser
objMailbox.CreateMailbox sMBXStoreDN
objUser.SetInfo

‘**************************************************************************
‘  The msExchMailboxSecurityDescriptor attribute is a backlink attribute
‘   from the Exchange Mailbox in the Web Store to the directory. What this
‘   implies is that the mailbox rights are stored on the actual mailbox in
‘   the Web store and this directory attribute reflects these mailbox
‘   rights.
‘  By default, changing this attribute does not affect the mailbox rights
‘   in the store. This attribute can only be modified before the actual
‘   mailbox in the store is created. If it is set before the mailbox in
‘   the Web store is created, Exchange will use the DACL set on this
‘   attribute as the DACL for mailbox rights on the mailbox in the store.
‘   Therefore, it can only be set before the mailbox creation time.
‘  On installing Exchange 2000 SP2 on the Exchange Server where this code
‘   is being run, that would enable modifying the actual mailbox rights
‘   even after mailbox creation.
‘**************************************************************************

‘ Get the copy Mailbox Security Descriptor (SD) stored on the
‘ msExchMailboxSecurityDescriptor attribute
objUser.GetInfoEx Array("msExchMailboxSecurityDescriptor"), 0
Set oSecurityDescriptor = objUser.Get("msExchMailboxSecurityDescriptor")

‘ Extract the Discretionary Access Control List (ACL) using the
‘ IADsSecurityDescriptor interface
Set dacl = oSecurityDescriptor.DiscretionaryAcl

‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
‘  The following block of code demonstrates reading all the ACEs on a
‘  DACL for the Exchange 2000 mailbox.
‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘Wscript.echo "Here are the existing ACEs the mailbox‘s DACL - "

‘ Enumerate all the access control entries (ACEs) in the ACL using
‘ the IADsAccessControlList interface, thus displaying the current
‘ mailbox rights
Wscript.echo "Trustee, AccessMask, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
Wscript.echo "-------  ----------  -------  --------  -----  ----------" & _
            " -------------------"
Wscript.echo

For Each ace In dacl
‘ Display all the ACEs‘ properties using the IADsAccessControlEntry
‘ interface
    Wscript.echo ace.Trustee & ", " & ace.AccessMask & ", " & _
      ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & _
      ace.ObjectType & ", " & ace.InheritedObjectType
Next

‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
‘  The following block of code demonstrates adding a new ACE to the DACL
‘  for the Exchange 2000 mailbox with the Trustee specified in sTrustee,
‘  giving allow "Full Control" over this mailbox.
‘  This is the same task that is performed by ADUnC when selecting Add,
‘  specifying the Trustee, and checking the "Full Mailbox Access" Rights
‘  checkbox under the Mailbox Rights in the Exchange Advanced tab on the
‘  properties of a user.
‘  Similarly, you could remove ACEs from this ACL as well using the
‘  IADsAccessControlEntry interfaces.
‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘

‘ Template: AddAce(TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
‘ Setting the Access Mask to 131075 enables "full mailbox access" and
‘ "read" priviledges
AddAce dacl, sTrustee, 131075, _
       ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0

‘ Add the modified DACL back onto the Security Descriptor
oSecurityDescriptor.DiscretionaryAcl = dacl

‘ Save New SD onto the user
objUser.Put "msExchMailboxSecurityDescriptor", oSecurityDescriptor

‘ Commit changes from the property cache to the information store
objUser.SetInfo

MsgBox "Done viewing and modifying the copy of the Mailbox Security Descriptor"


‘********************************************************************
‘*
‘* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
‘*            gAceFlags, gFlags, gObjectType, gInheritedObjectType)
‘*
‘* Purpose: Adds an ACE to a DACL
‘* Input:       dacl            Object‘s Discretionary Access Control List
‘*              TrusteeName     SID or Name of the trustee user account
‘*              gAccessMask     Access Permissions
‘*              gAceType        ACE Types
‘*              gAceFlags       Inherit ACEs from the owner of the ACL
‘*              gFlags          ACE has an object type or inherited object type
‘*              gObjectType     Used for Extended Rights
‘*              gInheritedObjectType
‘*
‘* Output:  Object - New DACL with the ACE added
‘*
‘********************************************************************

Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
    Dim Ace1
    ‘ Create a new ACE object
    Set Ace1 = CreateObject("AccessControlEntry")
    Ace1.AccessMask = gAccessMask
    Ace1.AceType = gAceType
    Ace1.AceFlags = gAceFlags
    Ace1.Flags = gFlags
    Ace1.Trustee = TrusteeName
    ‘Check to see if ObjectType needs to be set
    If CStr(gObjectType) <> "0" Then
       Ace1.ObjectType = gObjectType
    End If

    ‘Check to see if InheritedObjectType needs to be set
    If CStr(gInheritedObjectType) <> "0" Then
        Ace1.InheritedObjectType = gInheritedObjectType
    End If
    dacl.AddAce Ace1

    ‘ Destroy objects
    Set Ace1 = Nothing
End Function

參考

有關(guān) CDOEXM IMailboxStore::CreateMailbox 的更多信息，請(qǐng)?jiān)L問(wèn)下面的 Microsoft 網(wǎng)站：

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/_cdo_imailboxstore_createmailbox.asp (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/_cdo_imailboxstore_createmailbox.asp)

有關(guān) ADSI 中相關(guān)安全接口的更多信息，請(qǐng)?jiān)L問(wèn)下面的 Microsoft 網(wǎng)站：

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/security_interfaces.asp (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/security_interfaces.asp)

Adssecurity.dll 是 Active Directory Service Interfaces (ADSI) 2.5 資源工具包的一部分。要下載 ADSI 2.5 資源工具包，請(qǐng)?jiān)L問(wèn)下面的 Microsoft 網(wǎng)站。使用 Regsvr32 注冊(cè) ADsSecurity.dll。

http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/default.asp (http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/default.asp)

有關(guān)關(guān)聯(lián)的外部帳戶的更多信息，請(qǐng)單擊下面的文章編號(hào)，以查看 Microsoft 知識(shí)庫(kù)中相應(yīng)的文章：

278888 (http://support.microsoft.com/kb/278888/) 如何將 Exchange 2000 郵箱或 Exchange 2003 郵箱與 Windows NT 4.0 帳戶關(guān)聯(lián)

本站是提供個(gè)人知識(shí)管理的網(wǎng)絡(luò)存儲(chǔ)空間，所有內(nèi)容均由用戶發(fā)布，不代表本站觀點(diǎn)。請(qǐng)注意甄別內(nèi)容中的聯(lián)系方式、誘導(dǎo)購(gòu)買(mǎi)等信息，謹(jǐn)防詐騙。如發(fā)現(xiàn)有害或侵權(quán)內(nèi)容，請(qǐng)點(diǎn)擊一鍵舉報(bào)。

轉(zhuǎn)藏 分享

QQ空間 QQ好友新浪微博微信

獻(xiàn)花（0） +1

來(lái)自： kenwang > 《我的圖書(shū)館》

舉報(bào)/認(rèn)領(lǐng)