Recipe 5.15. Getting the List of Delegates for a Mailbox

Problem

You need to know which users have delegate access to a particular mailbox.

Solution

Using a graphical user interface

In Outlook 2003, do the following:
Using a command-line interface

You can use the ldifde utility to dump the publicDelegates attribute for a selected set of users. For example, this command dumps the delegate list for the robichaux.net domain to the file delegates.txt:

    > ldifde -f delegates.txt -d "cn=users,dc=robichaux,dc=net" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"

Using VBScript

    ' This code lists the delegates for the selected mailbox
    ' ------ SCRIPT CONFIGURATION ------
    strDCName = "<serverName>"   ' e.g., "Batman"
    strUserName = "/cn=<userName>, CN=Users, <ForestRootDN>"
    ' ------ END CONFIGURATION ---------

    ' find the target user
    strQuery = "LDAP://" & strDCName & strUserName
    Set theUser = GetObject(strQuery)
    WScript.Echo "Delegates for " & strUserName

    ' GetEx always returns an array, even when only one delegate is set
    ' (Get returns a plain string in that case, which For Each cannot walk)
    On Error Resume Next
    delegateList = theUser.GetEx("publicDelegates")
    If Err.Number = 0 Then
        For Each desc In delegateList
            WScript.Echo desc
        Next
    ElseIf Err.Number = -2147463155 Then   ' E_ADS_PROPERTY_NOT_FOUND
        WScript.Echo "No delegates"
    Else
        ' any other failure is reported instead of being treated as a delegate list
        WScript.Echo "Error 0x" & Hex(Err.Number) & " reading publicDelegates"
    End If

Discussion

The list of delegates is stored as a single AD attribute on the user account: publicDelegates. When you ask Outlook to display the delegate list, it does so by reading that attribute and expanding it, then reading the security descriptors on folders in the mailbox. Outlook also lets you assign permissions explicitly. However, reading publicDelegates directly from the user object doesn't tell you anything about what specific rights the defined delegates have, merely that they exist as delegates. At a minimum, they'll have the ability to send on behalf of the original user.

See Also

Recipe 5.14 to grant full access to a mailbox
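For reviewing who can send on behalf of whom, the ldifde export from the command-line solution can be post-processed. The following Python sketch is an added example, not part of the original recipe: it parses LDIF text (folded lines and base64 "::" values included), builds the mailbox-to-delegate map from publicDelegates, and lists delegates whose own entry shows no matching publicDelegatesBL back link in the export, for instance because they sit outside the -d search base. The function names and all sample entries are constructed for illustration, and the file is assumed to have been read as text already.

```python
import base64
import re
from collections import defaultdict

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per record of an LDIF export."""
    text = re.sub(r"\r?\n ", "", text)        # unfold continuation lines
    record = defaultdict(list)
    for line in text.splitlines() + [""]:     # trailing "" flushes the last record
        if not line.strip():
            if record:
                yield dict(record)
            record = defaultdict(list)
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>" for non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            record[attr.lower()].append(value.strip())

def audit_delegates(text):
    """Return (mailbox DN -> delegate DNs, forward links with no back link seen)."""
    forward, back = defaultdict(set), defaultdict(set)
    for rec in parse_ldif(text):
        dn = rec["dn"][0].lower()             # DNs compare case-insensitively
        forward[dn].update(d.lower() for d in rec.get("publicdelegates", []))
        back[dn].update(m.lower() for m in rec.get("publicdelegatesbl", []))
    unmatched = sorted((m, d) for m, ds in forward.items() for d in ds
                       if m not in back.get(d, ()))
    return {m: sorted(ds) for m, ds in forward.items() if ds}, unmatched

# Constructed sample in the shape of delegates.txt; every name is made up.
ZOE = "CN=Zo\u00eb Example,CN=Users,DC=robichaux,DC=net"
ZOE_B64 = base64.b64encode(ZOE.encode("utf-8")).decode("ascii")
SAMPLE = f"""dn: CN=Alice Example,CN=Users,DC=robichaux,DC=net
publicDelegates: CN=Bob Example,CN=Users,DC=robichaux,DC=net
publicDelegates: CN=Carol Example,CN=Managers,
 DC=robichaux,DC=net

dn:: {ZOE_B64}
publicDelegates: CN=Bob Example,CN=Users,DC=robichaux,DC=net

dn: CN=Bob Example,CN=Users,DC=robichaux,DC=net
publicDelegatesBL: CN=Alice Example,CN=Users,DC=robichaux,DC=net
publicDelegatesBL:: {ZOE_B64}
"""

if __name__ == "__main__":
    mailboxes, unmatched = audit_delegates(SAMPLE)
    print(mailboxes)
    print("no back link in export:", unmatched)
```

As the Discussion notes, this only establishes that a delegate relationship exists; the folder-level rights still have to be read from the mailbox itself.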