Friday, October 3, 2008

Scripts to Create Archive Attender Service Account

Save this one as usercreation.vbs or something along those lines:

'Creates ArchiveUser in the Archive OU and assigns Password

Option Explicit
Dim objRootLDAP, objContainer, objUser, objShell, objNetwork, objLocalGroup, objDomainGroup, objWshNet
Dim strUser, strName, strContainer, strPassword, strDescription, strDomain, strLogon, strLastName, strDisplayName, strComputer

Set objWshNet = CreateObject("WScript.Network")
strUser = "ArchiveUser"
strName = "Archive"
strContainer = "OU=Archive ,"
strPassword = "Password"
strDescription = "Archive Attender Service Account"
strLogon = "ArchiveUser"
'Automatically pulls Domain
strDomain = objWshNet.UserDomain
strLastName = "Archive"
strDisplayName ="ArchiveUser"

'Gets you bound to AD
Set objRootLDAP = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strContainer & _

' Performs user creation
Set objUser = objContainer.Create("User", "cn=" & strUser)
objUser.Put "sAMAccountName", strUser '25
objUser.Put "givenName", strName
objUser.put "sn",strLastName
objUser.put "UserPrincipalName",lcase(strLogon)&"@"&strDomain
objUser.put "DisplayName",strDisplayName
objUser.put "name",strName
objUser.put "description",strDescription

' Do not force a change of password on first login
objUser.SetPassword strPassword
objUser.Put "pwdLastSet", CLng(-1)

' Enable the user account
objUser.Put "userAccountControl", 512
objUser.Put "userAccountControl", &H10000


Now that we have a user, lets give themlocal admin rights.  You can name this localadmin.vbs or something like that:

Set objWshNet = CreateObject("WScript.Network")

strDomain = objWshNet.UserDomain
strComputer = objWshNet.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

strUser = "ArchiveUser"
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

'Add user to group

If Not objGroup.IsMember(objUser.ADsPath) Then
End If

We now have a user with local admin rights.   What about Exchange rights though?  

For Exchange 2007:

Create this script and name is ExchangeRights.ps1:

Add-ExchangeAdministrator -Identity ArchiveUser -role 'orgadmin'
$server = Get-MailboxServer
Add-ADPermission -Identity $server.Identity -User "ArchiveUser" -ExtendedRights ("Send As", "Receive As")
Get-MailboxDatabase | Add-ADPermission -user ArchiveUser -AccessRights GenericAll -ExtendedRights ("Send As", "Receive As", "MS-EXCH-STORE-ADMIN")

For Exchange 2003:

First enable the security tab to be displayed in ESM via this registry key:


Value Name: ShowSecurityPage
Data Type: REG_DWORD
Value: 1  

Once that is done, you need only do to the org level in ESM and add full rights for your new account (be sure to include Send As / Receive As rights).  If it isn't working, be sure that you didn't inadvertantly add the user to Domain Admins.  Domain Admins was set to have an explicit deny set for send/receive as as part of Microsoft's security push.

If you are not wanting to set permissions at the org level, you can set the permission levels down further so long as they apply to all the users/databases that you wish to process against.

No comments: