Mailperm.wsc COM object

This is the main object that the whole process revolves around. It is essentially a WSC (Windows Script Component) COM object with two functions, each of which takes one parameter and returns one value.

RestUser function

The RestUser function adds the restrictions to a user's mailbox. It takes one parameter, the Distinguished Name (DN) of the user. With the DN it binds to the user object with GetObject and then modifies the authOrig and submissionContLength Active Directory attributes. authOrig is the list of senders permitted to deliver to the mailbox, so setting it to a single DN stops everyone else sending to the user; submissionContLength is the user's outgoing message size limit in KB, so setting it to 1 stops the user sending anything useful.

function restuser(CUserID)
on error resume next
qsting = "LDAP://" & CUserID
set objUser = GetObject(qsting)
' Only this one DN may still send to the restricted mailbox (change it for your domain)
objUser.Put "authOrig", "CN=administrator,CN=Users,DC=yourdomain,DC=com"
' Outgoing message size limit in KB
objUser.Put "submissionContlength", 1
objUser.setinfo
if err.number <> 0 then
restuser = "Error"
else
' Return the user's email address for the notification mail
restuser = objUser.mail
end if
end function

After SetInfo is called the function checks for any errors and then either returns the string "Error" to the calling application or returns the email address of the user, which the calling script then uses to send a notification email. Note that "on error resume next" hides the cause of a failure: a mistyped DN, insufficient rights on the two attributes and a value that fails schema validation all come back as the same "Error" string, so check err.description while debugging.

UnrestUser function

The UnrestUser function removes the restrictions from a user's mailbox. It takes one parameter, the DN of the user, binds to the object with GetObject and then clears the authOrig and submissionContLength attributes with PutEx. Control code 1 is ADS_PROPERTY_CLEAR; the value argument is ignored for a clear, which is why 0 is passed.

function unrestuser(CUserID)
on error resume next
qsting = "LDAP://" & CUserID
set objUser = GetObject(qsting)
' ADS_PROPERTY_CLEAR (1) removes the attribute entirely; the value argument is ignored
objUser.PutEx 1, "authOrig", 0
objUser.PutEx 1, "submissionContlength", 0
objUser.setinfo
if err.number <> 0 then
unrestuser = "Error"
else
' Return the user's email address, as restuser does
unrestuser = objUser.mail
end if
end function

After SetInfo is called the function checks for any errors and then either returns "Error" to the calling application or returns the email address of the user, which the calling ASP page then uses to send an email.

Installing and using the COM+ object

The COM object should be installed on whichever machine will host the email policy approval web pages, so that machine needs to be running IIS. The ADSI code itself works from any machine in your network running Windows 2000 or later. There is one hard-coded line you need to change: the DN of the one user who will still be able to send mail to a restricted mailbox. The easiest way to get a user's DN is ADSIEdit or CSVDE.

objUser.Put "authOrig", "CN=administrator,CN=Users,DC=yourdomain,DC=com"

Register the COM object

To register the object, right-click the mailperm.wsc file and select Register from the context menu.

Creating a COM+ wrapper for your object

Once you have built and registered the object you need to create a COM+ wrapper for it so that you can set the user context it runs under. In Component Services (under Administrative Tools) create a new empty COM+ application and call it, for instance, mailperm. This starts the COM+ application creation wizard; on the Identity screen select "This user" and specify the account the COM+ application will run under (see below).

Specify a user for the Mailperm COM+ object

For the MAILPERM COM object to work it must run under an account that has rights to modify the authOrig and submissionContLength attributes on every user in your domain. There are a few ways to arrange this. The easiest is to use an account with administrative rights in the domain, but that is the least secure option: the COM+ identity is the account whose directory rights every caller of the object effectively uses, so a flaw in the approval pages, or anything else able to call the component, would be acting with those administrative rights.
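The same restrict and unrestrict operations done from PowerShell through the ADSI interface the WSC object uses, as an added example that is not the article's mailperm.wsc. It keeps the page's technique (Put on authOrig and submissionContLength, PutEx with ADS_PROPERTY_CLEAR to remove them) but lets SetInfo raise its real error instead of swallowing it, and reads the attributes back from the directory to confirm the change took. The user DN, the allowed-sender DN, the domain name and the function names are placeholders, not from the article.

```powershell
# Added example (not the article's mailperm.wsc): the authOrig /
# submissionContLength restriction done from PowerShell through the same
# ADSI interface, with errors surfaced and the result read back from the
# directory instead of assumed.
# Assumptions (not from the article): DNs and domain names below are
# placeholders; the account running this has write access to both attributes.

$ADS_PROPERTY_CLEAR = 1   # IADs::PutEx control code, the same "1" the WSC object passes

function Get-MailboxRestriction {
    param([Parameter(Mandatory)] [string] $UserDN)
    # Fresh bind each time so we read what the DC holds, not a stale property cache.
    $user = [ADSI]"LDAP://$UserDN"
    [pscustomobject]@{
        Mail                 = [string]$user.mail
        AuthOrig             = @($user.authOrig)                 # DNs allowed to send to this mailbox
        SubmissionContLength = $user.submissionContLength.Value  # outbound cap in KB, $null when unset
    }
}

function Set-MailboxRestriction {
    param(
        [Parameter(Mandatory)] [string] $UserDN,
        [Parameter(Mandatory)] [string] $AllowedSenderDN   # the one DN still allowed to mail the user
    )
    $user = [ADSI]"LDAP://$UserDN"
    # authOrig: everyone except the listed DN is refused when sending to this mailbox.
    $user.Put("authOrig", $AllowedSenderDN)
    # submissionContLength: outgoing message size limit in KB; 1 KB blocks real mail.
    $user.Put("submissionContLength", 1)
    # SetInfo throws on a bad DN, a schema violation or missing rights; no On Error Resume Next.
    $user.SetInfo()

    # Read back: a write that "succeeded" but did not land is the failure mode to catch.
    $state = Get-MailboxRestriction -UserDN $UserDN
    if ($state.SubmissionContLength -ne 1 -or $state.AuthOrig -notcontains $AllowedSenderDN) {
        throw "Restriction was written but does not read back for $UserDN"
    }
    return $state.Mail    # what the approval page needs for its notification email
}

function Clear-MailboxRestriction {
    param([Parameter(Mandatory)] [string] $UserDN)
    $user = [ADSI]"LDAP://$UserDN"
    # ADS_PROPERTY_CLEAR removes the attribute entirely; the value argument is ignored.
    $user.PutEx($ADS_PROPERTY_CLEAR, "authOrig", 0)
    $user.PutEx($ADS_PROPERTY_CLEAR, "submissionContLength", 0)
    $user.SetInfo()

    $state = Get-MailboxRestriction -UserDN $UserDN
    if ($state.AuthOrig.Count -ne 0 -or $null -ne $state.SubmissionContLength) {
        throw "Restriction is still present on $UserDN"
    }
    return $state.Mail
}

# Usage (placeholders; this writes to the directory, so run it deliberately):
# Set-MailboxRestriction -UserDN "CN=Jane Doe,OU=Staff,DC=yourdomain,DC=com" `
#     -AllowedSenderDN "CN=administrator,CN=Users,DC=yourdomain,DC=com"
# Clear-MailboxRestriction -UserDN "CN=Jane Doe,OU=Staff,DC=yourdomain,DC=com"
```

Run this under the same account you intend to give the COM+ application: if SetInfo fails here with an access-denied error, the delegation on the two attributes is what needs fixing, not the web pages. Passing the allowed sender as a parameter also removes the hard-coded administrator DN that the WSC object makes you edit by hand.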
The most secure way is to create a dedicated account for the COM object to run under and then, with the Active Directory Delegation of Control wizard, grant that account write access to only the attributes it needs to modify (authOrig and submissionContLength) on user objects.

Changes to the default security under Windows 2003

In Windows 2003 the default security settings have changed compared with Windows 2000. Windows 2003 enforces access checks for COM+ applications, so if you leave the default in place and do not configure security roles in your application you may see the following error when you use the COM+ object from an ASP page (with "Show friendly HTTP error messages" turned off in the browser): "Access is denied to this object". There are two ways to solve this. The first is to configure security roles in your COM+ application and add the accounts that need to use the object (the identity your ASP pages run under) to a role. The other option, which is easier but weaker, is to disable access checks for the application: open the properties of the COM+ wrapper, go to the Security tab and, under Authorization, clear "Enforce access checks for this application". With checks disabled, any code that can reach the component can call it under the service identity, so prefer the role-based option where you can.

Import the Mailperm component into the wrapper

Once you have created the COM+ wrapper, import the component you registered earlier into it so that it runs under the wrapper's user context. In Component Services open the COM+ application created above, open its Components folder, right-click the folder and select New > Component from the context menu. This starts the new component wizard; choose "Import component(s) that are already registered" and select the mailperm.wsc component from the list that is presented.
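The delegation, COM+ wrapper, identity, role and component import described above, scripted with the COMAdmin catalog instead of the Component Services wizard. This is an added example and not part of the article; it takes the role-based option rather than disabling access checks. The service account name, the caller identity, the OU that holds the mailboxes and the ProgID "Mailperm.Mailperm" are placeholders, not from the article (use whatever progid your mailperm.wsc declares).

```powershell
# Added example (not from the article): the COM+ wrapper described above,
# built with the COMAdmin catalog instead of the Component Services wizard,
# and secured with a role rather than by disabling access checks.
# Assumptions (placeholders, not from the article): the service account,
# the caller identity, the mailbox OU and the ProgID "Mailperm.Mailperm".

$AppName         = "mailperm"
$ServiceAccount  = "YOURDOMAIN\svc_mailperm"   # dedicated account, delegated rights only
$CallerAccount   = "YOURDOMAIN\IIS_WPG"        # identity the ASP pages actually run as
$ComponentProgId = "Mailperm.Mailperm"         # assumption: check the progid in your .wsc
$ServicePassword = Read-Host -AsSecureString "Password for $ServiceAccount"

# Step 0, run once as a domain admin with the built-in dsacls tool: write access
# on just the two attributes, inherited to user objects under the mailbox OU.
#   dsacls "OU=Staff,DC=yourdomain,DC=com" /I:S `
#       /G "YOURDOMAIN\svc_mailperm:WP;authOrig;user" `
#          "YOURDOMAIN\svc_mailperm:WP;submissionContLength;user"

$COMAdminActivationLocal              = 1   # server application: own dllhost, so Identity applies
$COMAdminAccessChecksApplicationLevel = 0   # caller must belong to some role of the application

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection("Applications")
$apps.Populate()

# The wizard's "empty application" plus its Identity screen ("This user").
$app = $apps.Add()
$app.Value("Name")       = $AppName
$app.Value("Activation") = $COMAdminActivationLocal
$app.Value("Identity")   = $ServiceAccount
$app.Value("Password")   = (New-Object System.Net.NetworkCredential("", $ServicePassword)).Password
# Keep the Windows 2003 default (checks enforced) and satisfy it with a role instead.
$app.Value("ApplicationAccessChecksEnabled") = $true
$app.Value("AccessChecksLevel") = $COMAdminAccessChecksApplicationLevel
$apps.SaveChanges() | Out-Null

# One role, containing only the identity the approval pages run under.
$roles = $apps.GetCollection("Roles", $app.Key)
$roles.Populate()
$role = $roles.Add()
$role.Value("Name") = "MailpermCallers"
$roles.SaveChanges() | Out-Null

$members = $roles.GetCollection("UsersInRole", $role.Key)
$members.Populate()
$member = $members.Add()
$member.Value("User") = $CallerAccount
$members.SaveChanges() | Out-Null

# The wizard's "Import component(s) that are already registered" step.
$catalog.ImportComponent($AppName, $ComponentProgId)

# Check the import actually landed instead of trusting the call.
$components = $apps.GetCollection("Components", $app.Key)
$components.Populate()
if ($components.Count -ne 1) { throw "mailperm.wsc was not imported; check its ProgID" }
"$AppName created: identity $ServiceAccount, role MailpermCallers contains $CallerAccount"
```

Application-level checks (AccessChecksLevel 0) only require the caller to be in some role of the application, which is the "configure the security roles" option the text describes. If you raise the level to component-level checks (value 1), the role must additionally be associated with the component through its RolesForComponent collection, otherwise the ASP page gets the same "Access is denied" error as before.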
Next page: Approval Pages and Setup script
Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.
Copyright Stephen Bryant 2008