Approval Pages and Setup script

Download files

Now that you have successfully registered the mailperm COM object you can use it. The first thing you need to do when dealing with a new user's mailbox is to set the restrictions on that mailbox and send the user a mail pointing them to the email policy approval web pages. If you are using a mailbox creation script you could implement the code from the restuser function in the mailperm COM object in your mailbox creation script. The one thing you need to be aware of is that you still need to wait until the Recipient Update Service (RUS) has run against this Active Directory account before you will be able to send an email to this mailbox. You can force the RUS to run programmatically (see this Qbase for more details); this still does not guarantee an immediate update, so you may need to use a small delay before sending the email. Another method is to wait until the RUS has run on your new mailbox and then run the script below to enable the restrictions on the email account and also send an email to the new user.

Setpermsnew.vbs Script

This script takes the username as the command line parameter, does a search in Active Directory for this user, then creates an instance of the mailperm COM object and executes the restperm function, passing in the DN of the user account it retrieved from the search. If this succeeds it then sends an email to the user telling them they need to accept the email policy before their email will be activated. The following hard coded lines need to be changed:

    emailbody = emailbody & "<a href=""http://yourserver.com/emailpolicy/emailpolicy.asp"">http://yourserver.com/emailpolicy/emailpolicy.asp</a></p>" & VbCrLf

You need to set the URL to the URL of where you have installed the approval pages.
    objEmail.From = "Administrator@yourdomain.com"

Set this to your own administrator address (or whatever address you have used in the COM object).

    objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "yourserver"

Change this to your mail server's server name. To run the script just use

    Setpermsnew.vbs username

Policy Approval Pages

The policy approval pages are 3 ASP pages that take a user through the policy approval process. The first page, emailpolicy.asp, is a simple page that displays your company email policy and has an accept button at the bottom. Clicking the accept button on this page submits it to the approvemail.asp page. The approvemail.asp page creates an instance of the mailperm.wsc object and executes the unrestuser function, passing the user's Distinguished Name to this function (obtained using ADSystemInfo). If this is successful it displays a message telling the user it was successful and that they will have to wait 30 minutes for the change to take effect. It also sends a copy of the email policy to the user and the HR department to signify that the user has accepted the policy. It generates this email using CDO and the MhtmlBody function to build a message body from a web page. If the function fails it displays an error to the user and also sends a mail to the helpdesk and system administrator indicating that a failure has occurred. The third ASP page, emailpolicyagree.asp, is only used to generate the email to the user and HR via the MhtmlBody function. Within the approvemail.asp page you need to change the following hard coded line (in two places):

    objEmail.From = "administrator@youdomain.com"

In the failure part you need to change the above line as well as

    objEmail.To = "helpdesk@yourdomain.com"
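The Setpermsnew.vbs flow described above, written out as an added example rather than the author's own script. It assumes the registered WSC has the ProgID "mailperm.wsc", that its restuser(dn) function returns True on success, and uses the placeholder server and domain names from this page; it also refuses to mail an account the RUS has not stamped yet, which is the delay the text warns about.

```vbscript
Option Explicit
' Added example, not the article's own Setpermsnew.vbs: restrict a new user's mailbox
' through the mailperm COM object, then mail them the policy-approval link. Assumed
' (not on the page): ProgID "mailperm.wsc", restuser(dn) returning True on success.
Const POLICY_URL  = "http://yourserver.com/emailpolicy/emailpolicy.asp"
Const SMTP_SERVER = "yourserver"
Const FROM_ADDR   = "Administrator@yourdomain.com"

Dim userDN, userMail, mp
If WScript.Arguments.Count <> 1 Then WScript.Echo "Usage: cscript Setpermsnew.vbs username" : WScript.Quit 1
If Not FindUser(WScript.Arguments(0), userDN, userMail) Then WScript.Echo "User not found" : WScript.Quit 1
' mail is only stamped once the RUS has processed the account: stop rather than mail an empty address.
If IsNull(userMail) Then WScript.Echo "RUS has not stamped " & userDN & " yet; retry later" : WScript.Quit 2
Set mp = CreateObject("mailperm.wsc")    ' assumed ProgID of the registered WSC
If Not mp.restuser(userDN) Then WScript.Echo "restuser failed for " & userDN : WScript.Quit 1
SendPolicyMail userMail
WScript.Echo "Restricted " & userDN & " and notified " & userMail

' Find the account by sAMAccountName. LDAP filter metacharacters in the argument are
' escaped so a command-line value cannot widen the query.
Function FindUser(sam, dn, mail)
    Dim root, conn, rs, safe
    safe = Replace(Replace(Replace(Replace(sam, "\", "\5c"), "*", "\2a"), "(", "\28"), ")", "\29")
    Set root = GetObject("LDAP://RootDSE")
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set rs = conn.Execute("<LDAP://" & root.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=person)(sAMAccountName=" & safe & "));distinguishedName,mail;subtree")
    FindUser = Not rs.EOF
    If FindUser Then dn = rs.Fields("distinguishedName").Value : mail = rs.Fields("mail").Value
    conn.Close
End Function
' Send the approval link with CDO over SMTP (sendusing = 2 means "via a network SMTP server").
Sub SendPolicyMail(toAddr)
    Dim objEmail
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = FROM_ADDR
    objEmail.To = toAddr
    objEmail.Subject = "Email policy approval required"
    objEmail.HTMLBody = "<p>Accept the email policy before your mailbox is activated:</p>" & _
        "<a href=""" & POLICY_URL & """>" & POLICY_URL & "</a>"
    With objEmail.Configuration.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTP_SERVER
        .Update
    End With
    objEmail.Send
End Sub
```

Run it as cscript Setpermsnew.vbs username under an account that is allowed to instantiate the COM object; the exit code is non-zero on every failure path so a mailbox-creation script can check it.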
Installing the Approval Pages

What I recommend with these ASP pages is to create a new directory on your web server (eg emailapprove), copy these pages into this directory and then go into the Internet Services Manager and view the properties of the directory. You need to allow execute permissions for scripts and executables on the general page. Then go into the Directory Security tab, select the authentication control button and remove all other security options except NTLM. This means you will have to use a browser that supports NTLM authentication to use these web pages (IE), and you need to remember that you can't proxy NTLM authentication, so it needs direct browser access (eg the site needs to be in your browser's proxy exceptions). The ASP pages rely on this security to be able to grab the user's Distinguished Name, which is then used in the mailperm COM functions. If you are using Windows 2003 make sure you have enabled ASP pages.

Using these pages - Delays, cause and effect

Depending on your environment you will find that the effect and timing of the mailbox restrictions being enabled and disabled will differ. For example, if you have multiple DCs and multiple Exchange servers, depending on where you install these approval pages you won't know which DC the changes will occur on and which GC your Exchange box is using. One thing you can try to speed things up is to put the server name in the ADSI statement, which directs where the update happens, eg

    sting = "LDAP://server.domain.com/" & cUserID

Another thing you could do is install repadmin (a Windows Resource Kit utility) on the server you have the COM+ object on and then include a run statement that forces a replication with the server you target in the above ADSI statement by doing something like

    repadmin /syncall Server.dnsname.com dc=youdomain,dc=com,dc=au

Otherwise you are stuck with a delay that is usually about 30 minutes for restrictions to take effect and be disabled.
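The approvemail.asp flow from the Policy Approval Pages section, as an added example that is not the article's own page. It depends on the NTLM-only directory setup just described: ADSystemInfo.UserName only identifies the browsing user because IIS impersonates them, so the page refuses anonymous requests first. Assumed (not on the page): ProgID "mailperm.wsc", unrestuser(dn) returning True on success, and the hr@ and helpdesk@ placeholder addresses.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit
' Added example, not the article's approvemail.asp: lift the caller's mailbox restriction
' and notify user and HR, or the helpdesk on failure. ADSystemInfo names the browsing user
' only because the directory is NTLM-only, so anonymous requests are refused first.
' Assumed (not on the page): ProgID "mailperm.wsc", unrestuser(dn) returning True on success.
Const SMTP_SERVER = "yourserver"
Const FROM_ADDR   = "administrator@yourdomain.com"
Const HR_ADDR     = "hr@yourdomain.com"
Const HELPDESK    = "helpdesk@yourdomain.com"

Dim sysInfo, userDN, user, mp, ok, agreeUrl
If Request.ServerVariables("AUTH_USER") = "" Then
    Response.Status = "401 Unauthorized" : Response.End
End If
Set sysInfo = Server.CreateObject("ADSystemInfo")
userDN = sysInfo.UserName                       ' DN of the NTLM-authenticated caller
Set user = GetObject("LDAP://" & userDN)
Set mp = Server.CreateObject("mailperm.wsc")    ' assumed ProgID of the registered WSC
On Error Resume Next                            ' a COM error (eg access denied) counts as failure
ok = mp.unrestuser(userDN)
If Err.Number <> 0 Then ok = False : Err.Clear
On Error GoTo 0

If ok Then
    ' emailpolicyagree.asp sits beside this page; CDO renders it into the message body.
    agreeUrl = "http://" & Request.ServerVariables("SERVER_NAME") & _
        Replace(Request.ServerVariables("SCRIPT_NAME"), "approvemail.asp", "emailpolicyagree.asp")
    SendMail user.Get("mail") & ";" & HR_ADDR, "Email policy accepted by " & user.Get("cn"), agreeUrl
    Response.Write "<p>Thank you. Your mailbox will be activated within 30 minutes.</p>"
Else
    SendMail HELPDESK & ";" & FROM_ADDR, "Email policy approval FAILED for " & userDN, ""
    Response.Write "<p>Your approval could not be recorded; the helpdesk has been notified.</p>"
End If

' Send with CDO over SMTP; with a URL the body is the rendered page (CreateMHTMLBody).
Sub SendMail(toAddr, subject, pageUrl)
    Dim objEmail
    Set objEmail = Server.CreateObject("CDO.Message")
    objEmail.From = FROM_ADDR : objEmail.To = toAddr : objEmail.Subject = subject
    If pageUrl <> "" Then objEmail.CreateMHTMLBody pageUrl Else objEmail.TextBody = subject
    With objEmail.Configuration.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTP_SERVER
        .Update
    End With
    objEmail.Send
End Sub
%>
```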
Troubleshooting the pages and Scripts

If you do run into problems with these pages, here are some things you can try to fix the issue. The first thing you should do is turn off "Show friendly HTTP error messages" in Internet Explorer; you can do this from Tools - Internet Options - Advanced - Browsing. Turning this off will allow you to see any ASP errors, and hopefully it will tell you the exact line it is failing at, which will help you diagnose problems. If you keep receiving general access denied errors when attempting an update, it could mean that your COM object is not configured properly or that the account it is running under does not have rights to the properties it is trying to update in Active Directory. You may also receive this if you are trying to modify a user that has administrative rights in your domain. If the user the COM object is running under has only been given modify property rights, it will not be able to modify the properties of a user with administrative rights. So if you are testing this, make sure you are trying to modify a user with normal rights and not an administrative user. If you receive a "The Server.CreateObject failed while checking permissions. Access is denied to this object" error, this could be because you are running Windows 2003 and you have "Enforce Access Checks for this application" enabled on your COM object. Have a look at the Changes to the default Security under Windows 2003 section on the previous page. If you receive a "CDO.Message.1: The transport failed to connect to the server" error when using any of these scripts, this could be because you have a default Outlook Express setting (that uses https) affecting the CDO code. Try removing any Outlook Express mail configurations and try again.
A Final word on Security with WSC COM objects

Windows Script Component objects are pretty useful when it comes to development, testing and proof of concept, but for the type of actions that are being performed in this article you should make the following considerations when rolling into production. Firstly, performance wise, a compiled DLL will always win hands down over any piece of VBScript any day of the week (there is a big difference in performance between the two). Secondly, WSC components are inherently insecure because the code sits in an easily modifiable text (XML) file on the hard drive. This means anybody who gains access to your hard drive can modify the code inside your WSC COM object and then have it executed under the more privileged account (this is the main reason you should not use a domain admin account as the identity for your COM wrapper). So what is the answer? Well, the best thing to do is to compile that code in VB or C, or if you are into .Net you could write some managed code. As a starter I've included a VB version in the download; the process of using the DLL once you have compiled it is exactly the same as using a WSC COM object, you will just need to change the object ID in the ASP pages and scripts to match your new component's OID.
Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.
Copyright Stephen Bryant 2008