Listing Which Exchange Users Have or Are Delegates

When a user assigns delegate access to their mailbox, the delegate information is stored in the directory. This is the same for Exchange 5.5 and Exchange 200x.

To generate a list of all users with delegates and/or all users that are delegates, the directory can be queried for that information.

In Exchange 5.5, the attribute that lists any delegates is public-delegates. In Active Directory for Exchange 200x, the attribute populated when a delegate is assigned is publicDelegates. In Exchange 5.5, the attribute where mailboxes for which delegate access has been granted is public-delegates-bl. In Active Directory, the same attribute is publicDelegatesBL.

To generate a list of all Exchange users that are or have delegates, use header.exe to create a .csv file with the username along with the public-delegates and public-delegates-bl attributes. Then do a directory export from Exchange Administrator to that file.

To generate a similar list for Exchange 2000 or 2003, that is, mail-enabled users who have delegate access to another mailbox or who have delegates assigned to their own mailbox, you need to query Active Directory. LDIFDE can query and export this information to a file when run with switches similar to:

c:\>ldifde -f delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"

-f - writes the output to the file named delegates.txt
-d - restricts the query to the given OU in the directory
-l - determines which attributes to list
-r - filters for objects that have any value in either of the attributes mentioned

The resulting query might look something like delegates.txt.
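As an added example (not part of the original post), the following Python script parses an LDIF export such as delegates.txt into a "who has delegates" and "who is a delegate for" report. The sample LDIF embedded in it is constructed to show the two LDIF details that trip up naive line-splitting: values longer than the line limit are folded onto a continuation line starting with a space, and values that are not plain ASCII are written base64-encoded after a double colon. As Jason Krueger notes in the comments, publicDelegates reflects the directory, not the actual mailbox ACLs, so treat the result as an audit listing rather than proof of permissions.

```python
import base64
from collections import defaultdict

# Constructed sample of what the ldifde export above might contain
# (assumed names and DNs, not output captured from a real directory).
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Users,DC=domain,DC=com
changetype: add
name: Alice Adams
publicDelegates: CN=Bob Brown,OU=Users,DC=domain,DC=com
publicDelegates: CN=Carol Chen,OU=Users,DC=domain,DC=
 com

dn: CN=Bob Brown,OU=Users,DC=domain,DC=com
changetype: add
name:: Qm9iIEJyb3du
publicDelegatesBL: CN=Alice Adams,OU=Users,DC=domain,DC=com
"""


def parse_ldif(text):
    """Return a list of records (dict attr -> list of values) from LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:                  # sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(dict(current))
            current = None
            continue
        if line.startswith("#"):
            continue
        current = current if current is not None else defaultdict(list)
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current[attr.strip()].append(value)
    return records


def cn_of(dn):
    """First RDN value of a DN, honouring backslash-escaped commas in the CN."""
    first = dn.replace("\\,", "\x00").split(",")[0].replace("\x00", ",")
    return first.split("=", 1)[1] if "=" in first else first


def delegate_report(text):
    """Map mailbox name -> sorted delegate names, and the reverse view from the
    back-link attribute, using the record's name attribute as the label."""
    has_delegates, is_delegate_for = {}, {}
    for rec in parse_ldif(text):
        label = rec.get("name", rec["dn"])[0]
        if rec.get("publicDelegates"):
            has_delegates[label] = sorted(cn_of(v) for v in rec["publicDelegates"])
        if rec.get("publicDelegatesBL"):
            is_delegate_for[label] = sorted(cn_of(v) for v in rec["publicDelegatesBL"])
    return has_delegates, is_delegate_for
```

Run it against a real delegates.txt by replacing SAMPLE_LDIF with the file contents; ldifde writes the file in the default ANSI code page unless -u is given, so open it with the matching encoding.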

This might be useful in migration preparation or server consolidation planning.

William Lefkovics


William Lefkovics on September 20, 2004 at 11:05 PM in How-Tos, Useful Info


Listed below are links to weblogs that reference Listing Which Exchange Users Have or Are Delegates:

» Deleting delegate access from outlook from Absoblogginlutely
Finally succeeded in deleting a delegate from outlook. As per this post where the delegate remained in the permission lists I had another user who had the same disabled person as a delegate and I was unable to remove the... [Read More]

Tracked on Nov 28, 2005 12:40:29 PM

Comments

I have a lot of experience automating resource scheduling for Exchange and I thought I'd point out that the attribute doesn't mean much for Exchange 2000/2003. It should be reliable enough to query accurately who's doing delegation, but you won't be able to use it to manage (via scripts modifying the publicDelegates attribute) the actual delegation permissions, etc., for a user.

The actual delegation is done via EDITOR ACE's per delegate on the ACL's of the "NON_IPM_SUBTREE/Freebusy Data" and Calendar, Inbox folders on the mailstore (also 3 MAPI attributes are set on the localFreebusy message). Forwarding messages to delegates is done via a hidden rule which will have an action for every delegate in the list. You can change the publicDelegates attribute and the only thing that will happen is Outlook will erroneously display those users in the Tools -> Options -> Delegates tab, but no real permissions are actually granted.

I figured I thought I'd dump this hard-earned knowledge somewhere so it's at least googleable in the future.

Posted by: Jason Krueger at Sep 21, 2004 8:06:46 AM

Exactly. It's more of a check of who is doing delegation. Thanks!

Posted by: William Lefkovics at Sep 21, 2004 9:01:35 AM

Hey there,

The comment from Jason Krueger gives me an answer to a perplexing issue I've been trying to resolve. We're using Exchange Server 2003 with Outlook 2003. When you use the Outlook client to add a delegate and then subsequently delete the delegate account from Active Directory, you run into the issue where other users get NDRs for meeting requests that are sent to the mailbox of the user that had the (now deleted) delegate account.

Unfortunately you can't remove the delegate from the list (using Microsoft Outlook - Tools - Options - Delegates) as it has already been removed for you. Sadly the hidden rule which forwards the message appears to have NOT been removed! It's very frustrating.

I've found that if you run "outlook.exe /cleanserverrules" it does remove the rule - but this is no good as it deletes ALL your server rules - not ideal!

So do you guys have any idea how you can view/remove Hidden Server Rules? If you know how to do this I'd love to know :)

Thanks,

Damon

Posted by: Damon Coursey at Oct 4, 2004 7:25:36 PM

Doesn't the Exchange Consistency adjuster remove that sort of thing?

K

Posted by: Kevin Adams at Oct 12, 2004 11:45:57 AM

We have W2k running Outlook 2000. We cannot delete his delegates, no matter what I do. Can someone tell where the delegates are stored...i.e. exchange 2000 server? Please help. Thanks
Mark

Posted by: Mark at Oct 15, 2004 8:27:01 AM

Hi Mark
Have you removed any send as/send on behalf of permission on the delegated object?

Posted by: Bat at Nov 18, 2004 3:38:39 AM

Hi, my requirement is I want to list Delegates list which are given to a Exchange 5.5 user's mailbox, through VisualBasic program..

please help me out ,

I appreciate an early response,
Thanks in advance..

-Ezaz

Posted by: Ezaz at Dec 1, 2004 10:47:46 PM

Listing Which Exchange Users Have or Are Delegates
Posted on: http://hellomate.typepad.com/exchange/howtos/

Per Management request, I need to export a listing of all mailboxes that have delegates assigned to them. I searched Google and came up with the above article. I have a problem with the article though.

I don't see the following required attributes listed in any of the header tool's Object Classes for Exchange 5.5:

public-delegates
public-delegates-bl

The version of the Header tool I'm using is 5.0.1457.10.

What am I missing?

Mike

Posted by: Michael at Jan 3, 2005 3:28:44 PM

Thank you Bat. Your answer to Mark, regarding removal of delegates was spot-on.
Cheers, Greg

Posted by: Greg Cullen at May 30, 2005 5:10:44 PM

I had the same issue with the meeting request NDR's due to a deleted delegate account.

You will need to use MDBVU32.EXE to delete the hidden forwarding rule for meeting requests.

The rule is a message in the inbox called "Schedule+ EMS interface"
See this article for a how to on MDBVU32.EXE
http://hellomate.typepad.com/exchange/2003/10/when_oof_doesnt.html

Posted by: Jim Miller at Aug 9, 2005 7:53:41 PM

I am wondering if my IT organization can tell which emails have been read by a delegate; when delegate rights were first assigned; and what time or date emails might have been read by a delegate.

Thanks for the help!

Posted by: harry at Aug 22, 2005 3:46:50 PM

The only way I've found to remove the delegate is to activate the old user, recreate the mailbox and then remove the delegate from Outlook when using the user's mailbox (I create a new profile and use my Exchange admin account).
Using the mdbvu utility didn't work and the only other method I found was to delete the mailbox and recreate it, but that is a pain (as per my thread at http://www.absoblogginlutely.net/mtblogarchive/005385.php ).
The utility mentioned on this page should help us change our deletion procedures to check for delegates BEFORE deleting them from AD. Thanks.

Posted by: Andy at Nov 28, 2005 12:38:46 PM

We are looking for a way to change an exchange user into a resource.
Any thoughts?

Posted by: Mark Latham at Feb 21, 2006 11:54:00 AM

If you cannot remove someone's Delegates then that user has Send on Behalf permissions on that user's mailbox. In AD, go to Exchange Properties, Delivery Restrictions Tab and then remove the Send on Behalf of permissions for the users who cannot be removed from delegates. After that remove them from Delegates, apply and they won't be back.

Posted by: Mike Mason at Apr 4, 2006 4:05:06 PM

But that doesn't work if the original delegate has been deleted.

Posted by: Pat Richard at Apr 10, 2006 12:09:39 PM

First you give the Domain Admins group full control on the user's mailbox.
Then log in as the administrator and create the Outlook profile for that user that has the problem deleting the delegations.
You will see that you can delete the object that was previously deleted.

Posted by: patrick at Oct 26, 2007 5:34:56 AM

When I run this command from CMD

ldifde -f delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"

I get a No entries found.

Help Please, Eric

Posted by: Help me at Jul 3, 2008 10:46:24 AM

Hi Eric, check that you actually have your mailbox users under the Users OU. You may need to tweak this to suit your own environment. Also obviously if no one in the users OU is using delegates then it wouldn't return anything.

Posted by: Stu at Jul 31, 2008 8:48:26 AM

Problem NDRs can be resolved by looking at rules in the users mailbox via OWA. Deleting the (no name) rule makes the NDRs go away (and probably other serverside configuration as well).

I recommend having the user recreate their delegates after they (not you, make them self sufficient) delete the (no name) rule.

If you need to fix the ndr yourself, give yourself full mailbox access and then hop onto OWA via the https://yourowa/exchange/problemuser go to rules, do the business and save changes.

This is also the way that I change out of office messages - when staff are ill, they've made a mistake/typo in the message or after they have left and the message is 'inappropriate'. Does anyone know of an easy way to delegate/manage this kind of access without full mailbox permissions in the back end - maybe a plugin to AD or something with a gui?

Posted by: David at Sep 17, 2008 12:53:29 AM

The OWA fix for this worked like a charm..thanks

Posted by: Aaron at Feb 4, 2009 7:21:09 AM

"Hi Mark
Have you removed any send as/send on behalf of permission on the delegated object"

Hey there BAT. This did it for me, thanks!!

Posted by: BampaJ at May 14, 2009 8:52:33 AM


I have found the best thing to give you actual calendar information along with all other TOP Information Store folders permissions is PFDAVAdmin. Connect to a server and choose all mailboxes, enable logging, then choose to export permissions. It will dump at the folder level who has permissions to that mailboxes calender and display what level permissions were granted. The nice thing is that the output file is the same for 2007 as it is for 2003 so you can write scripts to parse out the wanted information.

Posted by: Marc_VA at May 19, 2010 7:06:42 AM

Nice write-up and wondrous comments, thanks for posting.

Posted by: Michael at Jun 4, 2010 6:08:31 AM

Just Curious,

... Eric did you get the "No Entries" issue resolved? I seem to be having the same issue. I know it is something I am doing (or not doing rather) I am just unclear of what. When the command is run it logs onto my DC I get the spew of everything going well but... at the end "No Entries". As for the reply posted... My mailbox users are indeed in the "Users" OU.

Thanks,

Posted by: Poppa Rob at Sep 22, 2010 3:20:51 PM