Extended rights on receive connector
On this page: http://technet.microsoft.com/en-us/library/aa996395.aspx I have followed the instructions for "Using a Receive Connector for Anonymous Relay". I went with the second option "Configuring the Receive Connector as Externally Secured". I'd like to see it in action with ADSIEdit or powershell but I don't know where to look. How do I view the extendedright "Ms-Exch-SMTP-Accept-Any-Recipient"? Is this a permission added to the receive connector or "anonymous logon" or what? TIA.
November 18th, 2010 8:17am

You can check it with Powershell like this:

    (get-receiveconnector <connectorid>).AuthMechanism

For a connector set up for anonymous this should be set to ExternalAuthoritative.

[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
November 18th, 2010 8:53am

I'd like to see "Ms-Exch-SMTP-Accept-Any-Recipient" somewhere. The command you gave me produces:

    [PS] C:\Windows\system32>(get-receiveconnector "Anonymous relay").AuthMechanism
    Tls, ExternalAuthoritative
    [PS] C:\Windows\system32>
November 18th, 2010 8:56am

Using the Active Directory module from the RSAT tools:

    get-adpermission <DN of receive connector> |? {$_.extendedrights} |? {[string]$_.extendedrights -match "Ms-Exch-SMTP-Accept-Any-Recipient"} | select identity,user,extendedrights
November 18th, 2010 10:44am

That also works from the EMS.
November 18th, 2010 11:25am

Thanks. I found a way that makes more sense to me but I still don't know how I should have known "extendedrights" was available like that. When I do 'get-adpermission "some thing" | fl' I don't see "extendedrights" in there. How do I see all the properties for a given object in powershell?
November 18th, 2010 2:09pm

| fl will only show you the default set of properties. To see them all, do | fl *, or use get-member ( | gm -membertype property)
November 18th, 2010 2:21pm

Perfect, thanks a lot, the '*' is what I'll start using. You know what they say about teaching a man to fish. Two last questions:

1. What does |? do in your command?
2. Why do the following queries return different sets? (My command returns 5 users with this extendedright, yours only returns 4 - notice the ANONYMOUS LOGON doesn't show in b.)

a.

    [PS] C:\Windows\system32>get-adpermission "anonymous relay" | select user,extendedrights | where {$_.extendedrights -like "Ms-Exch-SMTP-Accept-Any-Recipient"}

    User                                    ExtendedRights
    ----                                    --------------
    NT AUTHORITY\ANONYMOUS LOGON            {ms-Exch-SMTP-Accept-Any-Recipient}
    MYDOMAIN\Exchange Servers               {ms-Exch-SMTP-Accept-Any-Recipient}
    MS Exchange\Hub Transport Servers       {ms-Exch-SMTP-Accept-Any-Recipient}
    MS Exchange\Edge Transport Servers      {ms-Exch-SMTP-Accept-Any-Recipient}
    MS Exchange\Externally Secured Servers  {ms-Exch-SMTP-Accept-Any-Recipient}

b.

    [PS] C:\Windows\system32>get-adpermission "CN=Anonymous Relay,CN=SMTP Receive Connectors,CN=Protocols,CN=Server01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com" |? {$_.extendedrights} |? {[string]$_.extendedrights -match "Ms-Exch-SMTP-Accept-Any-Recipient"} | select user,extendedrights

    User                                    ExtendedRights
    ----                                    --------------
    MYDOMAIN\Exchange Servers               {ms-Exch-SMTP-Accept-Any-Recipient}
    MS Exchange\Hub Transport Servers       {ms-Exch-SMTP-Accept-Any-Recipient}
    MS Exchange\Edge Transport Servers      {ms-Exch-SMTP-Accept-Any-Recipient}
    MS Exchange\Externally Secured Servers  {ms-Exch-SMTP-Accept-Any-Recipient}
November 18th, 2010 2:37pm

Are you sure they're both the same object?

    get-adpermission "anonymous relay" | select identity

    get-adpermission "CN=Anonymous Relay,CN=SMTP Receive Connectors,CN=Protocols,CN=Server01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com" | select identity

Same result?
November 18th, 2010 3:55pm

On Thu, 18 Nov 2010 20:54:55 +0000, mjolinor wrote:

>Are you sure they're both the same object?
>
>get-adpermission "anonymous relay" | select identity
>
>get-adpermission "CN=Anonymous Relay,CN=SMTP Receive Connectors,CN=Protocols,CN=Server01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com" | select identity
>
>Same result?

Why not just this?

    Get-ReceiveConnector "anonymous relay" | Get-ADPermission | where {$_.extendedrights -like "Ms-Exch-SMTP-Accept-Any-Recipient"} | ft user,extendedrights -auto

---
Rich Matheisen
MCSE+I, Exchange MVP
November 18th, 2010 5:14pm

On Thu, 18 Nov 2010 20:54:55 +0000, mjolinor wrote:

>Are you sure they're both the same object?
>
>get-adpermission "anonymous relay" | select identity
>
>get-adpermission "CN=Anonymous Relay,CN=SMTP Receive Connectors,CN=Protocols,CN=Server01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com" | select identity
>
>Same result?

Why not just this?

    Get-ReceiveConnector "anonymous relay" | Get-ADPermission | where {$_.extendedrights -like "Ms-Exch-SMTP-Accept-Any-Recipient"} | ft user,extendedrights -auto

---
Rich Matheisen
MCSE+I, Exchange MVP

That works as long as you're running on the HT server that has that connector, otherwise you also have to specify the server. I didn't experiment with it much, and initially did the cast to [string] because the extendedrights property is an array of ExtendedRightIDParameter objects, and -like is a string operator. Apparently the automatic type casting will make up the difference.
November 18th, 2010 6:13pm

mjolinor, thanks for the help.

    get-adpermission "anonymous relay" | select identity

vs.

    get-adpermission "CN=Anonymous Relay,CN=SMTP Receive Connectors,CN=Protocols,CN=Server01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com" | select identity

returned very different results. I have a connector with the same name on my old 2007 server that I'm trying to get rid of as well as my new 2010 server I'm moving to. Looks like that was causing the confusion regarding the results.

Also, thanks again for the powershell tips. I wish Microsoft didn't try to make programmers out of all of us...
November 18th, 2010 7:43pm

Rich, can you tell me why -like works, and -contains doesn't?

The extendedrights property is an array type, so I would expect that if -like returns $true, then -contains should also. There wasn't any wildcard matching done in the -like statement so it had to be an exact match.

What am I missing?

    $perm = get-receiveconnector "<server\connector>" | get-adpermission | select -first 1
    write-host "`nChecking extended rights"
    $perm.extendedrights
    write-host "`nChecking object type"
    $perm.extendedrights.gettype()
    Write-host "`nTesting -contains ms-Exch-SMTP-Accept-Any-Sender"
    $perm.extendedrights -contains "ms-Exch-SMTP-Accept-Any-Sender"
    Write-Host "`nTesting -like ms-Exch-SMTP-Accept-Any-Sender"
    [bool]($perm.extendedrights -like "ms-Exch-SMTP-Accept-Any-Sender")

    Checking extended rights
    ms-Exch-SMTP-Accept-Any-Sender

    Checking object type

    IsPublic IsSerial Name                        BaseType
    -------- -------- ----                        --------
    True     True     ExtendedRightIdParameter[]  System.Array

    Testing -contains ms-Exch-SMTP-Accept-Any-Sender
    False

    Testing -like ms-Exch-SMTP-Accept-Any-Sender
    True
November 18th, 2010 8:17pm

Since thread is already answered, I'm going to ask about this over in the Powershell forum.
November 18th, 2010 8:56pm

On Fri, 19 Nov 2010 01:11:54 +0000, mjolinor wrote:

>Rich, can you tell me why -like works, and -contains doesn't?
>
>The extendedrights property is an array type, so I would expect that if -like returns $true, then -contains should also. There wasn't any wildcard matching done in the -like statement so it had to be an exact match.
>
>What am I missing?

Not sure. I'm guessing the -like operator uses the ToString() method.

If you do this:

    $p=@()
    Get-ReceiveConnector <connector> | Get-ADPermission | foreach {
        if($_.extendedrights -like "Ms-Exch-SMTP-Accept-Any-Recipient") {$p+=$_}
    }

And then "$p[0] | fl *" you'll see an ExtendedRights property.

But if you do "$p[0].extendedrights" you get nothing.

"$p[0].extendedrights | gm" shows the type to be "Microsoft.Exchange.Configuration.Tasks.ExtendedRightIdParameter"

"($p[0].extendedrights).gettype()" shows that to be a System.Array class.

"($p[0].extendedrights).length" returns a 1.

"($p[0].extendedrights).contains("ms-Exch-SMTP-Accept-Any-Recipient")" returns an error:

    Method invocation failed because [Microsoft.Exchange.Configuration.Tasks.ExtendedRightIdParameter[]] doesn't contain a method named 'contains'.

---
Rich Matheisen
MCSE+I, Exchange MVP
November 18th, 2010 10:32pm

Yeah, I figured that out later. -like is coercing the objects to [string] in order to do the match. -contains has to be an exact match of identical object types:

    (get-date) -like [string](get-date)
    True

    ,(get-date) -contains (get-date)
    True

    ,(get-date) -contains [string](get-date)
    False
November 18th, 2010 10:50pm

I do get the extended right of ms-Exch-SMTP-Accept-Any-Recipient if I do $p[0].extendedrights on the connector on my server. Not all of the ADPermissions in the permission set will have extended rights. I suspect that the one you're testing on doesn't have any in the first permission that was returned.

I think the results you're getting from doing the get-member are a result of the syntax you're using.

$p[0].extendedrights is an array

    $p[0].extendedrights | gm

will unroll the array and send the individual elements down the pipeline, and you end up doing the gm on a single extendedright object.

    gm -inputobject $p[0].extendedrights

coughs up the properties and methods of the array itself.
November 18th, 2010 11:13pm
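
An audit sketch that pulls the thread's findings together, added here as an example and not posted by any participant: it walks every receive connector by its full identity (so same-named connectors on different servers are reported separately) and compares each extended right as a string. It assumes the Exchange Management Shell; the variable names and report columns are illustrative.

```powershell
# Added example: run from the Exchange Management Shell.
# Reports every principal that holds ms-Exch-SMTP-Accept-Any-Recipient on any
# receive connector, so anonymous relay grants can be reviewed in one place.
$right = 'ms-Exch-SMTP-Accept-Any-Recipient'

$report = foreach ($connector in Get-ReceiveConnector) {
    # Pipe the connector object itself rather than its display name: a bare
    # name such as "anonymous relay" can resolve to a different server's
    # connector when two servers carry a connector with the same name.
    $connector | Get-ADPermission |
        Where-Object {
            # ExtendedRights is an array of ExtendedRightIdParameter objects.
            # Convert each element to a string first, so -contains compares
            # string to string (case-insensitively) instead of object to string.
            $_.ExtendedRights -and
            (@($_.ExtendedRights | ForEach-Object { [string]$_ }) -contains $right)
        } |
        Select-Object @{ n = 'Connector';      e = { [string]$connector.Identity } },
                      @{ n = 'AuthMechanism';  e = { [string]$connector.AuthMechanism } },
                      @{ n = 'RemoteIPRanges'; e = { $connector.RemoteIPRanges -join ', ' } },
                      @{ n = 'User';           e = { [string]$_.User } },
                      Deny, IsInherited
}

# Full listing: one row per connector/principal pair.
$report | Sort-Object Connector, User | Format-Table -AutoSize -Wrap

# Review list: connectors where unauthenticated senders are allowed to submit
# to any recipient. Check that RemoteIPRanges on these is limited to the
# internal hosts that are meant to relay.
$report |
    Where-Object { -not $_.Deny -and $_.User -eq 'NT AUTHORITY\ANONYMOUS LOGON' } |
    Select-Object Connector, AuthMechanism, RemoteIPRanges |
    Format-List
```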

This topic is archived. No further replies will be accepted.
