Encountered an issue with permissions not showing up under the Send As/Full Access permissions in the EMC, although they would be displayed by a 'Get-MailboxPermission' in the EMS. This included permissions from both the 'new' domain and the 'old' one. From my understanding this can be a bug with the way Exchange 2007 reads them, but that is not necessarily what I care about; I just care about resolving the issue. The bug had to do with the sidHistory from a mailbox migration, which kind of matches up, but in my case the sidHistory was clean.
First, trying the Exchange 2003 tools would not work: it is a native 2007 set-up and I did not want to extend the schema for 2003; the tools were limited in functionality otherwise. Not because of the bloat it would give, but because I have no time to set up a test environment to try it out first.
Other symptoms included that when trying a 'Remove-MailboxPermission -Identity usermailbox -User userpermission' it would give the error "Remove-MailboxPermission: Cannot remove ACE on object 'CN=xxxxxx, OU=xxxxxxx, OU=xxxxxx, DC=xxxxxx, DC=xxx' for account DOMAIN\USERNAME because it is not present."
The way that worked for me is:
1) In the EMS type: Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object { -not ($_.User -like "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) } | Select-Object User, Identity, @{Name="AccessRights";Expression={$_.AccessRights}}
You should get output like:
domain\userpermission domain/ou/mailboxuser {ReadPermission}
You can even add a | Export-Csv c:\filename.csv to get it all in a file, which makes it easier to read.
2) The command that worked for me was specifying the AccessRights (kind of a duh moment), like so:
Remove-MailboxPermission -Identity usermailbox -User userpermission -AccessRights permission
(Note the cmdlet is Remove-MailboxPermission; Remove-Mailbox would delete the mailbox itself.) Just make sure you are removing the right permission, FullAccess vs ReadPermission, or it will fail. It is also a PIA to type out if you have an unresolved SID. Lastly, for the userpermission I did it fully qualified, so domain\username. That should be OK if the account is in the same domain as Exchange, but will fail if it is in another domain reached via a trust.
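As an added example (not code from the original post), here is the whole procedure above as one script: enumerate the explicit permissions on a mailbox, export them to CSV, flag entries that show up as unresolved SIDs, and remove a trustee's entries with the AccessRights and Deny flag taken from the enumerated object instead of typed by hand. It assumes the Exchange 2007 Management Shell cmdlets Get-MailboxPermission and Remove-MailboxPermission are loaded; the mailbox name, trustee and CSV path are placeholders, and it deliberately stays within PowerShell 1.0 syntax (no splatting, no -join) on the assumption that the 2007 shell may be running on that version.

```powershell
# Added example, not from the original post. Assumes the Exchange 2007 Management Shell
# cmdlets Get-MailboxPermission and Remove-MailboxPermission are loaded.
# 'usermailbox', 'DOMAIN\userpermission' and the CSV path are placeholders.
param(
    [string]$Mailbox    = 'usermailbox',
    [string]$Trustee    = 'DOMAIN\userpermission',   # fully qualified, as in the post
    [string]$ReportPath = 'C:\temp\mailbox-perms.csv',
    [switch]$Remove                                  # without this switch the script only previews
)

# Step 1: list every explicit (non-inherited) ACE on the mailbox, skipping the SELF entry.
$explicit = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { ($_.User.ToString() -ne 'NT AUTHORITY\SELF') -and (-not $_.IsInherited) }

# Flatten AccessRights to a string so the table and CSV are readable (PowerShell 1.0 has no -join).
$report = $explicit | Select-Object User, Identity, Deny,
    @{ Name = 'AccessRights'; Expression = { [string]::Join(',', $_.AccessRights) } }
$report | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Orphaned entries appear as raw SIDs (S-1-5-...) because the account no longer resolves.
# These are the painful ones to type, so they are captured from the object rather than retyped.
$orphans = $explicit | Where-Object { $_.User.ToString() -match '^S-1-5-' }
if ($orphans) {
    Write-Host ('Unresolved SID entries on {0}: {1}' -f $Mailbox, @($orphans).Count)
}

# Step 2: remove the trustee's entries, passing AccessRights (and Deny) exactly as enumerated.
# Remove-MailboxPermission reports "ACE ... is not present" unless the rights match the ACE.
$targets = $explicit | Where-Object { $_.User.ToString() -eq $Trustee }
if (-not $targets) {
    Write-Host ('No explicit entry for {0} on {1}' -f $Trustee, $Mailbox)
}
foreach ($ace in @($targets)) {
    $user = $ace.User.ToString()
    if ($Remove) {
        if ($ace.Deny) {
            Remove-MailboxPermission -Identity $Mailbox -User $user -AccessRights $ace.AccessRights -Deny -Confirm:$false
        } else {
            Remove-MailboxPermission -Identity $Mailbox -User $user -AccessRights $ace.AccessRights -Confirm:$false
        }
    } else {
        # Preview only: shows what would be removed without touching the ACL.
        Remove-MailboxPermission -Identity $Mailbox -User $user -AccessRights $ace.AccessRights -WhatIf
    }
}

# Verify: re-enumerate and confirm no explicit entry remains for the trustee.
$remaining = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { (-not $_.IsInherited) -and ($_.User.ToString() -eq $Trustee) }
Write-Host ('Remaining explicit entries for {0}: {1}' -f $Trustee, @($remaining).Count)
```

Run it once without -Remove to get the WhatIf preview and the CSV, check that the listed AccessRights are the ones you expect (FullAccess vs ReadPermission), then rerun with -Remove. The string comparison on $_.User.ToString() is why the trustee must be given in the same DOMAIN\username form the enumeration prints; a trustee from a trusted domain that does not resolve to that form will simply not match.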
Wednesday, 22 February 2012