none
Remove Full Access Permissions to All Mailboxes PowerShell CMD

    Question

  • As part of some troubleshooting a few months back I granted a user account Full Permissions to all Exchange 2010 mailboxes.   I now need to reverse this without, hopefully, breaking the ability of the users to access his own mailbox.

    What command might I use to accomplish this:

    Get-Mailbox | Remove-MailboxPermission -user (the user name with the access) -AccessRights Fullaccess -InheritanceType all

      

    Will this command work and then I need to just add Full Permissions back to the user's mailbox?   Or is there a better way to accomplish this?

      

      Thank you !!


    Dave Zuver Davis Wright Tremaine Seattle, WA
    Wednesday, June 15, 2011 5:04 PM

Answers

  • I had assigned permissions and I removed them using this command:

     

    Get-MailboxDatabase | Remove-ADPermission –User “hansb” –AccessRights ExtendedRight –ExtendedRights Receive-As, ms-Exch-Store-Admin

     

    All is good now.  Thank you so much !!


    Dave Zuver Davis Wright Tremaine Seattle, WA
    Thursday, June 16, 2011 2:17 PM
  • yes,

    Get-Mailbox | Remove-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by DZuver Wednesday, June 15, 2011 6:03 PM
    Wednesday, June 15, 2011 5:15 PM
  • Have you checked to make sure that the user you are using to perform the command has the appropriate rights under RBAC?
    • Marked as answer by DZuver Thursday, June 16, 2011 2:17 PM
    Thursday, June 16, 2011 2:23 AM
  • check the following

    http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/5df36b89-86fd-4bdf-b9a9-c891b151f33e/


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by DZuver Thursday, June 16, 2011 2:17 PM
    Thursday, June 16, 2011 11:06 AM

All replies

  • yes,

    Get-Mailbox | Remove-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by DZuver Wednesday, June 15, 2011 6:03 PM
    Wednesday, June 15, 2011 5:15 PM
  • Quick follow-up on this -- Do I need to add the permissions back to the users mailbox (I'm thinking YES)?    And will this remove his access for all future account creations?

    One more question:  :)  Sorry - but what if I wanted to do it only by database?

     

    Thank you


    Dave Zuver Davis Wright Tremaine Seattle, WA
    Wednesday, June 15, 2011 7:19 PM
  • I guess I need a bit more help on this --   When I run the command, I receive errors on the accounts that the user has FullAccess to:

     

    WARNING: An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Allow]  and was ignored on object "CN=Olson\,
    Michael,OU=Systems,OU=Staff,OU=SEA Users,OU=SEA,OU=Windows 7,OU=Master OU,DC=DWT,DC=com".

    Do you know how I can fix this?

    Thank you


    Dave Zuver Davis Wright Tremaine Seattle, WA
    Wednesday, June 15, 2011 9:44 PM
  • Have you checked to make sure that the user you are using to perform the command has the appropriate rights under RBAC?
    • Marked as answer by DZuver Thursday, June 16, 2011 2:17 PM
    Thursday, June 16, 2011 2:23 AM
  • check the following

    http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/5df36b89-86fd-4bdf-b9a9-c891b151f33e/


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by DZuver Thursday, June 16, 2011 2:17 PM
    Thursday, June 16, 2011 11:06 AM
  • I had assigned permissions and I removed them using this command:

     

    Get-MailboxDatabase | Remove-ADPermission –User “hansb” –AccessRights ExtendedRight –ExtendedRights Receive-As, ms-Exch-Store-Admin

     

    All is good now.  Thank you so much !!


    Dave Zuver Davis Wright Tremaine Seattle, WA
    Thursday, June 16, 2011 2:17 PM