Full Access given to Security Distribution Group has added the group to the delegates for every mailbox

  • Question

  • Hello,

    I've given the group of mailbox administrators (Mail-enabled Universal Security group) GenericAll Permissions at database level for every database.  This way they have full access to all mailboxes.

    But now this group has been added to the resourcedelegates list on every mailbox.

    How is this possible, and how can I remove this resourcedelegate without deleting the correct delegates?

    Powershell set-calendarprocessing for user gives error: "resourcedelegates can only be set on resource mailboxes"

    Environment:  Exchange 2010 SP2 DAG

    Windows 2008 R2

    Please advise

    Frederik


    Frederik

    Monday, September 17, 2012 1:37 PM

Answers

  • Hi Helles,

    Do you mean that after you grant the full access permission, the administrator would be listed in the value of the target mailbox's AD attribute msExchDelegateListLink?

    If so, this could be normal and we could manually remove them in ADSI Edit one by one (or you could follow the steps below to check if the administrators are listed in the same place; if so, you could remove them and see if the Quest Notes Migrator would still recognize them as delegates):

      • Open AdsiEdit.msc.
      • Expand Default naming context to CN=Users.
      • Select the user account whose mailbox is being displayed as an additional mailbox in Outlook.
      • Right-click this account and click Properties.
      • Select the msExchDelegateListLink attribute and click Edit.
      • Select the account you want to remove (this is the account who sees the additional mailboxes displayed in Outlook) and click Remove.
      • Click OK twice.

    Or we could use ADModify to clear them on multiple users:

    This tool could be downloaded from here:

    ADModify.NET

    http://admodify.codeplex.com/releases/view/6065

    Steps to remove the value:

    1.  Start AD Modify and select Modify Attributes 

    2.  Select your Domain from the Domain List 

    3.  Press the green button to populate the Organizational Unit (OU) list 

    4.  Select the OU where your users are located 

    5.  Click on Add to List -> 

    6.  Highlight all the users you want to modify 

    7.  Click Next  

    8.  Go to the Custom tab 

    9.  Check mark Make a customized attribute modification 

    10.  In the Attribute Name type msExchDelegateListLink 

    11.  In the Attribute Value type null 

    12.  Click on Go! 

    Thanks,

    Andy


    Thursday, September 20, 2012 5:57 AM
    Moderator
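
The ADSI Edit procedure in the answer above removes a single entry from msExchDelegateListLink on one account. As an added example (not part of the original thread), the same single-value removal can be scripted across an OU so that every other entry in the attribute is left in place. It assumes the ActiveDirectory PowerShell module is available; the function name and both distinguished names are hypothetical placeholders.

```powershell
# Added example: remove one DN from msExchDelegateListLink, keep the rest.
# Requires the ActiveDirectory module (RSAT). The DNs below are placeholders.
Import-Module ActiveDirectory

function Remove-DelegateListEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,   # OU holding the mailbox users
        [Parameter(Mandatory = $true)][string]$DelegateDN    # DN of the entry to remove
    )

    # LDAP filter matches only objects whose link attribute contains this DN.
    # (DNs containing LDAP filter special characters would need escaping.)
    $filter = "(msExchDelegateListLink=$DelegateDN)"

    Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter -Properties msExchDelegateListLink |
        ForEach-Object {
            # Entries that will stay on the object after the change.
            $kept = @($_.msExchDelegateListLink | Where-Object { $_ -ne $DelegateDN })
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName,
                    "Remove $DelegateDN from msExchDelegateListLink")) {
                # -Remove deletes just this value from the multi-valued attribute.
                Set-ADUser -Identity $_ -Remove @{ msExchDelegateListLink = $DelegateDN }
            }
            # Report what was targeted and which entries remain untouched.
            New-Object PSObject -Property @{
                Mailbox = $_.SamAccountName
                Removed = $DelegateDN
                Kept    = $kept -join '; '
            }
        }
}

# Dry run first: -WhatIf lists the objects that would change without writing.
Remove-DelegateListEntry -SearchBase 'OU=Users,DC=example,DC=com' `
    -DelegateDN 'CN=Mailbox Admins,OU=Groups,DC=example,DC=com' -WhatIf
```

Review the Kept column from the dry run before running the command again without -WhatIf.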

All replies

  • Hi

    I found a thread with the same error; perhaps the steps of the solution there could help you

    Add a resourcedelegate to a user mailbox

    http://social.technet.microsoft.com/Forums/en-IE/exchange2010/thread/3b647a47-abab-4438-8c16-56117d5ebbcc

    First confirm whether the mailboxes you would like to modify are user mailboxes or resource mailboxes.

    Hope that helps

    Cheers


    Zi Feng

    TechNet Community Support

    Tuesday, September 18, 2012 9:21 AM
    Moderator
  • Hi,

    These are all user mailboxes.  In the forum thread you sent, it is mentioned that it is impossible to add resourcedelegates to user mailboxes.  I get the same error.

    Figured out where these delegates come from:

    We are migrating from Lotus Notes; Quest Notes Migrator picked them up from the Access Control List in Notes and added them to the delegates and not to the ACEs.

    Any idea how we can clean this resourcedelegate field without removing the correct delegates?

    regards

    Frederik


    Frederik

    Tuesday, September 18, 2012 3:30 PM
  • Hi Helles,

    Any update on this issue? Please feel free to let us know if you need any assistance.

    Thanks,

    Andy

    Tuesday, September 25, 2012 7:33 AM
    Moderator