Unable to remove permissions assigned to a dead SID on a MB

  • Question

  • I was able to remove dead SIDs from Full Access on all Exchange mailboxes using PowerShell. Prior to that I tested removing users manually and got these 2 different results when attempting to remove users. Sometimes, instead of running Remove-MailboxPermission, Exchange would run Add-MailboxPermission and set it to Deny.

    Manually (right click on Full Access>Select Users and remove):

    1. Exchange Management Shell command completed:
    Add-MailboxPermission -Identity 'CN=xxx\, xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=com' -User 'S-1-5-21-2049527776-770322540-330569332-61796' -Deny -AccessRights 'FullAccess'

    Or

    2. Remove-MailboxPermission -Identity 'CN=xxx\, xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=com' -User 'S-1-5-21-2049527776-770322540-330569332-32909' -InheritanceType 'All' -AccessRights 'FullAccess'

    After removing all the dead SIDs (none show in Full Access dialog) I am stuck with the "Deny" SIDs and I am unable to remove them.

    PS> Get-MailboxPermission xxx

    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : S-1-5-21-2049527776-770322540-330569332-61796
    Identity        : xxx/xxx/xxx/xxx
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged

    PS> C:\Windows\system32>Remove-MailboxPermission -user "S-1-5-21-2049527776-770322540-330569332-61796" -identity xxx -InheritanceType "All" -AccessRights 'FullAccess'

    Confirm
    Are you sure you want to perform this action?
    Removing mailbox permission "xxx" for user
    "S-1-5-21-2049527776-770322540-330569332-61796" with access rights "'FullAccess'".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):a
    Remove-MailboxPermission : Cannot remove ACE on object "CN=xxx\, xxx,OU=xxx,
    OU=xxx,DC=xxx,DC=xxx,DC=com" for account "S-1-5-21-2049527776-7703
    22540-330569332-61796" because it is not present.

    I don't understand why I can't remove it if I can see it. Ideas?

    Thanks.


    • Edited by Ziv Rivkis Thursday, January 17, 2013 4:58 AM
    Thursday, January 17, 2013 4:57 AM

Answers

  • After looking a little bit further into this issue I was able to resolve it. I attempted to remove the Full Access permissions and that failed. So I decided to remove the "Deny" on the Full Access. I ran this command:

    [PS] C:\Windows\system32>Remove-MailboxPermission -Identity XXX -user S-1-5-21-2049527776-770322540-330569332-63094 -Deny -InheritanceType 'all' -AccessRights 'fullaccess'

    Notice the "-Deny"

    This resolved the issue and removed the dead SID. I tested with all other dead SIDs and this works every time.

    • Marked as answer by Ziv Rivkis Tuesday, January 22, 2013 9:17 PM
    Tuesday, January 22, 2013 9:17 PM
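    The pattern from the accepted answer, written up as an added example script (not code from the thread or from Microsoft): it enumerates non-inherited mailbox ACEs whose trustee only shows as an unresolved SID and removes each one with the same Allow/Deny flag it was stored with, which is the detail that makes the difference between success and "Cannot remove ACE ... because it is not present". It then reports database-level ACEs for the same SIDs, the check suggested later in the thread, without changing them. Assumes the Exchange Management Shell (Exchange 2010 cmdlets) and an account allowed to change mailbox permissions; $DryRun and $sidPattern are my own names.

```powershell
# Added example: clean up Full Access ACEs left behind by deleted accounts.
# Start with $DryRun = $true; every Remove-MailboxPermission call then runs with -WhatIf.
$DryRun = $true

# Unresolved trustees show up as a raw domain SID instead of a display name.
$sidPattern = '^S-1-5-21-\d+-\d+-\d+-\d+$'

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and "$($_.User)" -match $sidPattern } |
        ForEach-Object {
            $ace = $_
            $params = @{
                Identity        = $mbx.Identity
                User            = "$($ace.User)"
                AccessRights    = $ace.AccessRights
                InheritanceType = $ace.InheritanceType
                Confirm         = $false
                WhatIf          = $DryRun
            }
            # Key point from the answer: an ACE stored as Deny must be removed with -Deny.
            # Without it the cmdlet looks for a matching Allow ACE, finds none, and
            # reports the entry as "not present" even though Get-MailboxPermission lists it.
            if ($ace.Deny) { $params['Deny'] = $true }

            $kind = if ($ace.Deny) { 'Deny' } else { 'Allow' }
            Write-Host ("{0}: removing {1} {2} for {3}" -f `
                $mbx.Alias, $kind, ($ace.AccessRights -join ','), $ace.User)
            Remove-MailboxPermission @params
        }
}

# Report only: the same dead SIDs may also have ACEs at the database level,
# which Get-MailboxPermission does not show. Review these before touching them.
Get-MailboxDatabase |
    Get-ADPermission |
    Where-Object { "$($_.User)" -match $sidPattern } |
    Format-Table Identity, User, Deny, AccessRights, ExtendedRights -AutoSize
```

    Flip $DryRun to $false once the -WhatIf output lists exactly the entries you expect; non-inherited entries are filtered deliberately, because an inherited ACE has to be removed from the object it is inherited from, not from the mailbox.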

All replies

  • Remove-MailboxPermission : Cannot remove ACE on object "CN=xxx\, xxx,OU=xxx,
    OU=xxx,DC=xxx,DC=xxx,DC=com" for account "S-1-5-21-2049527776-7703
    22540-330569332-61796" because it is not present.

    I don't understand why I can't remove it if I see it? Ideas?


    Hi,
    It might be that the permissions were configured on the Database Level.

    Can you see the SID on the databases?

    Check with:
    Get-MailboxDatabase | Get-ADPermission -User S-1-5-21-2049527776-770322540-330569332-61796 | ft Identity,ExtendedRights,AccessRights

    Martina Miskovic


    Thursday, January 17, 2013 6:20 AM
  • I ran the suggested command and it returned empty. I looked in ADSI and none of the SIDs in question exist on any Exchange related objects.
    Thursday, January 17, 2013 3:04 PM
  • Hi Ziv,

    If I understand correctly, you added the -Deny parameter to the cmdlet Add-MailboxPermission, which means you have granted the user "S-1-5-21-2049527776-770322540-330569332-61796" full access to the mailbox 'CN=xxx\,xx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=com', but this user will not inherit the access permission which is granted to the group the user belongs to, so maybe you can remove the -InheritanceType "All" from the cmdlet Remove-MailboxPermission and try again.

    And here is an old thread with similar error message for your reference

    http://social.technet.microsoft.com/forums/en-US/exchangesvrdeploylegacy/thread/50a94a45-903e-409e-ba5c-116d84bed7ff

    Regards,

    Sharon


    Sharon Shen
    TechNet Community Support


    Friday, January 18, 2013 7:47 AM
    Moderator
  • I did as you suggested and didn't include the -InheritanceType param. This didn't change the result. Once again, if I run Get-MailboxPermission on a user mailbox I receive:

    [PS] C:\Windows\system32>Get-MailboxPermission xxx | select user

    User
    ----
    S-1-5-21-2049527776-770322540-330569332-61796
    S-1-5-21-2049527776-770322540-330569332-63094

    [PS] C:\Windows\system32>Get-MailboxPermission xxx

    Identity             User                 AccessRights        IsInherited Deny
    --------             ----                 ------------        ----------- ----
    xxx.xxx.c... S-1-5-21-20495277... {FullAccess}        False       True
    xxx.xxx.c... S-1-5-21-20495277... {FullAccess}        False       True

    [PS] C:\Windows\system32>Remove-MailboxPermission -Identity xxx -user S-1-5-
    21-2049527776-770322540-330569332-61796 -AccessRights "FullAccess"

    Confirm
    Are you sure you want to perform this action?
    Removing mailbox permission "xxx" for user
    "S-1-5-21-2049527776-770322540-330569332-61796" with access rights
    "'FullAccess'".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):a
    Remove-MailboxPermission : Cannot remove ACE on object "CN=xxx\, xxx,OU=xxx,
    OU=xxx,DC=xxx,DC=xxx,DC=com" for account "S-1-5-21-2049527776-7703
    22540-330569332-61796" because it is not present.
    At line:1 char:25
    + Remove-MailboxPermission <<<<  -Identity xxx -user S-1-5-21-2049527776-77
    0322540-330569332-61796 -AccessRights "FullAccess"
        + CategoryInfo          : InvalidOperation: (0:Int32) [Remove-MailboxPermi
       ssion], InvalidOperationException
        + FullyQualifiedErrorId : 6E65CFA3,Microsoft.Exchange.Management.Recipient


    • Edited by Ziv Rivkis Sunday, January 20, 2013 8:04 PM
    Sunday, January 20, 2013 8:03 PM
  • Opened a ticket with MS Support to see if this can be resolved.
    Tuesday, January 22, 2013 4:48 PM