How to remove orphaned permissions

  • Question

  • Hello Everyone, 

    As always I assigned Full Access, Send on Behalf and/or Send As on certain mailboxes.

    However I noticed if the account is not removed from these permissions, and the account is moved into our child domain, it is orphaned.  When I remove the access permissions I either get an error or when I re-open the properties it is still listed.

    For example, I have a mailbox named Registration@contoso.com and I assign user1@contoso.com to have Full Permissions.

    Then later I move user1 from the contoso.com domain to the child.contoso.com domain using the Move-ADObject cmdlet.  However if the full access permissions are not removed from the mailbox first it is orphaned on the account.

    Unfortunately I cannot move the account  back to the parent domain as I cannot disrupt the user1 account.

    Steps taken have been:

    Open Registration AD account Attribute Editor and remove the User1 account from the msExchDelegateListLink Attribute.  When I do this I see on the User1 Attribute Editor the  Registration AD account is removed from the msExchDelegateListBL Attribute.  However it is still listed in Full Permissions on the Exchange mailbox properties.

    If I remove the account from the msExchDelegateListLink then go and look in the account properties via ADSI it looks correct.

    Any ideas how to remove these orphaned permissions?

    Thanks!

    Wednesday, August 21, 2019 3:11 PM

Answers

  • Hi igibason,

    After removing the User1 account from the msExchDelegateListLink attribute in ADSI Edit, try to remove it from the mailbox delegation page in EAC. What happens?

    Moreover, you can also try the following command and check whether it helps:

    Remove-MailboxPermission -User "the SID of User1" -Identity Registration -AccessRights FullAccess


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com

    • Proposed as answer by Niko.Cheng Monday, August 26, 2019 9:05 AM
    • Marked as answer by igibason Monday, August 26, 2019 12:56 PM
    Thursday, August 22, 2019 2:46 AM

All replies

  • Thanks again for the cmd.  This does seem to be working successfully on the FullAccess.

    However I see that I have some other accounts that are orphaned on Exchange 2013 Shared mailboxes.  I can run the cmdlet you referenced above to remove the FullAccess however I cannot seem to get the SendAs permissions removed.

    I have tried the following cmdlets.

    Get-Mailbox "mailboxname" | Remove-ADPermission -User "SID of User" -ExtendedRights "Send As"

    Get-Mailbox "mailboxname" | Remove-ADPermission -User "SIDHistory of User" -ExtendedRights "Send As"

    Get-Mailbox "mailboxname" | Remove-ADPermission -User "domain\user" -ExtendedRights "Send As"

    Remove-MailboxPermission -Identity "mailboxname" -User "SID, SIDHistory, domain\user" -AccessRights FullAccess -InheritanceType All

    Anything else I can try?

    Wednesday, August 28, 2019 2:34 PM
  • Hi igibason,

    You can try to remove the Send As permission by using the ADSI Edit tool and check whether it helps.

    Like below:

    Find the User > Properties > Security > the account that has Send As permission > Uncheck > Apply


    Best Regards,
    Niko Cheng


    Thursday, August 29, 2019 8:50 AM
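
Added example, not part of any post in this thread: a report-first sweep of one mailbox for explicit FullAccess and Send As entries whose trustee shows up as a raw SID, using the same cmdlets the posts mention. It assumes an on-premises Exchange Management Shell and that an orphaned entry is displayed as an S-1-5-21-... string; the parameter names $Mailbox and $Remove are this example's own.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# 'Registration' is the sample mailbox name used in the question.
param(
    [string]$Mailbox = 'Registration',
    [switch]$Remove   # without -Remove every removal below runs with -WhatIf
)

$mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

# Assumption: a trustee that no longer resolves is shown as a raw domain SID
# (S-1-5-21-<three sub-authorities>-<RID>) instead of DOMAIN\name.
$isRawSid = { "$($_.User)" -match '^S-1-5-21-(\d+-){3}\d+$' }

# Explicit (non-inherited) allow entries granting FullAccess on the mailbox.
$fullAccess = @(Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   $_.AccessRights -like '*FullAccess*' } |
    Where-Object $isRawSid)

# Explicit allow entries granting the Send As extended right on the AD object.
$sendAs = @(Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   $_.ExtendedRights -like '*Send-As*' } |
    Where-Object $isRawSid)

# Report what was found before anything is changed.
$fullAccess | Select-Object @{n='Right';e={'FullAccess'}}, User, IsInherited
$sendAs     | Select-Object @{n='Right';e={'Send As'}},    User, IsInherited

# Preview by default; pass -Remove to actually delete the entries.
$preview = -not $Remove

foreach ($ace in $fullAccess) {
    Remove-MailboxPermission -Identity $mbx.Identity -User "$($ace.User)" `
        -AccessRights FullAccess -InheritanceType All `
        -Confirm:$false -WhatIf:$preview
}

foreach ($ace in $sendAs) {
    Remove-ADPermission -Identity $mbx.DistinguishedName -User "$($ace.User)" `
        -ExtendedRights 'Send As' -Confirm:$false -WhatIf:$preview
}
```

Review the report before passing -Remove, since a raw SID can also belong to a trustee that is only temporarily unresolvable from the server running the shell.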