Can't remove Full Access rights for one user??!!!!

  • Question

  • Hi everybody,

    could you please help me to solve the below issue:


    I'm trying to remove Full Access rights for one user from an
    existing user's mailbox... Exchange 2007 SP1.  When I try to do so, I
    receive the following error message: 


    +++++++++++++++++++++++++++

    Summary: 1 item(s). 0 succeeded, 1 failed.
    Elapsed time: 00:00:00

    Error:
    Cannot remove ACE on object
    "CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX" for account
    "xxx\xxxxx.xxxx" because it is not present.

    Exchange Management Shell command attempted:
    Remove-MailboxPermission -Identity
    'CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX' -User
    'xxx\xxxxx.xxx' -InheritanceType 'All' -AccessRights 'FullAccess'

    please note that I can remove the "send as permission" for the same user on the same mailbox!!!


    thanks in advance...

    waleed

    Sunday, March 8, 2009 12:22 PM

Answers

  • Issue description: While managing access permissions to one mailbox, you ran into an error while trying to perform the cmdlet “Remove-MailboxPermission”.

    Explanation: As we know, permission management is implemented with the Access Control List (ACL) on the object. An ACL contains several Access Control Entries (ACEs) which describe the permission settings in detail. According to the output of Remove-MailboxPermission, the permission "Full Access" for user “xxxxx.xxxx” does not exist on mailbox “CN=XXX”.

    Troubleshooting:

    1. I suggest that we verify whether the "Full Access" ACE does exist on the mailbox first. To do so, please follow the steps below:

    a. Launch EMS and dump all ACEs related to user “xxxxx.xxxx” on mailbox “CN=XXX”:

    Get-MailboxPermission -Identity 'CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX' -User 'xxx\xxxxx.xxx' | FL > C:\MBPerm.log

    b. Open the output file and check whether there is an entry for “xxxxx.xxx” that looks like the one below:

    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : Domain\jamesluo
    Identity        : Domain.com/Ex Team/Smith John
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged

    2. Please try to remove the Full Access permission on mailbox “CN=XXX” via EMC. If we can’t, please look for any warning or unusual sign. Please check the application log as well.

    3. Please try to move the mailbox of “CN=XXX” to another database, which will recreate the mailbox in the new database; the mailbox can be fixed during the process if there are any logical errors.

    Possible cause: After the source account (xxxxx.xxxx) is migrated with sIDHistory, the account gets a new objectSID and a sIDHistory. The mailbox security descriptor for the target mailbox (CN=XXX) only contains the sIDHistory (of xxxxx.xxxx) but NOT the new objectSID. Remove-MailboxPermission only makes a lookup for the objectSID of the account (xxxxx.xxxx) to be removed, but it doesn't check whether this account has a sIDHistory.

    Workaround: Remove the mailbox permission for the migrated accounts with the Exchange 2003 admin tools. When the Exchange 2003 admin tools are installed, we can remove the mailbox permission via ADUC -> Exchange Advanced -> Mailbox Rights.

    Resources:

    How to Install the Exchange System Management Tools

    Administer Exchange 2003 from Windows XP SP1

    Removing Legacy Permissions from Pure Exchange 2007 Environment

    • Proposed as answer by Alan.Gim Thursday, March 12, 2009 1:55 AM
    • Marked as answer by Alan.Gim Monday, March 16, 2009 1:12 AM
    Tuesday, March 10, 2009 3:15 AM
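    Added diagnostic example (not from this thread, and not a Microsoft tool): the accepted answer says the ACE may be keyed on the account's old SID (kept in sIDHistory) rather than its current objectSid, which is why Remove-MailboxPermission reports the ACE as "not present". The script below makes that visible by reading the account's objectSid and sIDHistory values from AD, parsing the mailbox user's msExchMailboxSecurityDescriptor attribute, and reporting which SID each matching ACE is keyed on. Assumptions: PowerShell 2.0 or later with System.DirectoryServices available (the Exchange Management Shell qualifies), read access to msExchMailboxSecurityDescriptor (assumed here to be the AD copy of the mailbox rights ACL), the mask bit 0x1 for "Full mailbox access", and the placeholder DN and account name replaced with real values.

```powershell
# Added example, not from the thread. Reports whether the mailbox ACE for an
# account is keyed on its current objectSid or on one of its sIDHistory SIDs.
# Assumptions: PowerShell 2.0+, System.DirectoryServices, read access to the
# mailbox user's msExchMailboxSecurityDescriptor attribute (assumed to hold the
# AD copy of the mailbox rights ACL). Replace the placeholders before running.

param(
    [string]$MailboxDN  = 'CN=XXX,OU=XXX,DC=XXX,DC=XXX',   # placeholder DN
    [string]$AccountSam = 'xxxxx.xxxx'                      # placeholder account
)

# Assumed mask bit for "Full mailbox access" in the mailbox rights ACL.
$FullMailboxAccessMask = 0x1

function Get-AccountSids {
    # Returns the account's objectSid and all sIDHistory SIDs as SecurityIdentifier objects.
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('objectSid')
    [void]$searcher.PropertiesToLoad.Add('sIDHistory')
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' not found in the current domain" }
    $objectSid = New-Object System.Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)
    $history = @()
    foreach ($raw in $result.Properties['sidhistory']) {
        $history += New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    }
    return @{ ObjectSid = $objectSid; SidHistory = $history }
}

function Get-MailboxDaclAces {
    # Parses msExchMailboxSecurityDescriptor on the mailbox user and returns the DACL's CommonAce entries.
    param([string]$DistinguishedName)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=*)')
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    [void]$searcher.PropertiesToLoad.Add('msExchMailboxSecurityDescriptor')
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Mailbox object '$DistinguishedName' not found" }
    $values = $result.Properties['msexchmailboxsecuritydescriptor']
    if ($values.Count -eq 0) { throw "msExchMailboxSecurityDescriptor is not readable on '$DistinguishedName'" }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($values[0], 0)
    $aces = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce]) { $aces += $ace }
    }
    return $aces
}

function Test-MailboxAceForAccount {
    # For every ACE that belongs to the account, report which SID it matched on
    # and whether it grants the assumed Full mailbox access bit.
    param([string]$DistinguishedName, [string]$SamAccountName)
    $sids = Get-AccountSids -SamAccountName $SamAccountName
    $report = @()
    foreach ($ace in Get-MailboxDaclAces -DistinguishedName $DistinguishedName) {
        $source = $null
        if ($ace.SecurityIdentifier -eq $sids.ObjectSid) { $source = 'objectSid' }
        elseif ($sids.SidHistory -contains $ace.SecurityIdentifier) { $source = 'sIDHistory' }
        if ($source -ne $null) {
            $report += New-Object PSObject -Property @{
                Sid        = $ace.SecurityIdentifier.Value
                MatchedVia = $source
                AceType    = $ace.AceType
                FullAccess = (($ace.AccessMask -band $FullMailboxAccessMask) -ne 0)
                Inherited  = (($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -ne 0)
            }
        }
    }
    return $report
}

$found = @(Test-MailboxAceForAccount -DistinguishedName $MailboxDN -SamAccountName $AccountSam)
if ($found.Count -eq 0) {
    Write-Output "No ACE for '$AccountSam' (by objectSid or sIDHistory) in the mailbox security descriptor."
} else {
    $found | Format-Table Sid, MatchedVia, AceType, FullAccess, Inherited -AutoSize
}
```

    If a row shows MatchedVia = sIDHistory, the ACE predates the account migration and is keyed on the old SID; that is the situation the accepted answer describes, in which a lookup by the current objectSid finds nothing, and the workaround above (the Exchange 2003 tools via ADUC) is the path to take. Seeing the raw SIDs also makes it clear why Get-MailboxPermission still displays the account name: Windows resolves the old SID through sIDHistory for display, while the removal cmdlet resolves the name back to the new objectSid.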

All replies

  • If you ran a domain migration...the sid history object is actually what you are seeing. Run the script below from Exchange PShell using your old domain as shown below:

    Remove-MailboxPermission -Identity "In here enter mailbox name" -User "In here are old domain and username domain\username" -AccessRights FullAccess

    Leave the quotes and fill in the information needed. Worked for us. We went through a domain migration and had to use this to remove the rights on some mailboxes.
    • Proposed as answer by SpaceMonkeysMom Wednesday, October 12, 2011 2:43 AM
    Wednesday, September 30, 2009 7:53 PM
  • Having a similar problem as OP. 

    I tried running the script from cbschween in EMS, but the results were the same as from EMC

    WARNING: Can't remove the access control entry on the object "CN=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx" for account "xxx\xxx" because the ACE doesn't exist on the object.

    I do need to add that I was able to add and remove a test account from the mailbox, but not the account in question.

    • Edited by JBrentG Tuesday, December 13, 2011 2:36 PM
    Tuesday, December 13, 2011 2:35 PM
  • Ran into similar issue. EMC would not remove Full mailbox access permission, stating that it does not exist for that user. ADUC succeeded in removing the permission.
    Friday, November 16, 2012 10:33 AM
  • I've tried to do this, but I can't. After I install the Exchange 2003 tools, open up ADUC, go to the user, open the Exchange Advanced tab and click Mailbox Rights, I get an error:

    "The action could not be completed because the Microsoft Exchange Information Store service is unavailable. Be sure the service is running and you have connectivity to the Microsoft Exchange Server computer."

    Wednesday, June 26, 2013 7:59 PM
  • Hi All,

    Fixed this issue....

    If you have moved your mailboxes from legacy environment this issue will occur.

    To fix this....make sure you have Exchange 2003 system manager installed with Administrative Tools...Select AD users and computers....Search Source Mailbox...Select Exchange Advanced...Remove the mailbox permission.

    This will automatically remove the user object from 2007/2010 EMC.

    Thanks,

    Monday, September 29, 2014 1:44 PM
  • I am having the same issue and followed the steps recommended here without success.

    Sunday, October 12, 2014 2:19 PM
  • I am getting the below error when running ADUC

    "The action could not be completed because the Microsoft Exchange Information Store service is unavailable. Be sure the service is running and you have connectivity to the Microsoft Exchange Server computer."

    Anyone knows why?

    Sunday, October 12, 2014 8:13 PM