Remove Orphaned SID from Mailbox Full Access ACL

  • Question

  • Hi all,

    experiencing a strange problem, whereby I am unable to remove Orphaned SIDs from the Full Access ACL in Exchange 2007.

    When I attempt to remove the entry via the GUI, I get the following error:

    Failed to resolve the specified user or group "S-1-5-21-1234567890-1234567890-1234567890-1234." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust."

    The trust relationship between the primary domain and the trusted domain failed.

    Exchange Management Shell command attempted:
    Remove-MailboxPermission -Identity 'CN=SomeUser,OU=SomeOU,DC=SomeDomain,DC=com,DC=au' -User 'S-1-5-21-1234567890-1234567890-1234567890-1234' -InheritanceType 'All' -AccessRights 'FullAccess'

    I have followed various threads regarding using ADSIEdit, but the Mailbox Store does not seem to have any top level permissions. I've also checked the Organisation Configuration page and the SID is not showing up in there.

    I've tried to remove the SID from the Security tab of the User Object in AD, but it is not having any effect on the mailbox.

    Any ideas?


    Friday, November 23, 2012 7:00 AM

All replies

  • Ian,

    First, find the orphaned SIDs in Exchange Management Shell:

    Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {$_.AccessRights -eq "FullAccess" -and $_.User -eq "S-1-5-21-1234567890-1234567890-1234567890-1234"} | Select-Object Identity,User | Export-Csv SID.csv

    Open SID.csv to find the permission on the mailbox. Remove those one by one:

    # -Identity is the mailbox from the Identity column of SID.csv; the orphaned SID goes in -User
    Get-Mailbox -Identity <Identity from SID.csv> | Remove-MailboxPermission -User "S-1-5-21-1234567890-1234567890-1234567890-1234" -AccessRights "FullAccess"

    Regards from ExchangeOnline

    Friday, November 23, 2012 7:15 AM
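As an added example (not code from this thread), the script below generalizes the reply above from one known SID to every Full Access entry whose trustee did not resolve to a name, keeps only explicit, non-inherited allow entries, and writes them to a CSV for review before anything is removed. The output file name and the -WhatIf dry run are assumptions; drop -WhatIf only after checking the CSV.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Get-MailboxPermission returns one object per ACE with Identity, User,
# AccessRights, IsInherited and Deny. When a SID no longer resolves in the
# local forest (or a trusted one), User is shown as the raw SID string.

$orphaned = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and                     # explicit ACEs only
        -not $_.Deny -and                            # allow entries only
        $_.User.ToString() -match '^S-1-5-21-'       # unresolved SID, not DOMAIN\name
    } |
    Select-Object Identity, @{Name = 'SID'; Expression = { $_.User.ToString() }}

# Review this file first (assumed path); a SID from a foreign forest without a
# resolvable trust will fail on removal, exactly as the error in the question shows.
$orphaned | Export-Csv -Path .\OrphanedFullAccess.csv -NoTypeInformation

# Remove one ACE at a time. -WhatIf reports what would change without changing it.
foreach ($entry in $orphaned) {
    Remove-MailboxPermission -Identity $entry.Identity -User $entry.SID `
        -AccessRights FullAccess -InheritanceType All -Confirm:$false -WhatIf
}
```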
  • Hi,

    Yes, I have obtained the list of SIDs to remove; I just can't seem to remove them and am wondering why. I have Exchange Org Admin rights, so I should be able to.




    Friday, November 23, 2012 7:18 AM
  • Ian,

    Are you able to find the entries at ADSIEDIT.MSC? Try to delete from there

    Regards from ExchangeOnline

    Friday, November 23, 2012 8:24 AM
  • Hi,

    Yes, as stated in my original post, I have tried ADSIEdit but cannot see any permissions that need removing.


    Friday, November 23, 2012 8:46 AM
  • I suspect that the SIDs being shown are for another domain, and that the error is actually correct.

    If this is the case, is there a way to resolve the SID without having to jump on another domain's DC?


    Friday, November 23, 2012 8:55 AM
  • Hi,

    Please try removing the discovery search mailbox and recreating it via Prepare AD.

    Prepare Active Directory and Domains:

    Wendy Liu
    TechNet Community Support

    Monday, November 26, 2012 7:43 AM