How can you remove User rights that were applied to a MailStore?

  • Question

  • Hi All,

    I've inherited an Exchange 2010 SP3 environment and I'd like to do a bit of cleanup from legacy accounts such as Blackberry, Digiscope and others that were assigned rights directly to our MailStores.

    I see that Digiscope had rights applied like this:

    http://www.lucid8.com/download/documentation/DSWebHelp/SETUP/Granting_Access_to_Exchange_2010_Production_Databases_Mailboxes.htm

    I'd like to remove the access rights and then delete the legacy accounts.

    I'm thinking the following may work, but if you have alternative ideas, I'd really like to read them.

    1. Remove-ADPermission -identity "Microsoft Exchange" -user MyDomain\DSAdministrators
    2. Remove DSAdministrators from the "Public Folder Management"
    3. Delete DSAdmin User Account
    4. Delete DSAdministrators Group

    Thank you very much for your time,

    Mr Mister

    Tuesday, December 31, 2013 5:54 PM

Answers

  • I'd remove the permissions in the reverse order they were applied:

    Get-MailboxDatabase | Remove-ADPermission -User "Domain\DSAdministrators" -ExtendedRights Receive-As -InheritanceType All
    Remove-ADPermission -Identity "Microsoft Exchange" -User "Domain\DSAdministrators" -AccessRights GenericAll -InheritanceType All
    Remove-ADPermission -Identity "Microsoft Exchange" -User "Domain\DSAdministrators" -ExtendedRights Receive-As -InheritanceType All

    Steps 2 thru 4 are okay.


    --- Rich Matheisen MCSE&I, Exchange MVP

    • Marked as answer by Mr Mister Thursday, January 2, 2014 11:22 PM
    Tuesday, December 31, 2013 10:27 PM
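
An added example, not part of the original thread: one way to record the group's explicit ACEs before running the removals above, dry-run them with -WhatIf, and confirm afterwards that nothing is left. The helper name Get-LegacyAce and the CSV path are assumptions; the group name and the "Microsoft Exchange" identity are the ones used in the thread.

```powershell
# Run in the Exchange Management Shell.
$Principal = 'Domain\DSAdministrators'        # legacy group named in the thread
$Backup    = '.\DSAdministrators-aces.csv'    # hypothetical output path

function Get-LegacyAce {
    # Explicit (non-inherited) ACEs held by $Principal on the org container
    # and on every mailbox database.
    $targets = @('Microsoft Exchange') +
               @(Get-MailboxDatabase | ForEach-Object { $_.DistinguishedName })
    foreach ($t in $targets) {
        Get-ADPermission -Identity $t -User $Principal |
            Where-Object { -not $_.IsInherited } |
            Select-Object @{n='Target';e={$t}}, User, Deny, InheritanceType,
                @{n='AccessRights';e={$_.AccessRights -join ','}},
                @{n='ExtendedRights';e={$_.ExtendedRights -join ','}}
    }
}

# 1. Record the current state so the ACEs can be re-created if something breaks.
$before = @(Get-LegacyAce)
$before | Export-Csv -Path $Backup -NoTypeInformation
$before | Format-Table -AutoSize

# 2. Dry run of the removals from the answer; drop -WhatIf to apply them.
Get-MailboxDatabase |
    Remove-ADPermission -User $Principal -ExtendedRights Receive-As -InheritanceType All -WhatIf
Remove-ADPermission -Identity 'Microsoft Exchange' -User $Principal `
    -AccessRights GenericAll -InheritanceType All -WhatIf
Remove-ADPermission -Identity 'Microsoft Exchange' -User $Principal `
    -ExtendedRights Receive-As -InheritanceType All -WhatIf

# 3. After the real run: no explicit ACE should remain for the group.
$after = @(Get-LegacyAce)
if ($after.Count -eq 0) {
    "No explicit ACEs left for $Principal"
} else {
    $after | Format-Table -AutoSize
}

# 4. Before deleting the group, confirm it is no longer in the role group (step 2).
Get-RoleGroupMember 'Public Folder Management' | Select-Object Name, RecipientType
```

Run steps 3 and 4 again after removing -WhatIf; delete the account and group only once both come back clean.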

All replies

  • Hi,

    I recommend you follow Rich's suggestion to check the result. If there is any update, please feel free to post here for further research.

    Best regards,
    Belinda


    Belinda Ma
    TechNet Community Support

    Wednesday, January 1, 2014 5:17 AM
    Moderator
  • Rich,

    Thank you very much for your reply!  I'll be able to try this out this evening and report back.

    Thanks again,

    Mr Mister

    Thursday, January 2, 2014 2:46 PM