Removing old SIDs from Full Access & Send As permissions?

  • Question

  • With Exchange 2010 if I look in the EMC at the Full Access and Send As permissions on some mailboxes I see invalid SIDs from where employees have left and their accounts deleted from AD.

    Is there a way to programmatically remove these from mailboxes?


    Saturday, July 30, 2011 8:36 PM


All replies

  • Sure.  Just enumerate the permissions using Get-MailboxPermission, exclude any of them that are inherited, and then use a regex match to the SID pattern to find the ones that didn't resolve, and use Remove-MailboxPermission to remove them.
    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    Saturday, July 30, 2011 8:43 PM
  • Hi Paul,

    Any update on the issue?
    You can remove those unresolved/invalid SIDs from ADUC/Adsiedit.msc also: go to the user properties and Security, and remove it.

    Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com
    Sunday, July 31, 2011 6:16 AM
  • The thing is with using ADSIEdit or EMC is that I need to look at each user to see which have invalid SIDs on them.  It would be nice if there was a way to do this from EMS.  I think that's what mjolinor is proposing but just that code example in isolation doesn't mean much to me, if anyone's able to expand upon it.
    Sunday, July 31, 2011 8:44 AM
  • Sunday, July 31, 2011 8:55 AM
  • Thanks Gulab, that second Exchangepedia link is perfect.

    I can use this EMS cmdlet to get a list of all mailboxes and permissions, and then just go through the file and see the accounts with invalid SIDs:

    Get-Mailbox | Get-MailboxPermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | fl identity, user | Out-File c:\temp\perms.txt

    Which gives this sort of output in perms.txt:

    Identity : domain.com/Users/Disabled Users/Joe Bloggs

    User     : S-1-5-21-88542338-314144238-68360779-2163

    Sunday, July 31, 2011 9:28 AM
  • Here is the command I used to enumerate the orphaned SIDs in Exchange Management Shell:

    Get-mailbox -resultsize unlimited | Get-MailboxPermission | where {$_.accessrights -eq "FullAccess" -and $_.user -like "S-1-5-21*"} | Select-object identity,user | export-csv UnresolvedSids.csv

    Once you get the comma-separated file from ESM open it in Excel and cull it of any that you don't want to remove (such as disabled users whose mailbox is within the deleted mailbox retention period).  You can use Excel to insert columns at appropriate points and build a series of oneliners to remove the offending entries from the Mailbox:

    get-mailbox -identity <Identity parameter> | remove-mailboxpermission -user <User parameter> -accessrights "FullAccess"

    Once the commands are built in Excel, save the .csv file and open it in Notepad (or just copy and paste).  In Notepad use the editing tools to remove the commas and the cell formatting from Excel, copy the whole document and paste it into ESM.

    Larry Baker

    • Proposed as answer by ManU PhiliP Friday, November 23, 2012 7:09 AM
    Monday, April 16, 2012 6:59 PM
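    Tying the enumerate, review and remove steps above into one script, here is an added example that was not posted in this thread. It assumes an Exchange 2010 Management Shell session; the function names Test-OrphanedSid, Get-OrphanedMailboxAce and Remove-OrphanedMailboxAce are my own. It goes beyond the thread in two ways: it covers Send As (via Get-ADPermission) as well as Full Access, and it confirms that a SID actually fails to resolve instead of matching on the S-1-5-21 string alone, so an account from a trusted domain that merely looks unresolved is not removed by mistake.

```powershell
# Added example, not code from the thread. Exchange 2010 EMS (PowerShell 2.0 syntax).
function Test-OrphanedSid {
    # $true only when the principal is a domain SID string that cannot be translated to an account.
    param([string]$Principal)
    if ($Principal -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { return $false }   # already resolved (DOMAIN\user)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Principal)
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $false   # resolves: account still exists (or lives in a reachable trusted domain)
    } catch {
        return $true    # translation failed: genuine orphan, candidate for removal
    }
}

function Get-OrphanedMailboxAce {
    # Enumerates explicit (non-inherited) Full Access and Send As entries held by unresolved SIDs.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        Get-MailboxPermission -Identity $mbx.DistinguishedName |
            Where-Object { -not $_.IsInherited -and ($_.AccessRights -contains "FullAccess") -and (Test-OrphanedSid $_.User.ToString()) } |
            ForEach-Object { New-Object PSObject -Property @{ Identity = $mbx.DistinguishedName; User = $_.User.ToString(); Right = "FullAccess" } }
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object { -not $_.IsInherited -and ($_.ExtendedRights -like "*Send-As*") -and (Test-OrphanedSid $_.User.ToString()) } |
            ForEach-Object { New-Object PSObject -Property @{ Identity = $mbx.DistinguishedName; User = $_.User.ToString(); Right = "Send-As" } }
    }
}

function Remove-OrphanedMailboxAce {
    # Removes only the rows that survived manual review of the CSV; -Preview maps to -WhatIf on the Exchange cmdlets.
    param([string]$ReviewedCsv, [switch]$Preview)
    Import-Csv $ReviewedCsv | ForEach-Object {
        if (-not (Test-OrphanedSid $_.User)) { Write-Warning "$($_.User) resolves now; skipping $($_.Identity)"; return }
        switch ($_.Right) {
            "FullAccess" { Remove-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights FullAccess -Confirm:$false -WhatIf:$Preview }
            "Send-As"    { Remove-ADPermission -Identity $_.Identity -User $_.User -ExtendedRights "Send-As" -Confirm:$false -WhatIf:$Preview }
        }
    }
}

# Step 1: export candidates for review (delete rows you want to keep, e.g. mailboxes still in retention).
Get-OrphanedMailboxAce | Export-Csv C:\temp\OrphanedSids.csv -NoTypeInformation
# Step 2: dry run, then the real thing once the output looks right.
Remove-OrphanedMailboxAce -ReviewedCsv C:\temp\OrphanedSids.csv -Preview
# Remove-OrphanedMailboxAce -ReviewedCsv C:\temp\OrphanedSids.csv
```

The CSV path is a placeholder; keep the exported file as the change record of what was removed and when.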
  • Hi, I wrote this script to remove Orphaned SIDs.


    Wednesday, January 25, 2017 7:02 PM
  • Something like this:

    Get-MailboxPermission -Identity sharedmailbox@contoso.com `
    | ? {($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -ne $true) -and ($_.User -match "S-1-5")} `
    | % {remove-mailboxpermission -Identity $_.Identity -User $_.User -AccessRights FullAccess}

    Tony www.open-a-socket.com

    Thursday, July 26, 2018 10:41 PM