Question
Tuesday, September 3, 2019 3:25 PM
I recently ran the following PowerShell command in an effort to see which users had rights to which mailboxes, excluding any default rights that each user would obviously have, as well as excluding any inherited rights. Ultimately, I'm asking the question: who has been granted rights to a mailbox that isn't their own, AND isn't getting those rights from being in an Exchange Admin group? I found this command to be the most helpful/efficient as I can export it to CSV for easy viewing in Excel.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-MailboxPermission | where {$_.User.ToString() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}
Upon review of the results, I found a great many orphaned SIDs with Full Access to many mailboxes (with at least one having Full Access to EVERY mailbox - I believe this was an old account used by Good for Enterprise, which has since been removed from our environment). Is there an easy way to remove those orphaned SIDs' access? The process would look something like this.
1. Get the first mailbox on our Exchange server.
2. Check the permissions on that mailbox.
3. If the SID "S-1-5-21-73586283-839522115-1185" has any access rights to that mailbox, remove those access rights (whatever they may be - however big or small) and write to a file that the access was removed from that mailbox (for change tracking).
4. Get the next mailbox on our Exchange server. If no more mailboxes, then go to step 6.
5. Repeat steps 2-4
6. Exit process and review file contents for a complete list of what was removed.
I think I know how to remove one permission from one mailbox at a time, but I have hundreds of mailboxes to go through. So any help would be appreciated.
All replies (2)
Wednesday, September 4, 2019 6:35 AM
Hi,
You can use the command below to check which mailboxes can be accessed by this SID:
Get-Mailbox -ResultSize Unlimited | where {$_.RecipientTypeDetails -eq "UserMailbox"} | Get-MailboxPermission | where {$_.User.ToString() -like "*S-1-5-21-73586283-839522115-1185*"} | fl Identity
Then you can use the command below to try to remove this SID from one of them:
Remove-MailboxPermission MailboxName -User "S-1-5-21-73586283-839522115-1185" -AccessRights FullAccess -Confirm:$false
If you can remove this SID from that mailbox, you can use the command below to batch-delete it:
Get-Mailbox -ResultSize Unlimited | where {$_.RecipientTypeDetails -eq "UserMailbox"} | Get-MailboxPermission | where {$_.User.ToString() -like "*S-1-5-21-73586283-839522115-1185*"} | Remove-MailboxPermission -User "S-1-5-21-73586283-839522115-1185" -AccessRights FullAccess -Confirm:$false
Regards,
Kyle Xu
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].
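The six-step procedure from the question, built on the batch command in the reply above, as an added example that is not part of the original thread. It is a PowerShell script meant to run in an Exchange Management Shell; the script name, the log path and the use of `$env:TEMP` are assumptions, and the SID is the one quoted in the thread. Two practitioner points the replies do not cover are built in: it refuses to run if the SID still resolves to a live account (so a typo cannot strip a real user), and it matches the SID exactly rather than with `-like "*SID*"`, because a wildcard on what is really a domain-SID prefix would match every principal from that domain.

```powershell
<#
Remove-OrphanedMailboxAce.ps1 (added example, not code from the thread)
Walks every user mailbox, removes whatever explicit rights an orphaned SID
holds on it, and logs each removal to a CSV for change tracking.
Assumes an Exchange Management Shell session. Script name and default log
path are assumptions. Do a dry run first:
  .\Remove-OrphanedMailboxAce.ps1 -OrphanedSid 'S-1-5-21-73586283-839522115-1185' -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$OrphanedSid,
    [string]$LogPath = "$env:TEMP\RemovedMailboxAces.csv"
)

# Safety check: refuse to run if the SID still resolves to a live account.
# Translate() throws IdentityNotMappedException only for a truly orphaned SID;
# any other outcome (resolves, or malformed SID) terminates the script.
try {
    $account = ([System.Security.Principal.SecurityIdentifier]$OrphanedSid).Translate(
        [System.Security.Principal.NTAccount])
    throw "SID $OrphanedSid still resolves to '$account'; it is not orphaned. Aborting."
} catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Verbose "SID $OrphanedSid does not resolve to any account; proceeding."
}

# Step 1: enumerate user mailboxes once. -ResultSize Unlimited lifts the default 1000 cap.
$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

$removed = foreach ($mbx in $mailboxes) {
    # Step 2: read the explicit (non-inherited) ACEs on this mailbox. Exact match on
    # the SID string, not -like '*SID*': a wildcard on a domain-SID prefix would match
    # every principal from that domain, not just the orphaned one.
    $aces = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and $_.User.ToString() -eq $OrphanedSid }

    # Step 3: remove each right the SID holds, however large or small, and record it.
    foreach ($ace in $aces) {
        $rights = ($ace.AccessRights | ForEach-Object { $_.ToString() }) -join ','
        if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Remove $rights held by $OrphanedSid")) {
            # Piping the ACE object lets Remove-MailboxPermission take the mailbox, user,
            # rights, inheritance type and allow/deny from the ACE itself.
            $ace | Remove-MailboxPermission -Confirm:$false
            [pscustomobject]@{
                Timestamp    = (Get-Date).ToString('o')
                Mailbox      = $mbx.PrimarySmtpAddress.ToString()
                User         = $ace.User.ToString()
                AccessRights = $rights
                Deny         = $ace.Deny
            }
        }
    }
    # Steps 4-5: the outer foreach moves on to the next mailbox until none remain.
}

# Step 6: write the change-tracking file and summarise what was removed.
if ($removed) {
    $removed | Export-Csv -Path $LogPath -NoTypeInformation
    Write-Output "Removed $(@($removed).Count) ACE(s); details written to $LogPath"
} else {
    Write-Output "No explicit ACEs for $OrphanedSid found on any user mailbox."
}
```

Run it with `-WhatIf` first: `ShouldProcess` then prints each mailbox and right it would touch without calling `Remove-MailboxPermission`, which gives the "complete list of what was removed" from step 6 before anything changes. Running without `-WhatIf` performs the removals and writes the same list to the CSV.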
Friday, September 6, 2019 9:55 AM
Hi,
I am writing here to confirm with you how things are going now.
If the above suggestion helps, please feel free to mark it as an answer to help more people.
Regards,
Kyle Xu