Question
Wednesday, August 21, 2019 3:11 PM
Hello Everyone,
As always I assigned Full Access, Send on Behalf and/or Send As on certain mailboxes.
However I noticed if the account is not removed from these permissions, and the account is moved into our child domain, it is orphaned. When I remove the access permissions I either get an error or when I re-open the properties it is still listed.
For example, I have a mailbox named [email protected] and I assign [email protected] to have Full Permissions.
Then later I move user1 from the contoso.com domain to the child.contoso.com domain using the move-adobject cmdlet. However if the full access permissions are not removed from the mailbox first it is orphaned on the account.
Unfortunately I cannot move the account back to the parent domain as I cannot disrupt the user1 account.
Steps taken have been:
Open Registration AD account Attribute Editor and remove the User1 account from the msExchDelegateListLink Attribute. When I do this I see on the User1 Attribute Editor the Registration AD account is removed from the msExchDelegateListBL Attribute. However it is still listed in Full Permissions on the Exchange mailbox properties.
If I remove the account from the msExchDelegateListLink then go and look in the account properties via ADSI it looks correct.
Any ideas how to remove these orphaned permissions?
Thanks!
All replies (3)
Thursday, August 22, 2019 2:46 AM ✅ Answered
Hi igibason,
After removing the User1 account from the msExchDelegateListLink attribute in ADSI Edit, try to remove it from the mailbox delegation page in EAC. What happens?
Moreover, you can also try the following command and check whether it helps:
Remove-MailboxPermission -User "the SID of User1" -Identity Registration -AccessRights FullAccess
Best Regards,
Niko Cheng
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, August 28, 2019 2:34 PM
Thanks again for the cmd. This does seem to be working successfully on the FullAccess.
However I see that I have some other accounts that are orphaned on Exchange 2013 Shared mailboxes. I can run the cmdlet you referenced above to remove the FullAccess however I cannot seem to get the SendAs permissions removed.
I have tried the following cmdlets.
Get-Mailbox "mailboxname" | Remove-ADPermission -User "SID of User" -ExtendedRights "Send As"
Get-Mailbox "mailboxname" | Remove-ADPermission -User "SIDHistory of User" -ExtendedRights "Send As"
Get-Mailbox "mailboxname" | Remove-ADPermission -User "domain\user" -ExtendedRights "Send As"
Remove-MailboxPermission -Identity "mailboxname" -User "SID, SIDHistory, domain\user" -AccessRights FullAccess -InheritanceType All
Anything else I can try?
Thursday, August 29, 2019 8:50 AM
Hi igibason,
You can try to remove the Send As permission by using the ADSI Edit tool and check whether it helps.
Like below:
Find the User > Properties > Security > the account that has the Send As permission > Uncheck > Apply
Best Regards,
Niko Cheng
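An added example, not part of the original thread: a way to list the orphaned entries discussed above before removing anything. It assumes unresolved trustees are displayed as raw SID strings; `Select-OrphanedAce` and the sample objects are hypothetical names and constructed data. FullAccess removal uses the command from the accepted answer with `-WhatIf`, and Send As entries are only reported so they can be cleared on the Security tab in ADSI Edit as suggested in the last reply.

```powershell
# Added example. A trustee that no longer resolves is shown as a raw domain SID.
$SidPattern = '^S-1-5-21(-\d+){4}$'

function Select-OrphanedAce {
    # Keeps explicit (non-inherited) entries that grant $Right to an unresolved SID.
    param(
        [Parameter(ValueFromPipeline)]$Ace,
        [Parameter(Mandatory)][string]$Right      # 'FullAccess' or 'Send-As'
    )
    process {
        $rights = @($Ace.AccessRights) + @($Ace.ExtendedRights) | ForEach-Object { "$_" }
        $hasRight = [bool]($rights -like "*$Right*")
        if (-not $Ace.IsInherited -and $hasRight -and "$($Ace.User)" -match $SidPattern) {
            $Ace
        }
    }
}

# Constructed sample entries (not real data) so the filter can be tried offline.
$orphanSid = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
$sample = @(
    [pscustomobject]@{ User = 'CONTOSO\user2';     AccessRights = @('FullAccess');    ExtendedRights = $null;        IsInherited = $false }
    [pscustomobject]@{ User = $orphanSid;          AccessRights = @('FullAccess');    ExtendedRights = $null;        IsInherited = $false }
    [pscustomobject]@{ User = $orphanSid;          AccessRights = @('ExtendedRight'); ExtendedRights = @('Send-As'); IsInherited = $false }
    [pscustomobject]@{ User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess');    ExtendedRights = $null;        IsInherited = $false }
)
$sample | Select-OrphanedAce -Right 'FullAccess' | Format-Table User, AccessRights
$sample | Select-OrphanedAce -Right 'Send-As'    | Format-Table User, ExtendedRights

# Live use: only runs where the Exchange cmdlets are loaded (Exchange Management Shell).
if (Get-Command Get-MailboxPermission -ErrorAction SilentlyContinue) {
    $mbx = 'Registration'   # mailbox name taken from the thread

    # FullAccess: preview the removal by SID; drop -WhatIf once the list looks right.
    Get-MailboxPermission -Identity $mbx |
        Select-OrphanedAce -Right 'FullAccess' |
        ForEach-Object {
            Remove-MailboxPermission -Identity $mbx -User "$($_.User)" -AccessRights FullAccess -WhatIf
        }

    # Send As: report only; these live in the AD object's security descriptor.
    Get-Mailbox -Identity $mbx | Get-ADPermission |
        Select-OrphanedAce -Right 'Send-As' |
        Select-Object User, ExtendedRights
}
```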