Question
Saturday, July 30, 2011 8:36 PM
With Exchange 2010 if I look in the EMC at the Full Access and Send As permissions on some mailboxes I see invalid SIDs from where employees have left and their accounts deleted from AD.
Is there a way to programatically remove these from mailboxes?
Thanks.
All replies (8)
Sunday, July 31, 2011 8:55 AM ✅ Answered
Hi Paul,
Here is Get-MailboxPermission
http://technet.microsoft.com/en-us/library/aa998218.aspx
http://exchangepedia.com/2008/02/how-to-list-mailboxes-with-full-mailbox-access-permission-assigned.html
Here is Remove-MailboxPermission
http://smtp25.blogspot.com/2008/09/how-to-remove-mailbox-permissions-from.html
http://technet.microsoft.com/en-us/library/bb125153.aspx
http://www.exchange-powershell.com/2010/06/03/exchange-cannot-remove-ace-on-object-because-it-is-not-present/
BTW how many users do you have they having this Invalid SID?
Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com
Saturday, July 30, 2011 8:43 PM | 1 vote
Sure. Just enumerate the permissions using get-mailboxpermission, exclude any of them that are inherited, and then use a regex match to the SID pattern to find the ones that didn't resolve, and use remove-mailboxpermission to remove them.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Sunday, July 31, 2011 6:16 AM | 2 votes
Hi Paul,
Any update on the issue?
You can remove those unresolved/invalid SIDs from ADUC/Adsiedit.msc also: go to the user properties and security, and remove it.
Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com
Sunday, July 31, 2011 8:44 AM
The thing is with using ADSIEdit or EMC is that I need to look at each user to see which have invalid SIDs on them. It would be nice if there was a way to do this from EMS. I think that's what mjolinor is proposing but just that code example in isolation doesn't mean much to me, if anyone's able to expand upon it.
Sunday, July 31, 2011 9:28 AM
Thanks Gulab, that second Exchangepedia link is perfect.
I can use this EMS cmdlet to get a list of all mailboxes and permissions, and then just go through the file and see the accounts with invalid SIDs:
Get-Mailbox | Get-MailboxPermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | fl identity, user | Out-File c:\temp\perms.txt
Which gives this sort of output in perms.txt:
Identity : domain.com/Users/Disabled Users/Joe Bloggs
User : S-1-5-21-88542338-314144238-68360779-2163
Monday, April 16, 2012 6:59 PM
Here is the command I used to enumerate the orphaned SIDs in Exchange Management Shell:
Get-mailbox -resultsize unlimited | Get-MailboxPermission | where {$_.accessrights -eq "FullAccess" -and $_.user -like "S-1-5-21*"} | Select-object identity,user | export-csv UnresolvedSids.csv
Once you get the comma-separated file from ESM, open it in Excel and cull it of any that you don't want to remove (such as disabled users whose mailbox is within the deleted mailbox retention period). You can use Excel to insert columns at appropriate points and build a series of one-liners to remove the offending entries from the mailbox:
get-mailbox -identity <Identity parameter> | remove-mailboxpermission -user <User parameter> -accessrights "FullAccess"
Once the commands are built in Excel, save the .csv file and open it in Notepad (or just copy and paste). In Notepad use the editing tools to remove the commas and the cell formatting from Excel, copy the whole document and paste it into ESM.
Larry Baker
Wednesday, January 25, 2017 7:02 PM
Hi, I wrote this script to remove Orphaned SIDs.
https://gallery.technet.microsoft.com/office/Remove-Orphaned-SIDs-6415b021
Thursday, July 26, 2018 10:41 PM
Something like this:
Get-MailboxPermission -Identity [email protected] `
| ? {($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -ne $true) -and ($_.User -match "S-1-5")} `
| % {remove-mailboxpermission -Identity $_.Identity -User $_.User -AccessRights FullAccess}
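Pulling together Larry Baker's report-then-remove workflow and the one-liner above, here is an added PowerShell example that is not code from any poster in this thread. It goes one step further than the thread by also covering the Send As entries the question mentions (those live on the AD object, so they come from Get-ADPermission/Remove-ADPermission). It assumes the Exchange 2010 Management Shell is loaded; the report path and the -Remove switch are my own choices.

```powershell
# Added example: report, and only when -Remove is given clean up, non-inherited
# Full Access and Send-As entries whose principal no longer resolves (a raw SID).
param(
    [string]$ReportPath = "C:\temp\OrphanedSids.csv",  # assumed path, change as needed
    [switch]$Remove                                      # default run is report-only
)

# An unresolved principal renders as a bare domain SID such as S-1-5-21-...-2163.
$sidPattern = '^S-1-5-21(-\d+)+$'

$orphans = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Full Access: explicit (non-inherited) ACEs on the mailbox whose User is a raw SID
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and
                       $_.AccessRights -eq 'FullAccess' -and
                       "$($_.User)" -match $sidPattern } |
        ForEach-Object {
            New-Object PSObject -Property @{ Mailbox = "$($mbx.Identity)"; Right = 'FullAccess'; User = "$($_.User)" }
        }

    # Send As: an extended right on the AD object, so it is read with Get-ADPermission
    Get-ADPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and
                       $_.ExtendedRights -like '*Send-As*' -and
                       "$($_.User)" -match $sidPattern } |
        ForEach-Object {
            New-Object PSObject -Property @{ Mailbox = "$($mbx.Identity)"; Right = 'Send-As'; User = "$($_.User)" }
        }
}

# Always write the review file first; cull it (e.g. mailboxes still inside the
# deleted-mailbox retention window) before re-running with -Remove.
$orphans | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} orphaned entries written to {1}" -f @($orphans).Count, $ReportPath

if ($Remove) {
    foreach ($o in $orphans) {
        if ($o.Right -eq 'FullAccess') {
            Remove-MailboxPermission -Identity $o.Mailbox -User $o.User `
                -AccessRights FullAccess -Confirm:$false
        } else {
            Remove-ADPermission -Identity $o.Mailbox -User $o.User `
                -ExtendedRights 'Send-As' -Confirm:$false
        }
    }
}
```

Run it once without -Remove to get the CSV, review it, then run it again with -Remove; a SID that belongs to a still-valid account in a trusted domain that the shell cannot resolve would match the same pattern, which is why the review step is kept.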