Thursday, February 12, 2009

Removing Legacy Permissions from Pure Exchange 2007 Environment

First let me explain the context of the issue. We had an Exchange admin who over the years upgraded our Exchange from 5.5 to 2000 to 2003. This person also had to occasionally add permissions for himself to a mailbox in order to check on this or that and assist with issues, normal Exchange admin stuff. This person decided to move on to another role inside the company, and so should no longer be an Exchange admin. These permissions were removed successfully, and we then upgraded fully to Exchange 2007.
Later, doing a full audit of mailbox permissions, we noticed that this person still had their "manually assigned mailbox rights" to about 50 users' mailboxes. A simple PowerShell Remove-MailboxPermission command and boom, MOST of them were gone.
However some of them gave us a disturbing error:
========================================
Remove-MailboxPermission : Cannot remove ACE on object "CN=Mailbox.Name,OU=Resources,OU=Exchange,OU=Accounts,DC=Domain,DC=local
" for account "Domain\old.admin" because it is not present.
At line:1 char:25
========================================
After a VERY LONG call to Microsoft just to confirm we had an issue and I'm not a moron, they were completely out of ideas. I tried some VBScripts to "output" our permissions. One from this blog, http://gsexdev.blogspot.com/2005/04/reverse-msexchmailboxsecuritydescripto.html, was useful but didn't quite get me there. Also, by modifying Greg's script, I was able to remove the permissions from msExchMailboxSecurityDescriptor (with this help: http://msdn.microsoft.com/en-us/library/aa705958(VS.85).aspx), but unfortunately the permission still existed inside of PowerShell and in reality. ADSI Edit had nothing that could help me; there simply wasn't a permission anywhere that you could modify. Microsoft suggested I add the permission back to the user, but I got an error that the permission was already there. They also suggested I give the old IT user Domain Admin permissions; shockingly, that did nothing. They also said I should detach both the old IT admin's mailbox and one of the mailboxes with the permissions; this also did nothing, and once they were re-attached the permissions were still there.

Ultimately, I tried the easiest thing in the world, which of course worked. I got on my old XP desktop with the Exchange 2003 admin tools installed. This worked like a champ: I went into the properties of the users who needed to be modified, went to "Exchange Advanced", then "Mailbox Rights", and removed the old IT admin from the permissions.

I personally consider this a bug with the Exchange 2007 admin tools/PowerShell, but we'll see how Microsoft sees it.
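
The audit-and-remove pass described above, as an added example that is not from the original post: an Exchange Management Shell script that finds the account's explicit mailbox rights, attempts Remove-MailboxPermission on each, then reads the permission back and reports the mailboxes where it is still present, which are the ones that needed the Exchange 2003 tools here. The report path is an assumed name, and the script handles allow entries only.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
# $account is the account from the error above; $report is an assumed output path.
$account = 'Domain\old.admin'
$report  = 'C:\Temp\old-admin-mailbox-aces.csv'

# Audit: explicit (non-inherited) allow ACEs held by the account on any mailbox.
# @() keeps the result an array even when zero or one entry comes back.
$aces = @(Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $account |
    Where-Object { -not $_.IsInherited -and -not $_.Deny })

$results = @($aces | ForEach-Object {
    $ace = $_
    $removeErr = $null

    # Attempt the removal; collect any error instead of stopping the run.
    Remove-MailboxPermission -Identity $ace.Identity -User $account `
        -AccessRights $ace.AccessRights -Confirm:$false `
        -ErrorAction SilentlyContinue -ErrorVariable removeErr

    # Verify by reading the permission back rather than trusting the cmdlet.
    $left = @(Get-MailboxPermission -Identity $ace.Identity -User $account |
        Where-Object { -not $_.IsInherited -and -not $_.Deny })

    # One report row per mailbox ACE.
    $row = New-Object PSObject
    $row | Add-Member -MemberType NoteProperty -Name Mailbox      -Value "$($ace.Identity)"
    $row | Add-Member -MemberType NoteProperty -Name AccessRights -Value "$($ace.AccessRights)"
    $row | Add-Member -MemberType NoteProperty -Name StillPresent -Value ($left.Count -gt 0)
    $row | Add-Member -MemberType NoteProperty -Name Error        -Value "$removeErr"
    $row
})

# Full record for the audit file, plus an on-screen list of the leftovers.
$results | Export-Csv -Path $report -NoTypeInformation
$results | Where-Object { $_.StillPresent } |
    Format-Table Mailbox, AccessRights, Error -AutoSize
```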

5 comments:

Makram said...

Hello Brian,

I encounter the same issue with Remove-MailboxPermission, but in my case I do not have EMC 2003 installed, and when I install it, it does not show me the Exchange attribute.
Could you please inform me if you received any answer from Microsoft about this issue?

Thank you for your help

Brian Smith said...

The answer I received from Microsoft was to use the 2003 tools like I did. I think the tools have an "advanced" option somewhere. I have since uninstalled my machine with the 2003 tools, so I can't look and tell you exactly where, but that is the correct solution.
GOOD LUCK.

Makram said...

Thank you for the answer, Brian.

I'll try it this weekend.

Alexis said...

This morning I opened MS Exchange Server and was disappointed because all my data had been lost. My sorrow quickly ended because of one tool, which rescued me within minutes and proved that it can cope with any hopeless problem - recovery exchange 2003.

Chris said...

I've installed the 2003 tools but when I go to mailbox rights under Exchange Advanced I get an error saying the exchange information store is unavailable.