First let me explain the context of the issue. We had an exchange admin who over the years upgraded our exchange from 5.5 to 2000 to 2003. This person also had to occasionally add himself permissions to a mailbox in order to check on this or that and assist with issues, normal exchange admin stuff. This person decided to move onto another role inside the company, but now no longer should be an exchange admin. These permissions were removed sucessfully, and we then upgraded fully to Exchange 2007.
Later doing a full audit of mailbox permissions, we noticed that this person still had their "manually assingned mailbox rights" to about 50 users mailboxes. A simple powershell remove-mailboxpermission command and boom MOST of them were gone.
However some of them gave us a disturbing error:
Remove-MailboxPermission : Cannot remove ACE on object "CN=Mailbox.Name,OU=Resources,OU=Exchange,OU=Accounts,DC=Domain,DC=local
" for account "Domain\old.admin" because it is not present.
At line:1 char:25
After a VERY LONG call to Microsoft to just confirm we had an issue and i'm not a moron, they were completely out of ideas. I tried some vbscripts to "output" our permissions. One from this blog http://gsexdev.blogspot.com/2005/04/reverse-msexchmailboxsecuritydescripto.html was useful, but didn't quite get me there, Also modifying Greg's Script, I was able to remove permissions to msExchMailboxSecurityDescriptor (with this help http://msdn.microsoft.com/en-us/library/aa705958(VS.85).aspx), but unfortunatley this permission still existed inside of powershell and in reality. ADSI Edit had nothing that could help me, there simply wasn't a permission anywhere you can modify it. Microsoft suggested I add the permission back to the user, but I got the error the permission was already there. They also suggested I give the old IT user Domain admin permissions, shockingly that did nothing. They also said I should detach both the old IT admin's mailbox, and one of the mailboxes with the permissions, this also did nothing, once they were re-attached the permissions were still there.
Ultimately, I tried the easist thing in the world, which of course worked. I got on my old XP desktop with Exchange 2003 admin tools installed. This worked like a champ, went into the properties of the users who needed to be modified, went to "Exchange Advanced" then "Mailbox Rights" and removed the old IT admin from the permissions.
I personally consider this a bug with Exchange 2007 admin tools/powershell. but we'll see how Microsoft sees it.