1. Here's a thread that needs an answer: Don't forward duplicate
    Dismiss Notice

Error when running Remove-Mailboxpermission

Discussion in 'Exchange Server Questions' started by Alexei Segundo, Jul 4, 2010.

  1. Alexei Segundo

    Alexei Segundo

    This should be straightforward, but I can't seem to get it right.

    I want to remove ExternalAccount permissions on a specific mailbox. Here's the command I use to confirm that the permission is present:

    Get-MailboxPermission user1 -domaincontroller dc1.contoso.com | ? {$_.accessrights -like " *ExternalAccount*" }

    Identity User AccessRights IsInherited Deny
    -------- ---- ------------ ----------- --
    contoso.com/Use... Contoso\User1 {FullAccess, ExternalAccount, ReadPermission} False False

    All good so far. Now I just want to remove the ExternalAccount permission assigned to Contoso\User1. Here's the command:

    Remove-MailboxPermission -Identity User1 -User " Contoso\User1" -AccessRights ExternalAccount -domaincontroller dc1.contoso.com

    The above command generates the following error:

    Remove-MailboxPermission : Can't remove the access control entry on the object " CN=User1,OU=User Objects,DC=contoso,DC=com" f
    or account " Contoso\User1" because the ACE doesn't exist on the object.
    At line:1 char:25
    + Remove-MailboxPermission <<<< -Identity User1 -User " User1" -AccessRights ExternalAccount -domaincontroller dc1.contoso.com
    + CategoryInfo : InvalidOperation: (0:Int32) [Remove-MailboxPermission], InvalidOperationException
    + FullyQualifiedErrorId : 78249DD3,Microsoft.Exchange.Management.RecipientTasks.RemoveMailboxPermission

    Any thoughts on this?

  2. Michel de Rooij

    Michel de Rooij

  3. Alexei Segundo

    Alexei Segundo

    Hi Michel

    Thanks very much - you were right on the money!

    The ACE entries were pointing at the sIDHistory value, but were being displayed via get-mailboxpermission as the target domain account. Confusing!

    Anyway, I now have a script that runs Remove-Mailboxpermission using the sIDHistory value for the -user parameter. Works like a charm.


Share This Page