Error when running Remove-Mailboxpermission

  • Thread starter Alexei Segundo
  • Start date Views 10,229
Status
Not open for further replies.
Alexei Segundo

This should be straightforward, but I can't seem to get it right.

I want to remove ExternalAccount permissions on a specific mailbox. Here's the command I use to confirm that the permission is present:

Get-MailboxPermission user1 -domaincontroller dc1.contoso.com | ? {$_.accessrights -like "*ExternalAccount*" }

Identity            User           AccessRights                                   IsInherited Deny
--------            ----           ------------                                   ----------- --
contoso.com/Use...  Contoso\User1  {FullAccess, ExternalAccount, ReadPermission}  False       False

All good so far. Now I just want to remove the ExternalAccount permission assigned to Contoso\User1. Here's the command:

Remove-MailboxPermission -Identity User1 -User "Contoso\User1" -AccessRights ExternalAccount -domaincontroller dc1.contoso.com

The above command generates the following error:

Remove-MailboxPermission : Can't remove the access control entry on the object "CN=User1,OU=User Objects,DC=contoso,DC=com" for account "Contoso\User1" because the ACE doesn't exist on the object.
At line:1 char:25
+ Remove-MailboxPermission <<<< -Identity User1 -User "User1" -AccessRights ExternalAccount -domaincontroller dc1.contoso.com
+ CategoryInfo : InvalidOperation: (0:Int32) [Remove-MailboxPermission], InvalidOperationException
+ FullyQualifiedErrorId : 78249DD3,Microsoft.Exchange.Management.RecipientTasks.RemoveMailboxPermission

Any thoughts on this?

Alexei
 
Michel de Rooij

Alexei Segundo

Hi Michel

Thanks very much - you were right on the money!

The ACE entries were pointing at the sIDHistory value, but were being displayed via get-mailboxpermission as the target domain account. Confusing!

Anyway, I now have a script that runs Remove-Mailboxpermission using the sIDHistory value for the -user parameter. Works like a charm.

Alexei
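
The cleanup described in the last post, as an added example that is not the poster's script (the thread does not show it). It assumes the Exchange Management Shell plus the ActiveDirectory module, assumes `-User` accepts a SID string as the post reports, and uses a hypothetical function name, `Remove-SidHistoryExternalAccount`; `user1` and `dc1.contoso.com` are the sample names from the thread.

```powershell
# Added example, not the poster's script. Requires the Exchange Management Shell
# and the ActiveDirectory (RSAT) module. The function name is hypothetical.
Import-Module ActiveDirectory

function Remove-SidHistoryExternalAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$DomainController
    )

    # Explicit (non-inherited) ACEs that carry the ExternalAccount right.
    $aces = Get-MailboxPermission -Identity $Mailbox -DomainController $DomainController |
        Where-Object { -not $_.IsInherited -and ($_.AccessRights -like '*ExternalAccount*') }

    foreach ($ace in $aces) {
        # Get-MailboxPermission shows the resolved account name, so look up
        # the SIDs that account carries in its sIDHistory attribute.
        $sam = ($ace.User.ToString() -split '\\')[-1]
        $adUser = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
            -Server $DomainController -Properties SIDHistory

        if (-not $adUser -or -not $adUser.SIDHistory) {
            Write-Verbose "No sIDHistory found for '$($ace.User)'; skipping."
            continue
        }

        foreach ($sid in $adUser.SIDHistory) {
            # A sIDHistory value that is not on the mailbox ACL produces the
            # same "ACE doesn't exist" error seen in the thread.
            if ($PSCmdlet.ShouldProcess($Mailbox, "Remove ExternalAccount for $($sid.Value)")) {
                Remove-MailboxPermission -Identity $Mailbox -User $sid.Value `
                    -AccessRights ExternalAccount `
                    -DomainController $DomainController -Confirm:$false
            }
        }
    }
}

# Preview first; drop -WhatIf to apply the change.
Remove-SidHistoryExternalAccount -Mailbox user1 -DomainController dc1.contoso.com -WhatIf
```

Re-running the `Get-MailboxPermission` filter from the first post afterwards confirms whether the ExternalAccount right is gone.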
 