Error when running Remove-MailboxPermission

  • Thread starter Alexei Segundo
Not open for further replies.

Alexei Segundo

This should be straightforward, but I can't seem to get it right.

I want to remove ExternalAccount permissions on a specific mailbox. Here's the command I use to confirm that the permission is present:

Get-MailboxPermission user1 -domaincontroller | ? {$_.accessrights -like "*ExternalAccount*" }

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- --
Contoso\User1 {FullAccess, ExternalAccount, ReadPermission} False False

All good so far. Now I just want to remove the ExternalAccount permission assigned to Contoso\User1. Here's the command:

Remove-MailboxPermission -Identity User1 -User "Contoso\User1" -AccessRights ExternalAccount -domaincontroller

The above command generates the following error:

Remove-MailboxPermission : Can't remove the access control entry on the object "CN=User1,OU=User Objects,DC=contoso,DC=com" for account "Contoso\User1" because the ACE doesn't exist on the object.
At line:1 char:25
+ Remove-MailboxPermission <<<< -Identity User1 -User "User1" -AccessRights ExternalAccount -domaincontroller
    + CategoryInfo : InvalidOperation: (0:Int32) [Remove-MailboxPermission], InvalidOperationException
    + FullyQualifiedErrorId : 78249DD3,Microsoft.Exchange.Management.RecipientTasks.RemoveMailboxPermission

Any thoughts on this?


Michel de Rooij


Alexei Segundo

Hi Michel

Thanks very much - you were right on the money!

The ACE entries were pointing at the sIDHistory value, but were being displayed via Get-MailboxPermission as the target domain account. Confusing!

Anyway, I now have a script that runs Remove-MailboxPermission using the sIDHistory value for the -User parameter. Works like a charm.
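
The resolution described in this thread, sketched as an added example; it is not Alexei's script and not part of the original posts. It assumes the Exchange Management Shell with the ActiveDirectory module available, that `User1` is the account's sAMAccountName, and uses a hypothetical `$previewOnly` switch so the first run only reports what would be removed.

```powershell
# Added example (not from the thread). Assumptions: Exchange Management Shell,
# ActiveDirectory module installed, 'User1' is the sAMAccountName of the mailbox owner.
Import-Module ActiveDirectory

$mailbox     = 'User1'            # mailbox from the thread
$right       = 'ExternalAccount'  # access right to strip
$previewOnly = $true              # hypothetical switch: set to $false to actually remove

# After a cross-domain migration the mailbox ACE can still reference the account's
# old SID. That SID is kept in sIDHistory, and name resolution shows it as the new
# account, which is why removing by "Contoso\User1" reports that the ACE doesn't exist.
$adUser = Get-ADUser -Identity $mailbox -Properties SIDHistory

if (-not $adUser.SIDHistory) {
    Write-Warning "$mailbox has no sIDHistory values; the ACE is not a migrated SID."
}
else {
    foreach ($sid in $adUser.SIDHistory) {
        try {
            # Pass the raw SID string so Exchange matches the ACE as stored,
            # not the name it resolves to.
            Remove-MailboxPermission -Identity $mailbox -User $sid.Value `
                -AccessRights $right -Confirm:$false -WhatIf:$previewOnly `
                -ErrorAction Stop
            Write-Output "Processed $right ACE for SID $($sid.Value) (preview: $previewOnly)"
        }
        catch {
            # An account can carry several sIDHistory entries; not all will have an ACE.
            Write-Warning "SID $($sid.Value): $($_.Exception.Message)"
        }
    }
}

# Re-check: no output here means no ACE with ExternalAccount remains on the mailbox.
Get-MailboxPermission -Identity $mailbox |
    Where-Object { $_.AccessRights -like "*$right*" }
```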
