Remove-MailboxPermission remove completely rather than changing to deny

  • Thread starter Grubsy
Status
Not open for further replies.

Grubsy

I would like to completely remove an entry from the MailboxPermissions.

I've tried the following command, but it seems to just change the Deny to True:

Remove-MailboxPermission -Identity 'DOMAIN\user1' -User 'DOMAIN\user1' -AccessRights FullAccess -InheritanceType all

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ------------- --
domain.local... DOMAIN\user1 {FullAccess} False True

I added my own user account to "Manage Full Access Permission" via the EMC to my mailbox. This did one thing that I was hoping: it made my Online Archive show up in Outlook 2010. The downside was I had my mailbox folders listed twice. So I tried removing the account and then I didn't have access to my mailbox at all. I've compared the default permissions of another mailbox to mine and the above line is the only difference. I'm guessing this is what is denying me access. I believe the line below gives me the permissions I need:

domain.local... NT AUTHORITY\SELF {FullAccess, ReadPermission} False False

Cheers
 

Grubsy

Can I possibly just copy the permissions from another mailbox?

The only permission listed different from a newly created mailbox is now:

domain.local/... DOMAIN\user1 {FullAccess, ReadPermission} False False

Currently I can use my email via OWA. Outlook doesn't seem to have access to update my mailbox.

Update: I've just re-created my Outlook profile and it is now working. I do have my mailbox listed twice and my online archive is also visible.

I've also noticed all mailboxes have 2 entries:

domain.local/... DOMAIN\user1 {FullAccess} True True

domain.local/... DOMAIN\user1 {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True False

Is this because my account (user1) is a member of a certain group? Maybe Enterprise Admins?
 

Grubsy

Any suggestions? I currently still have the following when I open Outlook:

user1@domain.com

Online Archive - User1 Lastname

User1 Lastname

I'm happy to just go back to how it was before with only user1@domain.com visible as I can view the Online Archive via OWA if needed.

Thanks
 

Gulab Mallah

Check in ADUC if you see Inheritance is blocked on your account or what?

If yes, then check the box and try to access your mailbox, and let us know if you still see two mailboxes in Outlook or OWA.

-Gulab
 

Grubsy

Hi Gulab,

I found this the other day actually when I couldn't get my iPhone to connect properly. I briefly allowed the inheritance and then removed it again and this fixed the iPhone issue. I will leave it enabled now and see what happens.
I still find this part strange also:

> I've also noticed all mailboxes have 2 entries:

> domain.local/... DOMAIN\user1 {FullAccess} True True

> domain.local/... DOMAIN\user1 {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True False

I'm trying to work out where they are inheriting these permissions from. Maybe the mail store itself? How do I check this?

Thanks
 

Grubsy

Looks to have worked. I now only see user1@domain.com & Online Archive - User1 Lastname in Outlook.

I think these permissions might be doing something funny now:

> domain.local/... DOMAIN\user1 {FullAccess} True True

> domain.local/... DOMAIN\user1 {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True False

I have 2 mailboxes & their online archives listed in Outlook & I can open them, even though I have removed my access to them. I'm guessing the 2 permissions above that all mailboxes are inheriting are giving me access?

How can I find out where they are inheriting the permissions from?
 

Gulab Mallah

You can check the same thing on the Mailbox Database, but that will be from adsiedit.msc.
You can check the permissions on all the objects from adsiedit.msc.

Cheers,
-Gulab
 

Grubsy

Hi Gulab, where do I find the Mailbox Database in ADSI Edit?

Thanks
 

Gulab Mallah

Configuration--->Service-->Microsoft Exchange--->My ORG Name...>Administrative Group...>Exchange Admin Group...>Database

Don't forget to Mark as Answer...LOL

Cheers,
-Gulab
 

Grubsy

Do you know how to do what I asked in the initial question? ;) i.e. I would like to completely remove an entry from the MailboxPermissions rather than changing it to deny?
 

Grubsy

> domain.local/... DOMAIN\user1 {FullAccess} True True

> domain.local/... DOMAIN\user1 {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True False

This is now fixed.

> Configuration--->Service-->Microsoft Exchange--->My ORG Name...>Administrative Group...>Exchange Admin Group...>Database

I found my user account was added to 'Microsoft Exchange' with full access. After removing it from there I also found it was added to 'My ORG Name' with Deny Receive As & Deny Send As. I removed this and now all the mailboxes no longer have the 2 permissions above.
 

Grubsy

If I run Get-MailboxPermission -Identity user1, it still has a permission I would like to remove.

domain.local/... NT AUTHORITY\SELF {FullAccess, ReadPermission} False False
domain.local/... DOMAIN\user1 {FullAccess, ReadPermission} False False <- this one

Cheers
 

Grubsy

I've run a couple of Remove-MailboxPermission commands and have now been able to remove the permission above. I guess because it was inheriting permissions before, it was preventing me from removing it completely.
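
An added example, not part of the original thread: one way to review a mailbox's entries for a single user and remove only the explicit ones (Allow or Deny), leaving inherited entries to be fixed at their source as the thread did in ADSI Edit. The function name Remove-ExplicitMailboxAce is hypothetical, 'user1' and 'DOMAIN\user1' are the thread's placeholders, and comparing Deny as a string is an assumption made so the check does not depend on the property's type.

```powershell
# Added example (hypothetical helper, not from the thread).
# Run in the Exchange Management Shell with rights to manage mailbox permissions.
function Remove-ExplicitMailboxAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$User
    )

    # All entries on this mailbox that name the given user.
    $aces = @(Get-MailboxPermission -Identity $Mailbox -User $User)

    # Inherited entries come from a parent object (database or organization
    # container in the thread), so they are only reported here.
    $aces | Where-Object { $_.IsInherited } | ForEach-Object {
        Write-Warning ("Inherited entry left in place (Deny={0}): {1}" -f
            $_.Deny, ($_.AccessRights -join ', '))
    }

    # Explicit entries are removed one by one with the same rights they carry.
    foreach ($ace in ($aces | Where-Object { -not $_.IsInherited })) {
        $params = @{
            Identity        = $Mailbox
            User            = $User
            AccessRights    = $ace.AccessRights
            InheritanceType = 'All'
            Confirm         = $false
        }
        # A Deny entry is only removed when -Deny is passed.
        # String comparison is an assumption about how Deny is returned.
        if ("$($ace.Deny)" -eq 'True') { $params['Deny'] = $true }

        if ($PSCmdlet.ShouldProcess($Mailbox, "Remove explicit entry for $User")) {
            Remove-MailboxPermission @params
        }
    }

    # Show what is left so the result can be compared with a clean mailbox.
    Get-MailboxPermission -Identity $Mailbox -User $User |
        Select-Object User, AccessRights, IsInherited, Deny
}

# Dry run first: -WhatIf reports the removals without making them.
Remove-ExplicitMailboxAce -Mailbox 'user1' -User 'DOMAIN\user1' -WhatIf
```

Any inherited entry still listed after the run points to a grant higher up, which is what the thread traced to the 'Microsoft Exchange' and 'My ORG Name' objects.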
 