tiras gans
Remove-MailboxFolderPermission not working
User gone and disabled. But still shows up in:
Get-MailboxFolderPermission -Identity user@user.com:\calendar
RunspaceId : f88acd62-6876-4345-ae18-87e1c7346861
FolderName : Calendar
User : NT User:DOMAIN\user
AccessRights : {Editor}
Identity : NT User:DOMAIN\user
IsValid : True
How can I completely remove it? I tried:
Remove-MailboxFolderPermission -Identity user@domain.com:\calendar -User user@domain.com
Gives me error:
The user "user@domain.com" is either not valid SMTP address, or there is no matching information.
+ CategoryInfo : NotSpecified: (0:Int32) [Remove-MailboxFolderPermission], InvalidExternalUserIdException
+ FullyQualifiedErrorId : FF534F1B,Microsoft.Exchange.Management.StoreTasks.RemoveMailboxFolderPermission
Should I ignore it since the user is gone and disabled in AD anyways?
ASKER
EMC only shows full Mailbox permissions. That user is not listed there.
It was only given permissions to the Calendar.
Hi Tiras25,
Which Exchange are you using?
Thanks,
D.
ASKER
2010. Sorry forgot to mention that.
Check to ensure the user is not assigned as a delegate with 'send on behalf' permissions. This will gum things up. If not, you will need to use ADSIEDIT to remove the attribute.
Ok, so the commands are -
Remove-MailboxFolderPermission <mailbox>:\Calendar -User <Mailbox-that-will-be-removed-from-Calendar-Permissions>
So this would look like - Remove-MailboxFolderPermission -identity John.Smith:\calendar -user Tom.Smith
So without @domain I think. You will need to type in name, in format that is defined on server.
Thanks,
D.
Grant yourself Owner access to the Calendar and then remove the disabled user through Outlook, much easier from a management perspective.
ASKER
[PS] C:\>Remove-MailboxFolderPermission mailbox:\Calendar -User name
Same thing:
Confirm
Are you sure you want to perform this action?
Removing mailbox folder permission on "mailbox:\Calendar" for user "first last".
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
There is no existing permission entry found for user: first last.
+ CategoryInfo : NotSpecified: (0:Int32) [Remove-MailboxFolderPermission], Use
xception
+ FullyQualifiedErrorId : FC30BDD4,Microsoft.Exchange.Management.StoreTasks.RemoveMailb
Once again ...
You will need to use ADSIEDIT to remove the attribute. Can you safely ignore it? Yes. If the user is gone and there are no traces of the user in AD, then it will not cause you issues.
I would do the same thing as VB_ITS said,
Would log in as admin/owner and go to Nav. pane, click Calendar, go to Properties, Permissions, check user and remove it. Easy... Right.
ASKER
Hmm, not really that easy. Need to know users' logins, or have a user nearby. Need to fire up another Outlook.
I still wonder why the EMS doesn't work. Always removes no problems until now...
Try the KB below, it might help you
https://www.experts-exchange.com/questions/27373981/Remove-permisions-to-a-calaendar.html
It may sound stupid, but are you using PowerShell in ELEVATED mode / run as ADMIN? If that is right, I guess you should be able to just type - Remove-MailboxFolderPermission -Identity dejan@homtail.com:\calendar -User quest-tiras@ee.com
Thanks,
D.
ASKER
Yes, Elevated doesn't help much. Same error.
The issue here is that there is no SID in AD for Exchange to reference. There will be a username in Exchange, but, when referenced against AD, it will not see the user, so it will not see a permission entry for that user, hence none will be displayed. Therefore, none of these methods will work. Unless you reanimate the tombstoned user (https://technet.microsoft.com/en-us/magazine/2007.09.tombstones.aspx) and/or restore it from the Active Directory Recycle Bin (need to be on at least a 2008 domain infrastructure level) you are going to beat your head against a wall trying to do this.
The other option is ADSIEDIT.
ASKER
The username is still in AD and the Exchange mailbox exists. Just disabled in AD. So there is a SID if the username is still there. It's not removed or deleted. Just disabled.
Hmm, not really that easy. Need to know users' logins, or have a user nearby. Need to fire up another Outlook.
Not necessarily.
- Grant your admin account full access to the mailbox through EMC/EMS
- Access the account through OWA using this URL: https://owa.company.com/owa/user@company.com
- Enter your admin account credentials if prompted (since we've granted it Full Access)
- Click on Calendar in the navigation pane
- Click on Share towards the top then Change Sharing Permissions...
- You should then be able to see the list of users who have access to the calendar. Highlight the unwanted entry and delete it
Just make sure you're using the OWA premium as opposed to OWA light. You'll need to use IE to do this.
Ah ok. The first line in your original post stated 'user gone and disabled'. I took that to mean deleted. Apologies for the misunderstanding.
In that case, I agree with VB_ITS as well.
ASKER
VB, yes just tried and it worked. Weird! I can swear I tried with other disabled users and it worked before. Not sure how it is different now.
Right, as I said, his way is easier...
Well, well done.
Well done indeed!
ASKER
Yeah. Just hate when it's still weird and unexplained. Should work with disabled account as well.
I remember that I had similar but not same problem with Exchange 2010, but I've migrated from 2007 to 2010, and after that it started...
I agree. However, if the user is a delegate with 'send on behalf' permissions, I have seen that cause issues in the past.
Alright, I can confirm that with a disabled account I wasn't able to add, set, or remove calendar permissions using EMS.
Here's the command I tried:
Add-MailboxFolderPermission -Identity user@company.com:\Calendar -User "Disabled User" -AccessRights Editor
Here's the error I received:
The user "Disabled User" was found in Active Directory but isn't valid to use for permissions. Try an SMTP address instead.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], InvalidInternalUserIdException
+ FullyQualifiedErrorId : 27431183,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
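An audit for the situation this thread describes, as an added example that is not from any poster: it lists calendar entries that EMS prints in the `NT User:DOMAIN\user` form and reports those whose AD account is disabled or absent. The function name `Get-StaleCalendarPermission` is hypothetical, and the script assumes the Exchange Management Shell, the ActiveDirectory module, and a single AD domain.

```powershell
# Added example (not from the thread). Assumes the Exchange Management Shell,
# the ActiveDirectory module, and a single AD domain.
Import-Module ActiveDirectory

function Get-StaleCalendarPermission {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Mailbox
    )
    foreach ($mbx in $Mailbox) {
        foreach ($entry in (Get-MailboxFolderPermission -Identity "${mbx}:\Calendar")) {
            # Entries that EMS prints as "NT User:DOMAIN\name", as in the
            # output quoted in this thread, carry the account name to look up.
            $shown = $entry.User.ToString()
            if ($shown -notmatch '^NT User:[^\\]+\\(?<sam>.+)$') { continue }

            # Escape single quotes so the name is safe inside the AD filter.
            $sam    = $Matches['sam'].Replace("'", "''")
            $adUser = Get-ADUser -Filter "SamAccountName -eq '$sam'"

            if (-not $adUser)             { $state = 'NotFoundInAD' }
            elseif (-not $adUser.Enabled) { $state = 'Disabled' }
            else                          { continue }   # active account, not stale

            # New-Object keeps this compatible with PowerShell 2.0.
            New-Object PSObject -Property @{
                Mailbox      = $mbx
                User         = $shown
                AccessRights = ($entry.AccessRights -join ',')
                AccountState = $state
            }
        }
    }
}

# Constructed placeholder address; substitute a real mailbox identity.
Get-StaleCalendarPermission -Mailbox 'user@company.com' |
    Format-Table Mailbox, User, AccessRights, AccountState -AutoSize
```

Entries it reports can then be removed through Outlook or OWA, the route that worked in this thread.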
ASKER
I see. I'll wait till I migrate to 2013 then :)
VB, were you also not able to remove from Outlook with the user account disabled?
I think he is able to remove it from Outlook.
And I've migrated to 2013 / No console, and etc. Had a rough time with 1st time.
Ah, I see. Thanks, Dejan.
Great catch VB!
ASKER
Thanks Roy!
Thanks guys.
And in reply to VB's last comment there is a link, with similar explanation which might help others with same or similar problem to understand it - link
Thanks to all once again.
Yessir. Thank you!
Tiras,
You're very welcome!
Likely, if you deleted the user through ADUC and not in Exchange (I usually disable mailboxes first and let it mark the user for deletion), then you will likely have to use ADSIEDIT to remove the attribute.
-Roy