mullenm
asked on
Exchange 2007 unable to remove some users with "FullAccess" from a few Mailboxes
In the Exchange Management Console, in the "Manage Full Access Permission" Wizard, I have a few users with a question mark next to their logo. I couldn't find out what it means but I suppose it is linked to my problem. When I try to remove these users from the mailbox I get following message:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
FREU\PorrasD
Failed
Error:
Cannot remove ACE on object "CN=FRIB-Roboguide,OU=Dumm y,OU=Users AndCompute rs,OU=FRIB ,OU=ALL SUBS,DC=fanucrobotics,DC=e u" for account "FREU\PorrasD" because it is not present.
Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity 'CN=FRIB-Roboguide,OU=Dumm y,OU=Users AndCompute rs,OU=FRIB ,OU=ALL SUBS,DC=fanucrobotics,DC=e u' -User 'FREU\PorrasD' -InheritanceType 'All' -AccessRights 'FullAccess'
Elapsed Time: 00:00:00
or in EMS
Get-MailboxPermission -identity "FRIB-Roboguide" | where {$_.User -match "Porras"} | select *
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : FREU\PorrasD
Identity : fanucrobotics.eu/ALL SUBS/FRIB/UsersAndComputer s/Dummy/FR IB-Robogui de
IsInherited : False
IsValid : True
ObjectState : Unchanged
remove-MailboxPermission -identity "FRIB-Roboguide" -user "PorrasD" -accessrights fullaccess
Confirm
Are you sure you want to perform this action?
Removing mailbox permission "FRIB-Roboguide" for user "PorrasD" with access rights "'FullAccess'".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
Remove-MailboxPermission : Cannot remove ACE on object "CN=FRIB-Roboguide,OU=Dumm y,OU=Users AndCompute rs,OU=FRIB ,OU=ALL SUBS,DC=fanucrobotics,DC=e u" f
or account "FREU\PorrasD" because it is not present.
At line:1 char:25
+ remove-MailboxPermission <<<< -identity "FRIB-Roboguide" -user "PorrasD" -accessrights fullaccess
Any Idea will be welcome
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
FREU\PorrasD
Failed
Error:
Cannot remove ACE on object "CN=FRIB-Roboguide,OU=Dumm
Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity 'CN=FRIB-Roboguide,OU=Dumm
Elapsed Time: 00:00:00
or in EMS
Get-MailboxPermission -identity "FRIB-Roboguide" | where {$_.User -match "Porras"} | select *
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : FREU\PorrasD
Identity : fanucrobotics.eu/ALL SUBS/FRIB/UsersAndComputer
IsInherited : False
IsValid : True
ObjectState : Unchanged
remove-MailboxPermission -identity "FRIB-Roboguide" -user "PorrasD" -accessrights fullaccess
Confirm
Are you sure you want to perform this action?
Removing mailbox permission "FRIB-Roboguide" for user "PorrasD" with access rights "'FullAccess'".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
Remove-MailboxPermission : Cannot remove ACE on object "CN=FRIB-Roboguide,OU=Dumm
or account "FREU\PorrasD" because it is not present.
At line:1 char:25
+ remove-MailboxPermission <<<< -identity "FRIB-Roboguide" -user "PorrasD" -accessrights fullaccess
Any Idea will be welcome
ASKER
Hi !
Yes I see the user, it is a shared mailbox and it is disabled.
Just in case:
If I go to the EMC, under "Manager Full Access Permissions," I can add "PorrasD" a second time, checking in EMS both users have the same rights and even look the same, but I can only remove the one which has no question mark in the EMC even if I remove it with EMS, same stuff !
Funny hey ?!
Legend:
EMC: Exchange Management Console
EMS: Exchange Management Shell
Yes I see the user, it is a shared mailbox and it is disabled.
Just in case:
If I go to the EMC, under "Manager Full Access Permissions," I can add "PorrasD" a second time, checking in EMS both users have the same rights and even look the same, but I can only remove the one which has no question mark in the EMC even if I remove it with EMS, same stuff !
Funny hey ?!
Legend:
EMC: Exchange Management Console
EMS: Exchange Management Shell
Humm please enable and try removing it would work....
Why it shows a ? could be because the AD account is disabled and it cannot read or function with its ACL's.
ASKER
Already tried that ;)
A shared Mailbox is disabled by default, and as I mentioned before I can add and remove some other account, even the same once; the nly once making problem are the one with the (?) next to their names.
See attached a picture to clarify that (?) story.
A shared Mailbox is disabled by default, and as I mentioned before I can add and remove some other account, even the same once; the nly once making problem are the one with the (?) next to their names.
See attached a picture to clarify that (?) story.
Could you show me the Screeshot ?
Is this issue with one mailbox or multiple ?
ASKER
Here the user is there once with a (?)
ManageFullAccess27-05-2009-15-27.png
ManageFullAccess27-05-2009-15-27.png
ASKER
And here the user is there twice, but the only one I can remove is the on without (?)
ManageFullAccess27-05-2009-15-58.png
ManageFullAccess27-05-2009-15-58.png
How many mailbox have this issue ?
ASKER
@Rancy
I have that with a few mailboxes even with user mailboxes.
The system has been migrated before my time from a Exchange 2003 distributed to Exchange 2007 centralized environement.
I have that with a few mailboxes even with user mailboxes.
The system has been migrated before my time from a Exchange 2003 distributed to Exchange 2007 centralized environement.
ASKER
Difficult to say !
I am working on removing the rights to users from the mailboxes and setting them to group rights.
From 10 I transformed yesterday 6 have that problem.
And there are at least 55 left ... !
I am working on removing the rights to users from the mailboxes and setting them to group rights.
From 10 I transformed yesterday 6 have that problem.
And there are at least 55 left ... !
The reason i asked was that we could Disable a mailbox (meaning that we would disconnect a mailbox and AD account) and then again reconnect.
Humm can you verify the same on the old server and in the ADUC on the user properties you would see Exchange tab and also the Mailbox Rights button.
Also would like to know if this TrabalD and PorrasD has been moved to the Exchange 2007 ?
Also would like to know if this TrabalD and PorrasD has been moved to the Exchange 2007 ?
ASKER
No I cannot verify it on the old Servers because they're gone... (since summer 2007 - long before my time)
TrabalD & PorrasD as well as FRIB-Roboguide have been moved from 2003 -> 2007
In ADUC there's no TrabalD and no PorrasD in the security tab...
AD-Security27-05-2009-16-17-52.png
TrabalD & PorrasD as well as FRIB-Roboguide have been moved from 2003 -> 2007
In ADUC there's no TrabalD and no PorrasD in the security tab...
AD-Security27-05-2009-16-17-52.png
We are looking at the security tab .... can you try enabling the Advance features and check ...
Exchange Advance -> Mailbox Rights if we see the exchange tabs after enabling Advance Features.
Exchange Advance -> Mailbox Rights if we see the exchange tabs after enabling Advance Features.
ASKER
... If the "Security Tab" is visible.... the advanced features are enabled....
No exchange 2003... no Exchange advance Tab...
Sorry.
No exchange 2003... no Exchange advance Tab...
Sorry.
ASKER
Here is what I can deliver about rights on that Mailbox:
Get-ADPermission -identity "FRIB-Roboguide" | select user, accessrights, IsInherited
User AccessRights IsInherited
---- ------------ -----------
NT AUTHORITY\SELF {GenericRead} False
NT AUTHORITY\Authenticated Users {ReadControl} False
NT AUTHORITY\SYSTEM {GenericAll} False
S-1-5-32-548 {GenericAll} False
FREU\Domain Admins {GenericAll} False
Everyone {ExtendedRight} False
NT AUTHORITY\SELF {ReadProperty, WriteProperty} False
NT AUTHORITY\SELF {ExtendedRight} False
NT AUTHORITY\SELF {ReadProperty, WriteProperty} False
NT AUTHORITY\SELF {ExtendedRight} False
NT AUTHORITY\SELF {ExtendedRight} False
NT AUTHORITY\SELF {ReadProperty, WriteProperty} False
NT AUTHORITY\Authenticated Users {ReadProperty} False
NT AUTHORITY\Authenticated Users {ReadProperty} False
NT AUTHORITY\Authenticated Users {ReadProperty} False
NT AUTHORITY\Authenticated Users {ReadProperty} False
S-1-5-32-560 {ReadProperty} False
S-1-5-32-561 {ReadProperty, WriteProperty} False
FREU\Cert Publishers {ReadProperty, WriteProperty} False
FREU\RAS and IAS Servers {ReadProperty} False
FREU\RAS and IAS Servers {ReadProperty} False
FREU\RAS and IAS Servers {ReadProperty} False
FREU\RAS and IAS Servers {ReadProperty} False
FREU\MB-Roboguide@fanucrob otics.XX-S endAs {ExtendedRight} False
S-1-5-32-554 {ReadProperty} True
S-1-5-32-554 {ReadProperty} True
S-1-5-32-554 {ReadProperty} True
FREU\Exchange Servers {ExtendedRight} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {GenericAll} True
FREU\Exchange Servers {WriteDacl} True
FREU\Exchange Enterprise Servers {GenericRead} True
FREU\Exchange Enterprise Servers {GenericRead} True
FREU\Exchange Enterprise Servers {GenericRead, WriteDacl} True
S-1-5-32-554 {GenericRead} True
S-1-5-32-554 {GenericRead} True
NT AUTHORITY\NETWORK SERVICE {ReadProperty} True
NT AUTHORITY\Authenticated Users {ReadProperty} True
NT AUTHORITY\SELF {ReadProperty, WriteProperty, ExtendedRight} True
FREU\Exchange Enterprise Servers {ListChildren} True
FREU\Exchange Recipient Administrators {GenericRead} True
FREU\Enterprise Admins {GenericAll} True
S-1-5-32-554 {ListChildren} True
BUILTIN\Administrators {CreateChild, Self, WriteProperty, ExtendedRig... True
Get-ADPermission -identity "FRIB-Roboguide" | select user, accessrights, IsInherited
User AccessRights IsInherited
---- ------------ -----------
NT AUTHORITY\SELF {GenericRead} False
NT AUTHORITY\Authenticated Users {ReadControl} False
NT AUTHORITY\SYSTEM {GenericAll} False
S-1-5-32-548 {GenericAll} False
FREU\Domain Admins {GenericAll} False
Everyone {ExtendedRight} False
NT AUTHORITY\SELF {ReadProperty, WriteProperty} False
NT AUTHORITY\SELF {ExtendedRight} False
NT AUTHORITY\SELF {ReadProperty, WriteProperty} False
NT AUTHORITY\SELF {ExtendedRight} False
NT AUTHORITY\SELF {ExtendedRight} False
NT AUTHORITY\SELF {ReadProperty, WriteProperty} False
NT AUTHORITY\Authenticated Users {ReadProperty} False
NT AUTHORITY\Authenticated Users {ReadProperty} False
NT AUTHORITY\Authenticated Users {ReadProperty} False
NT AUTHORITY\Authenticated Users {ReadProperty} False
S-1-5-32-560 {ReadProperty} False
S-1-5-32-561 {ReadProperty, WriteProperty} False
FREU\Cert Publishers {ReadProperty, WriteProperty} False
FREU\RAS and IAS Servers {ReadProperty} False
FREU\RAS and IAS Servers {ReadProperty} False
FREU\RAS and IAS Servers {ReadProperty} False
FREU\RAS and IAS Servers {ReadProperty} False
FREU\MB-Roboguide@fanucrob
S-1-5-32-554 {ReadProperty} True
S-1-5-32-554 {ReadProperty} True
S-1-5-32-554 {ReadProperty} True
FREU\Exchange Servers {ExtendedRight} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Servers {ReadProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Enterprise Servers {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Servers {WriteProperty} True
FREU\Exchange Recipient Administrators {WriteProperty} True
FREU\Exchange Recipient Administrators {GenericAll} True
FREU\Exchange Servers {WriteDacl} True
FREU\Exchange Enterprise Servers {GenericRead} True
FREU\Exchange Enterprise Servers {GenericRead} True
FREU\Exchange Enterprise Servers {GenericRead, WriteDacl} True
S-1-5-32-554 {GenericRead} True
S-1-5-32-554 {GenericRead} True
NT AUTHORITY\NETWORK SERVICE {ReadProperty} True
NT AUTHORITY\Authenticated Users {ReadProperty} True
NT AUTHORITY\SELF {ReadProperty, WriteProperty, ExtendedRight} True
FREU\Exchange Enterprise Servers {ListChildren} True
FREU\Exchange Recipient Administrators {GenericRead} True
FREU\Enterprise Admins {GenericAll} True
S-1-5-32-554 {ListChildren} True
BUILTIN\Administrators {CreateChild, Self, WriteProperty, ExtendedRig... True
Is it possible to try the task of
Disabling a mailbox in EMC and the again reconnect, but before that is the AD replication fine ?
Disabling a mailbox in EMC and the again reconnect, but before that is the AD replication fine ?
ASKER
or here:
Where PorrasD and TrabalD are visible (PorrasD even twice because I didn't remove him since before)
Get-MailboxPermission -Identity "FRIB-Roboguide" | select User,accessrights,isinheri ted
User AccessRights IsInherited
---- ------------ -----------
S-1-5-21-139397343-1590167 473-158656 3796-1980 {FullAccess} False
S-1-5-21-139397343-1590167 473-158656 3796-1981 {FullAccess} False
S-1-5-21-1002702033-524385 39-1757479 407-2039 {FullAccess} False
S-1-5-21-1002702033-524385 39-1757479 407-2040 {FullAccess} False
S-1-5-21-1234049153-625218 297-134991 6565-1232 {FullAccess} False
S-1-5-21-1234049153-625218 297-134991 6565-1236 {FullAccess} False
S-1-5-21-1431704460-153839 8515-31255 2118-1256 {FullAccess} False
S-1-5-21-1431704460-153839 8515-31255 2118-1257 {FullAccess} False
S-1-5-21-1702326730-129303 6005-73224 7886-1542 {FullAccess} False
S-1-5-21-1702326730-129303 6005-73224 7886-1543 {FullAccess} False
S-1-5-21-2061765030-123239 789-184493 6127-1283 {FullAccess} False
S-1-5-21-2061765030-123239 789-184493 6127-1284 {FullAccess} False
NT AUTHORITY\SELF {FullAccess, SendAs, ExternalAccount, ReadPerm... False
FREU\PorrasD {FullAccess} False
FREU\MB-Roboguide@fanucrob otics.es {FullAccess} False
FREU\TrabalD {FullAccess} False
FREU\PorrasD {FullAccess} False
FREU\sys_frde-xprexcon {FullAccess} True
FREU\KeuperS {FullAccess} True
FREU\XMAIL$ {ReadPermission} True
FREU\KeuperS {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Exchange Servers {FullAccess} True
FREU\Exchange Domain Servers {FullAccess} True
FREU\Domain Admins {FullAccess} True
FREU\Enterprise Admins {FullAccess} True
FREU\Exchange Organization Administrators {FullAccess} True
FREU\RENNEBERG {FullAccess} True
FREU\Administrator {FullAccess} True
FREU\Exchange Servers {FullAccess} True
S-1-5-21-1234049153-625218 297-134991 6565-1232 {FullAccess} True
S-1-5-21-1431704460-153839 8515-31255 2118-1256 {FullAccess} True
S-1-5-21-2061765030-123239 789-184493 6127-1283 {FullAccess} True
S-1-5-21-1702326730-129303 6005-73224 7886-1542 {FullAccess} True
S-1-5-21-1002702033-524385 39-1757479 407-2039 {FullAccess} True
S-1-5-21-139397343-1590167 473-158656 3796-1980 {FullAccess} True
FREU\Exchange Domain Servers {FullAccess} True
S-1-5-21-1234049153-625218 297-134991 6565-512 {ReadPermission} True
S-1-5-21-1234049153-625218 297-134991 6565-500 {ReadPermission} True
S-1-5-21-1431704460-153839 8515-31255 2118-512 {ReadPermission} True
S-1-5-21-1431704460-153839 8515-31255 2118-500 {ReadPermission} True
S-1-5-21-1702326730-129303 6005-73224 7886-512 {ReadPermission} True
S-1-5-21-1702326730-129303 6005-73224 7886-500 {ReadPermission} True
S-1-5-21-1002702033-524385 39-1757479 407-512 {ReadPermission} True
S-1-5-21-1002702033-524385 39-1757479 407-500 {ReadPermission} True
FREU\Exchange Public Folder Administrators {ReadPermission} True
NT AUTHORITY\NETWORK SERVICE {ReadPermission} True
S-1-5-21-1234049153-625218 297-134991 6565-1232 {ReadPermission} True
S-1-5-21-1431704460-153839 8515-31255 2118-1256 {ReadPermission} True
S-1-5-21-2061765030-123239 789-184493 6127-1283 {ReadPermission} True
S-1-5-21-1702326730-129303 6005-73224 7886-1542 {ReadPermission} True
S-1-5-21-1002702033-524385 39-1757479 407-2039 {ReadPermission} True
S-1-5-21-139397343-1590167 473-158656 3796-1980 {ReadPermission} True
FREU\Exchange Servers {ReadPermission} True
FREU\Exchange Domain Servers {ReadPermission} True
FREU\Exchange View-Only Administrators {ReadPermission} True
S-1-5-21-82125038-353254-1 769025822- 14574 {ReadPermission} True
S-1-5-21-1234049153-625218 297-134991 6565-1236 {FullAccess, DeleteItem, ReadPermission, Chang... True
S-1-5-21-1431704460-153839 8515-31255 2118-1257 {FullAccess, DeleteItem, ReadPermission, Chang... True
S-1-5-21-2061765030-123239 789-184493 6127-1284 {FullAccess, DeleteItem, ReadPermission, Chang... True
S-1-5-21-1702326730-129303 6005-73224 7886-1543 {FullAccess, DeleteItem, ReadPermission, Chang... True
S-1-5-21-1002702033-524385 39-1757479 407-2040 {FullAccess, DeleteItem, ReadPermission, Chang... True
S-1-5-21-139397343-1590167 473-158656 3796-1981 {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Domain Admins {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Enterprise Admins {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Exchange Organization Administrators {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\RENNEBERG {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Exchange Services {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Administrator {FullAccess, DeleteItem, ReadPermission, Chang... True
Where PorrasD and TrabalD are visible (PorrasD even twice because I didn't remove him since before)
Get-MailboxPermission -Identity "FRIB-Roboguide" | select User,accessrights,isinheri
User AccessRights IsInherited
---- ------------ -----------
S-1-5-21-139397343-1590167
S-1-5-21-139397343-1590167
S-1-5-21-1002702033-524385
S-1-5-21-1002702033-524385
S-1-5-21-1234049153-625218
S-1-5-21-1234049153-625218
S-1-5-21-1431704460-153839
S-1-5-21-1431704460-153839
S-1-5-21-1702326730-129303
S-1-5-21-1702326730-129303
S-1-5-21-2061765030-123239
S-1-5-21-2061765030-123239
NT AUTHORITY\SELF {FullAccess, SendAs, ExternalAccount, ReadPerm... False
FREU\PorrasD {FullAccess} False
FREU\MB-Roboguide@fanucrob
FREU\TrabalD {FullAccess} False
FREU\PorrasD {FullAccess} False
FREU\sys_frde-xprexcon {FullAccess} True
FREU\KeuperS {FullAccess} True
FREU\XMAIL$ {ReadPermission} True
FREU\KeuperS {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Exchange Servers {FullAccess} True
FREU\Exchange Domain Servers {FullAccess} True
FREU\Domain Admins {FullAccess} True
FREU\Enterprise Admins {FullAccess} True
FREU\Exchange Organization Administrators {FullAccess} True
FREU\RENNEBERG {FullAccess} True
FREU\Administrator {FullAccess} True
FREU\Exchange Servers {FullAccess} True
S-1-5-21-1234049153-625218
S-1-5-21-1431704460-153839
S-1-5-21-2061765030-123239
S-1-5-21-1702326730-129303
S-1-5-21-1002702033-524385
S-1-5-21-139397343-1590167
FREU\Exchange Domain Servers {FullAccess} True
S-1-5-21-1234049153-625218
S-1-5-21-1234049153-625218
S-1-5-21-1431704460-153839
S-1-5-21-1431704460-153839
S-1-5-21-1702326730-129303
S-1-5-21-1702326730-129303
S-1-5-21-1002702033-524385
S-1-5-21-1002702033-524385
FREU\Exchange Public Folder Administrators {ReadPermission} True
NT AUTHORITY\NETWORK SERVICE {ReadPermission} True
S-1-5-21-1234049153-625218
S-1-5-21-1431704460-153839
S-1-5-21-2061765030-123239
S-1-5-21-1702326730-129303
S-1-5-21-1002702033-524385
S-1-5-21-139397343-1590167
FREU\Exchange Servers {ReadPermission} True
FREU\Exchange Domain Servers {ReadPermission} True
FREU\Exchange View-Only Administrators {ReadPermission} True
S-1-5-21-82125038-353254-1
S-1-5-21-1234049153-625218
S-1-5-21-1431704460-153839
S-1-5-21-2061765030-123239
S-1-5-21-1702326730-129303
S-1-5-21-1002702033-524385
S-1-5-21-139397343-1590167
FREU\Domain Admins {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Enterprise Admins {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Exchange Organization Administrators {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\RENNEBERG {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Exchange Services {FullAccess, DeleteItem, ReadPermission, Chang... True
FREU\Administrator {FullAccess, DeleteItem, ReadPermission, Chang... True
ASKER
Ok !
AD is replicated and fine.
What Mailbox do you want to disable and reconnect ?
AD is replicated and fine.
What Mailbox do you want to disable and reconnect ?
There are a lot of GUID values as well which is not good... Yeah they show with Full access False
ASKER
Disable-Mailbox -Identity "FRIB-Roboguide"
Confirm
Are you sure you want to perform this action?
Disabling Mailbox "FRIB-Roboguide" will remove the Exchange properties from the Windows user object and mark the mailbox in the database for removal.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is
Connect-Mailbox -Identity "FRIB-Roboguide" -Database "FRIB Storage Group 2\FRIB Mailbox Database 2" -User "FREU\FRIB-Roboguide"
Connect-Mailbox : The user account for a user mailbox must be enabled.
At line:1 char:16
+ Connect-Mailbox <<<< -Identity "FRIB-Roboguide" -Database "FRIB Storage Group 2\FRIB Mailbox Database 2" -User "FREU\FRIB-Roboguide"
Connect-Mailbox -Identity "FRIB-Roboguide" -Database "FRIB Storage Group 2\FRIB Mailbox Database 2" -User "FREU\FRIB-Roboguide"
Result of managing Full Access Permissions:
Summary: 3 item(s). 1 succeeded, 2 failed.
Elapsed time: 00:00:00
FREU\TrabalD
Failed
Error:
Cannot remove ACE on object "CN=FRIB-Roboguide,OU=Dumm y,OU=Users AndCompute rs,OU=FRIB ,OU=ALL SUBS,DC=fanucrobotics,DC=e u" for account "FREU\TrabalD" because it is not present.
Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity 'CN=FRIB-Roboguide,OU=Dumm y,OU=Users AndCompute rs,OU=FRIB ,OU=ALL SUBS,DC=fanucrobotics,DC=e u' -User 'FREU\TrabalD' -InheritanceType 'All' -AccessRights 'FullAccess'
Elapsed Time: 00:00:00
FREU\PorrasD
Completed
Exchange Management Shell command completed:
Remove-MailboxPermission -Identity 'CN=FRIB-Roboguide,OU=Dumm y,OU=Users AndCompute rs,OU=FRIB ,OU=ALL SUBS,DC=fanucrobotics,DC=e u' -User 'FREU\PorrasD' -InheritanceType 'All' -AccessRights 'FullAccess'
Elapsed Time: 00:00:00
FREU\PorrasD
Failed
Error:
Cannot remove ACE on object "CN=FRIB-Roboguide,OU=Dumm y,OU=Users AndCompute rs,OU=FRIB ,OU=ALL SUBS,DC=fanucrobotics,DC=e u" for account "FREU\PorrasD" because it is not present.
Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity 'CN=FRIB-Roboguide,OU=Dumm y,OU=Users AndCompute rs,OU=FRIB ,OU=ALL SUBS,DC=fanucrobotics,DC=e u' -User 'FREU\PorrasD' -InheritanceType 'All' -AccessRights 'FullAccess'
Elapsed Time: 00:00:00
Confirm
Are you sure you want to perform this action?
Disabling Mailbox "FRIB-Roboguide" will remove the Exchange properties from the Windows user object and mark the mailbox in the database for removal.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is
Connect-Mailbox -Identity "FRIB-Roboguide" -Database "FRIB Storage Group 2\FRIB Mailbox Database 2" -User "FREU\FRIB-Roboguide"
Connect-Mailbox : The user account for a user mailbox must be enabled.
At line:1 char:16
+ Connect-Mailbox <<<< -Identity "FRIB-Roboguide" -Database "FRIB Storage Group 2\FRIB Mailbox Database 2" -User "FREU\FRIB-Roboguide"
Connect-Mailbox -Identity "FRIB-Roboguide" -Database "FRIB Storage Group 2\FRIB Mailbox Database 2" -User "FREU\FRIB-Roboguide"
Result of managing Full Access Permissions:
Summary: 3 item(s). 1 succeeded, 2 failed.
Elapsed time: 00:00:00
FREU\TrabalD
Failed
Error:
Cannot remove ACE on object "CN=FRIB-Roboguide,OU=Dumm
Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity 'CN=FRIB-Roboguide,OU=Dumm
Elapsed Time: 00:00:00
FREU\PorrasD
Completed
Exchange Management Shell command completed:
Remove-MailboxPermission -Identity 'CN=FRIB-Roboguide,OU=Dumm
Elapsed Time: 00:00:00
FREU\PorrasD
Failed
Error:
Cannot remove ACE on object "CN=FRIB-Roboguide,OU=Dumm
Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity 'CN=FRIB-Roboguide,OU=Dumm
Elapsed Time: 00:00:00
ASKER
False is the value refers to "isinherited"
So have you disabled the Mailbox ?
Once disable and reconnect using EMC and for removing the AD rights use ADUC and if its inheriting you would have to check the Store properties and up the table to see from where its getting inherited.
ASKER
The Mailbox was disabled, I enabled it, did the disable/reconnect thing (see above) nothing changed.
By the way PorrasD and TrabalD do NOT have inherited rights
MB-Rights-P-T27-05-2009-17-10-46.png
By the way PorrasD and TrabalD do NOT have inherited rights
MB-Rights-P-T27-05-2009-17-10-46.png
For this if we go to the properties of the Mailbox in EMC and to the properties tab we can remove them from there.
In EMC go to mailbox properties and security tab and move them out and also verify do we still see them in Manage full access on the mailbox that we have disabled and reconnected.
ASKER
We are talking about Exchange 2007 !
There is no Security Tab
These has to be done check the post ID 24483645 above....
EMC-View27-05-2009-17-32-12.png
MBProperties27-05-2009-17-29-05.png
There is no Security Tab
These has to be done check the post ID 24483645 above....
EMC-View27-05-2009-17-32-12.png
MBProperties27-05-2009-17-29-05.png
For any permission that is inherited wee have to check the Parent objects.
ASKER
There are no inherited permissions !!!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
OU=Dummy,OU=UsersAndComput
Do you see this user
FRIB-Roboguide