Automated way to remove "NT User:xxx" (Deleted users) from Exchange 2007/2010 Public Folders?

RobertSeattle
I'm well aware of PFDAVAdmin and ExFolders, but I've got 1000's of folders to delete these from and the manual way would take days.  I'd like some kind of script that would go through my entire Public Folder tree and delete any permission entity whose name starts with "NT User".  Any suggestions?  PowerShell commands only work with valid user accounts.
you would need to run two scripts
the first would need to generate a list of folders and permissions that meet this criteria

$public = Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | where  { $_.User.ToString().Contains("NT User") -eq $true } | select Identity,User,AccessRights

then run thru each removing the permission
foreach($p in $public) { Get-PublicFolder $p.Identity | Remove-PublicFolderClientPermission -User $p.User -AccessRights $p.AccessRights -Confirm:$false }

i would run the first part to verify the list is accurate before running the second, you can also remove the confirm:$false to verify the first few then Ctrl+C to break

Author

Commented:
endital1097,

I will try this, but I'm almost 100% sure the Exchange PowerShell commands "pre verify" the user identity so when that fails, the command fails.
you are right
Public folder user "9AABDD56-LGU000000" doesn't exist. A valid public folder user should be a mail-enabled user, mailbo
x, or distribution group.
    + CategoryInfo          : NotSpecified: (0:Int32) [Remove-PublicFolderClientPermission], ManagementObjectNotFoundE
   xception
    + FullyQualifiedErrorId : 6CC199DB,Microsoft.Exchange.Management.MapiTasks.RemovePublicFolderClientPermission

i am trying something else now

i found the following and it doesn't appear to be possible
http://clintboessen.blogspot.com/2009/07/zombie-user-accounts-and-exchange.html
then again this may be possible, but definitely should be tested first
i ran this in my lab and it worked, here is the example

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>$perms = Get-PublicFolder "\folder1" | Get-PublicFolderClientPermission
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>$perms

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : Default
AccessRights : {Author}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : contoso.com/LoadGen Objects/Users/RDC1/Mailbox Database 1950124506/RDC1 9AABDD56-LGU000007
AccessRights : {Editor}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : NT User:S-1-5-21-1749918459-1584074982-4111601573-1130
AccessRights : {Owner}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : contoso.com/Users/Administrator
AccessRights : {Owner}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : Anonymous
AccessRights : {CreateItems}


[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>Get-PublicFolder "\folder1" | Get-PublicFolderClientPermission |
 Remove-PublicFolderClientPermission -Confirm:$false

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>Get-PublicFolder "\folder1" | Get-PublicFolderClientPermission

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : Default
AccessRights : {None}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : Anonymous
AccessRights : {None}

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>foreach($p in $perms) { Get-PublicFolder $p.Identity | Add-PublicFolderClientPermission -User $p.User -AccessRights $p.AccessRights }


RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : Default
AccessRights : {Author}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : contoso.com/LoadGen Objects/Users/RDC1/Mailbox Database 1950124506/RDC1 9AABDD56-LGU000007
AccessRights : {Editor}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : contoso.com/Users/Administrator
AccessRights : {Owner}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : Anonymous
AccessRights : {CreateItems}

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>Get-PublicFolder "\folder1" | Get-PublicFolderClientPermission


RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : Default
AccessRights : {Author}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : Anonymous
AccessRights : {CreateItems}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : contoso.com/Users/Administrator
AccessRights : {Owner}

RunspaceId   : c54aedcb-4235-4540-9451-9a0dea56140b
Identity     : \Folder1
User         : contoso.com/LoadGen Objects/Users/RDC1/Mailbox Database 1950124506/RDC1 9AABDD56-LGU000007
AccessRights : {Editor}

 

Author

Commented:
OK, you got me really close enough to go over the top... Here is the solution I was looking for:

Get-PublicFolder <TopOfFolderPathToStart>  -recurse  | Get-PublicFolderClientPermission | Where-Object {$_.User -like "NT User:*"} | Remove-PublicFolderClientPermission -Confirm:$false

This seems to be working against a folder tree of 1000's of subfolders!!!    Not the fastest PowerShell I've ever executed, but it will save dozens of hours against the "manual" way.  Thanks!
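
An audit-first variant of the one-liner above, added here as an example and not part of the original thread: it records which folders carried an orphaned "NT User:" entry and with what rights before anything is removed, and only deletes when $Apply is set. $Root, $Report and $Apply are hypothetical names, and the script assumes the Exchange 2010 Management Shell (PowerShell 2.0 or later).

```powershell
# Added example, not from the thread. $Root, $Report and $Apply are
# hypothetical values; set them for your environment.
$Root   = '\'                               # top of the folder tree to scan
$Report = '.\orphaned-pf-permissions.csv'   # record of what was found
$Apply  = $false                            # $false = dry run only

# 1. Inventory: collect every unresolved-SID entry once, changing nothing.
#    -ResultSize Unlimited lifts the default cap on returned folders.
$orphans = @(Get-PublicFolder $Root -Recurse -ResultSize Unlimited |
    Get-PublicFolderClientPermission |
    Where-Object { $_.User.ToString() -like 'NT User:*' })

# 2. Keep a record: the rights a deleted account still held (for example
#    Owner) are worth reviewing, and the entry cannot be re-added afterwards.
$orphans |
    Select-Object @{ Name = 'Folder';       Expression = { $_.Identity.ToString() } },
                  @{ Name = 'User';         Expression = { $_.User.ToString() } },
                  @{ Name = 'AccessRights'; Expression = { $_.AccessRights -join ';' } } |
    Export-Csv -Path $Report -NoTypeInformation

Write-Host ("{0} orphaned entries written to {1}" -f $orphans.Count, $Report)

if (-not $Apply) {
    # 3. Dry run: show what would be removed without touching any folder.
    $orphans | Remove-PublicFolderClientPermission -WhatIf
}
else {
    # 4. Removal, one entry at a time, piping the permission object itself
    #    (as the one-liner does) so one failing folder does not end the run.
    foreach ($entry in $orphans) {
        try {
            $entry | Remove-PublicFolderClientPermission -Confirm:$false -ErrorAction Stop
        }
        catch {
            Write-Warning ("Failed on {0} / {1}: {2}" -f `
                $entry.Identity, $entry.User, $_.Exception.Message)
        }
    }
}
```

Run it once with $Apply left at $false, check the CSV against the folders you expect, then set $Apply to $true.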
comment 33121064 basically took the two lines provided in comment 33119956 and put them in the same line

Author

Commented:
Your solutions were only partial as:
1. It deleted all permissions, not NT User accounts
2. It crashed a lot.
3. It wasn't recursive, it only did one folder.

It was helpful, but just didn't completely answer what my objective was.

Author

Commented:
Did not solve the problem, just got me closer to the correct solution
