
Removing Mailboxes along with ACL entries in Exchange 2010

I am using Exchange Server 2010 and I'm having an issue that is eating a lot of my time.  I'm not super savvy when it comes to PowerShell, but I'm working on it.

I have created several dynamic distribution lists.  I love ddl's, but I hate them.  I have removed approximately 20 mailboxes from the server in a purge effort.  I did this about three months ago.  Today, I was trying to add someone to the ACL on one of my DDLs, but I received the error that it could not find those users whose boxes I deleted, but were supposed to exist in the ACL of that list.

After searching, I re-created all 20 of the mailboxes I had purged, and was able to remove them from the ACL (because they don't appear in the ACL if they don't have a mailbox, though they clearly exist in the ACL).

The grand question is this:
Is there a way to remove a user mailbox that will also remove them from any DDL acl?  If only through Powershell, then I have another question.

What is the cleanest way to identify a single user's membership in DLs (dynamic or static), and any ACL entries they may have.
1 Solution
Chris Dent (PowerShell Developer) commented:
There is no clean way to identify such permissions. You have to deal with it the unpleasant way where you audit every ACL you have available.

It's a bit of an unfortunate aspect of access control lists. Because they only hold a reference to an AD object (objectSID), the reference is not recorded anywhere else (like a back-link to it in AD), so it's very easy to create orphaned access control entries.

That said, you audit everything (or at least everything in this scope) after something has been deleted.

For instance, we can run something like this for the file system which may hold orphaned SIDs:
Get-ChildItem | Where-Object { (Get-Acl $_.FullName).Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.ToString() -match '^S-1-5-\d+-\d{10}-\d{10}-\d{10}-\d{2,4}$'  } }


Given that it can be identified it should be feasible to apply the same approach to distribution lists. This bit comes with a caveat though. I don't have access to Exchange at the moment so I can't verify whether or not this will work (basically I'm making it up, I'd be fairly surprised if it worked without some tweaking).
Get-DistributionGroup | Where-Object { $_ | Get-ADPermission | Where-Object { -not $_.IsInherited -and $_.User.ToString() -match '^S-1-5-\d+-\d{10}-\d{10}-\d{10}-\d{2,4}$' } }


It should work in principle, but it'll need some testing to figure out if we're targeting the right fields, and if those fields hold what I expect.
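As an added example (not code from this thread), the following PowerShell takes the same Get-ADPermission approach but runs it from the other side: before the mailbox is removed, while the account still resolves, it lists the user's static DL memberships, dynamic DL filter matches, and explicit group ACEs, so those ACEs can be cleared instead of becoming orphaned SIDs. It assumes the Exchange 2010 Management Shell is loaded and that the server-side `Members` filter on Get-DistributionGroup is available.

```powershell
# Added example, not the thread's code. Assumes the Exchange 2010 Management Shell
# (Get-User, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Recipient,
# Get-ADPermission). Run it BEFORE Remove-Mailbox so ACEs are matched by SID.
function ConvertTo-SidString {
    # "DOMAIN\name" (how Get-ADPermission renders a trustee) -> SID string, or
    # $null when it cannot be translated (well-known names, already-orphaned SIDs).
    param([string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

function Get-RecipientGroupFootprint {
    # Emits one object (Kind, Group, Detail) per static DL membership, dynamic DL
    # filter match, and explicit (non-inherited) group ACE held by the user.
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Identity)
    $user    = Get-User -Identity $Identity -ErrorAction Stop
    $dn      = $user.DistinguishedName
    $sid     = $user.Sid.Value
    $static  = @(Get-DistributionGroup -ResultSize Unlimited)
    $dynamic = @(Get-DynamicDistributionGroup -ResultSize Unlimited)

    # 1. Static groups: Members is a filterable property, so let the server do it.
    Get-DistributionGroup -ResultSize Unlimited -Filter "Members -eq '$dn'" | ForEach-Object {
        New-Object PSObject -Property @{ Kind = 'StaticMember'; Group = $_.Name; Detail = $dn }
    }

    # 2. Dynamic groups store no member list; preview each filter and look for the user.
    foreach ($ddg in $dynamic) {
        $hit = Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $ddg.RecipientFilter `
                   -OrganizationalUnit $ddg.RecipientContainer |
               Where-Object { $_.DistinguishedName -eq $dn }
        if ($hit) {
            New-Object PSObject -Property @{ Kind = 'DynamicMatch'; Group = $ddg.Name; Detail = $ddg.RecipientFilter }
        }
    }

    # 3. Explicit ACEs on any group whose trustee is this user's SID. These are the
    #    entries that turn into orphans once the account is gone; the matching
    #    Get-ADPermission objects can be piped to Remove-ADPermission -WhatIf first.
    foreach ($g in ($static + $dynamic)) {
        Get-ADPermission -Identity $g.DistinguishedName |
            Where-Object { -not $_.IsInherited -and (ConvertTo-SidString $_.User.ToString()) -eq $sid } |
            ForEach-Object {
                $rights = (@($_.AccessRights) + @($_.ExtendedRights) | Where-Object { $_ }) -join ', '
                New-Object PSObject -Property @{ Kind = 'ACE'; Group = $g.Name; Detail = $rights }
            }
    }
}
```

Run `Get-RecipientGroupFootprint -Identity someuser | Format-Table Kind, Group, Detail -AutoSize` and review the ACE rows before removing anything; the delivery-restriction lists on a group (AcceptMessagesOnlyFrom and friends) are separate attributes, not ACEs, and are not covered here.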

Shane Kahkola (Director of I.T., Author) commented:
Thank you.  I will test this tomorrow and report back the results.  Bless you for taking a stab at this.
Shane Kahkola (Director of I.T., Author) commented:
I'm sorry it took so long to close this question.  Thank you for the starter on the script.  That was a big help.