Removing Mailboxes along with ACL entries in Exchange 2010

I am using Exchange Server 2010 and I'm having an issue that is eating a lot of my time. I'm not super savvy when it comes to PowerShell, but I'm working on it.

I have created several dynamic distribution lists. I love DDLs, but I hate them. I have removed approximately 20 mailboxes from the server in a purge effort. I did this about three months ago. Today, I was trying to add someone to the ACL on one of my DDLs, but I received the error that it could not find those users whose boxes I deleted, but were supposed to exist in the ACL of that list.

After searching, I re-created all 20 of the mailboxes I had purged, and was able to remove them from the ACL (because they don't appear in the ACL if they don't have a mailbox, though they clearly exist in the ACL).

The grand question is this:
Is there a way to remove a user mailbox that will also remove them from any DDL ACL? If only through PowerShell, then I have another question.

What is the cleanest way to identify a single user's membership in DLs (dynamic or static), and any ACL entries they may have?

Asked by: Eric Greene, Director of Technology
Chris Dent, PowerShell Developer, commented:
There is no clean way to identify such permissions. You have to deal with it the unpleasant way where you audit every ACL you have available.

It's a bit of an unfortunate aspect of access control lists. Because they only hold a reference to an AD object (objectSID) the reference is not recorded anywhere else (like a back-link to it in AD) so it's very easy to create orphaned access control entries.

That said, you audit everything (or at least everything in this scope) after something has been deleted.

For instance, we can run something like this for the file system which may hold orphaned SIDs:
# Explicit (non-inherited) ACEs whose trustee is still a raw domain SID, i.e. one the domain could not resolve to an account.
# Domain SIDs are S-1-5-21-<three sub-authorities>-<RID> with variable-width parts, so the pattern must not fix the digit counts.
Get-ChildItem | Where-Object { (Get-Acl $_.FullName).Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.ToString() -match '^S-1-5-21(-\d+){4}$' } }

Given that it can be identified it should be feasible to apply the same approach to distribution lists. This bit comes with a caveat though. I don't have access to Exchange at the moment so I can't verify whether or not this will work (basically I'm making it up, I'd be fairly surprised if it worked without some tweaking).
# Same idea for groups. Dynamic groups have their own cmdlet, so audit both kinds; Get-ADPermission reads the AD security descriptor of each.
@(Get-DistributionGroup) + @(Get-DynamicDistributionGroup) | Where-Object { $_ | Get-ADPermission | Where-Object { -not $_.IsInherited -and $_.User.ToString() -match '^S-1-5-21(-\d+){4}$' } }

It should work in principle, but it'll need some testing to figure out if we're targeting the right fields, and if those fields hold what I expect.

Chris
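A fuller version of that audit, and of the per-user check the question asks for, as an added example that is not part of Chris's post or the original thread. It assumes an Exchange 2010 Management Shell with the ActiveDirectory module available, run as an account that can read and write the groups' security descriptors. The Exchange and AD cmdlets are real ones; the function names, the SID pattern, and the assumption that Get-ADPermission renders a resolved trustee as DOMAIN\samAccountName are this example's own.

```powershell
# Added example, not the original poster's or the answerer's code. Assumes an
# Exchange 2010 Management Shell plus the ActiveDirectory module.
Import-Module ActiveDirectory

# Domain SIDs are S-1-5-21-<3 sub-authorities>-<RID>, each part variable width.
# An ACE whose trustee still displays as a raw SID is one the domain could not
# resolve, which (almost always) means the principal has been deleted.
$UnresolvedDomainSid = '^S-1-5-21(-\d+){4}$'

function Get-AllDistributionGroups {
    # Static and dynamic groups both carry an AD security descriptor; audit both.
    @(Get-DistributionGroup -ResultSize Unlimited) +
    @(Get-DynamicDistributionGroup -ResultSize Unlimited)
}

function Get-OrphanedGroupAce {
    # Explicit (non-inherited) ACEs on every DL/DDL whose trustee no longer resolves.
    foreach ($group in Get-AllDistributionGroups) {
        Get-ADPermission -Identity $group.DistinguishedName |
            Where-Object { -not $_.IsInherited -and
                           $_.User.ToString() -match $UnresolvedDomainSid } |
            ForEach-Object {
                [pscustomobject]@{
                    Group        = $group.Name
                    GroupDN      = $group.DistinguishedName
                    Trustee      = $_.User.ToString()
                    AccessRights = ($_.AccessRights -join ',')
                    Deny         = $_.Deny
                }
            }
    }
}

function Get-UserGroupFootprint {
    # What to clean up BEFORE Remove-Mailbox / Remove-ADUser for one account:
    # static memberships (AD keeps a memberOf back-link for those), dynamic
    # memberships (each DDL's filter, evaluated the way Exchange evaluates it),
    # and ACEs naming the user (no back-link exists, so every group is scanned).
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $user    = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $netbios = (Get-ADDomain).NetBIOSName
    # Assumption: a resolved trustee is rendered as DOMAIN\samAccountName.
    $trustee = "$netbios\$($user.SamAccountName)"

    foreach ($dn in $user.MemberOf) {
        [pscustomobject]@{ Kind = 'StaticMember'; Group = $dn; Detail = '' }
    }
    foreach ($group in Get-AllDistributionGroups) {
        if ($group.RecipientTypeDetails -eq 'DynamicDistributionGroup') {
            # Preview the DDL's filter inside its container and look for the user's DN.
            $matched = Get-Recipient -RecipientPreviewFilter $group.RecipientFilter `
                           -OrganizationalUnit $group.RecipientContainer -ResultSize Unlimited |
                       Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }
            if ($matched) {
                [pscustomobject]@{ Kind = 'DynamicMember'; Group = $group.DistinguishedName
                                   Detail = $group.RecipientFilter }
            }
        }
        Get-ADPermission -Identity $group.DistinguishedName |
            Where-Object { -not $_.IsInherited -and $_.User.ToString() -eq $trustee } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'Ace'; Group = $group.DistinguishedName
                                   Detail = ($_.AccessRights -join ',') }
            }
    }
}

function Remove-OrphanedGroupAce {
    # Strips ACEs for a SID that no longer resolves. Rather than asking
    # Remove-ADPermission to resolve a deleted principal, go through ADSI and
    # purge the security descriptor by SID. Honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$OrphanedAce)
    process {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $OrphanedAce.Trustee
        if ($PSCmdlet.ShouldProcess($OrphanedAce.GroupDN, "purge ACEs for $sid")) {
            $entry = [ADSI]"LDAP://$($OrphanedAce.GroupDN)"
            $entry.psbase.ObjectSecurity.PurgeAccessRules($sid)
            $entry.psbase.CommitChanges()
        }
    }
}

# Usage:
#   Get-OrphanedGroupAce | Format-Table -AutoSize
#   Get-OrphanedGroupAce | Remove-OrphanedGroupAce -WhatIf    # drop -WhatIf to commit
#   Get-UserGroupFootprint -SamAccountName jdoe | Format-Table -AutoSize
```

The split between the two checks follows the point Chris makes: static membership is cheap to answer because AD maintains the memberOf back-link, whereas an ACE holds only a SID and a DDL holds only a filter, so both have to be computed by walking every group. That is why the footprint check belongs before the mailbox is removed; afterwards only the orphaned-SID scan is left, and it has to be applied to every object type that can carry an ACL, not just distribution groups.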
Eric Greene, Director of Technology (author), commented:
Thank you. I will test this tomorrow and report back the results. Bless you for taking a stab at this.

Eric Greene, Director of Technology (author), commented:
I'm sorry it took so long to close this question. Thank you for the starter on the script. That was a big help.