Solved

Removing Mailboxes along with ACL entries in Exchange 2010

Posted on 2014-09-29
3
233 Views
Last Modified: 2014-11-15
I am using Exchange Server 2010 and I'm having an issue that is eating a lot of my time.  I'm not super savvy when it comes to PowerShell, but I'm working on it.

I have created several dynamic distribution lists.  I love DDLs, but I hate them.  I have removed approximately 20 mailboxes from the server in a purge effort.  I did this about three months ago.  Today, I was trying to add someone to the ACL on one of my DDLs, but I received the error that it could not find those users whose boxes I deleted, but were supposed to exist in the ACL of that list.

After searching, I re-created all 20 of the mailboxes I had purged, and was able to remove them from the ACL (because they don't appear in the ACL if they don't have a mailbox, though they clearly exist in the ACL).

The grand question is this:
Is there a way to remove a user mailbox that will also remove them from any DDL ACL?  If only through PowerShell, then I have another question.

What is the cleanest way to identify a single user's membership in DLs (dynamic or static), and any ACL entries they may have?
Question by:Shane Kahkola
3 Comments
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 40351645
There is no clean way to identify such permissions. You have to deal with it the unpleasant way where you audit every ACL you have available.

It's a bit of an unfortunate aspect of access control lists. Because they only hold a reference to an AD object (objectSID) the reference is not recorded anywhere else (like a back-link to it in AD) so it's very easy to create orphaned access control entries.

That said, you audit everything (or at least everything in this scope) after something has been deleted.

For instance, we can run something like this for the file system which may hold orphaned SIDs:
Get-ChildItem | Where-Object { (Get-Acl $_.FullName).Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.ToString() -match '^S-1-5-\d+-\d{10}-\d{10}-\d{10}-\d{2,4}$'  } }


Given that it can be identified it should be feasible to apply the same approach to distribution lists. This bit comes with a caveat though. I don't have access to Exchange at the moment so I can't verify whether or not this will work (basically I'm making it up, I'd be fairly surprised if it worked without some tweaking).
Get-DistributionGroup | Where-Object { $_ | Get-ADPermission | Where-Object { -not $_.IsInherited -and $_.User.ToString() -match '^S-1-5-\d+-\d{10}-\d{10}-\d{10}-\d{2,4}$' } }


It should work in principle, but it'll need some testing to figure out if we're targeting the right fields, and if those fields hold what I expect.

Chris
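The following is an added example, not Chris Dent's or Shane Kahkola's code, that carries the answer's approach through to something runnable and extends it to cover both of the asker's questions: it reports orphaned (unresolvable) SIDs on the file system and on distribution groups, includes dynamic groups via Get-DynamicDistributionGroup (the answer's one-liner only walks Get-DistributionGroup), lists what one named user currently holds on any group, and can purge the dangling entries. It assumes an Exchange 2010 Management Shell session with the Exchange cmdlets loaded, and a reachable domain controller, so that a SID which fails to translate really is a deleted principal. Instead of the answer's digit-count regex it asks the domain to translate each SID, which also catches SIDs whose sub-authorities are shorter than ten digits. The ADSI-based removal is my assumption about the cleanest way to delete an entry that the Exchange cmdlets can no longer resolve; nothing in this block is the project's or the poster's own script.

```powershell
# Added example (not the poster's code). Assumes: Exchange 2010 Management Shell,
# reachable DC, and that an IdentityNotMappedException means "principal deleted".

function Test-OrphanedSid {
    param([string]$Identity)
    # $true when $Identity is a SID string the domain can no longer translate to an
    # account; $false for account names and for SIDs that still resolve.
    if ($Identity -notmatch '^S-1-\d+(-\d+)+$') { return $false }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $Identity
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true   # other failures (e.g. no DC reachable) are left to surface
    }
}

function Get-OrphanedFileAce {
    param([string]$Path = '.')
    # The answer's file-system check, using SID translation instead of the regex.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            (Get-Acl -Path $item.FullName).Access |
                Where-Object { -not $_.IsInherited -and (Test-OrphanedSid $_.IdentityReference.Value) } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Path    = $item.FullName
                        Trustee = $_.IdentityReference.Value
                        Rights  = $_.FileSystemRights
                    }
                }
        }
}

function Get-GroupAce {
    # Every explicit (non-inherited) ACE on every static AND dynamic distribution group.
    $groups = @(Get-DistributionGroup -ResultSize Unlimited) +
              @(Get-DynamicDistributionGroup -ResultSize Unlimited)
    foreach ($group in $groups) {
        Get-ADPermission -Identity $group.DistinguishedName |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Group             = $group.Name
                    DistinguishedName = $group.DistinguishedName
                    Trustee           = $_.User.ToString()   # 'DOMAIN\name', or the raw SID once orphaned
                    AccessRights      = ($_.AccessRights -join ',')
                    ExtendedRights    = ($_.ExtendedRights -join ',')
                    Deny              = $_.Deny
                }
            }
    }
}

function Get-OrphanedGroupAce {
    # Question 1: which group ACEs point at a principal that has been deleted?
    Get-GroupAce | Where-Object { Test-OrphanedSid $_.Trustee }
}

function Get-UserGroupAce {
    param([Parameter(Mandatory = $true)][string]$User)   # e.g. 'CONTOSO\jdoe'
    # Question 2: what does one still-existing user hold on any group? Run this
    # before the mailbox is removed and the entries to clean up are already known.
    $account = New-Object System.Security.Principal.NTAccount $User
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    Get-GroupAce | Where-Object { $_.Trustee -eq $User -or $_.Trustee -eq $sid }
}

function Remove-OrphanedGroupAce {
    param([switch]$Commit)
    # Reports each orphaned entry; with -Commit it purges the entry through ADSI,
    # which accepts a bare SID (assumption: the Exchange cmdlets need a resolvable -User).
    foreach ($entry in @(Get-OrphanedGroupAce)) {
        Write-Host ("{0}: {1} ({2})" -f $entry.Group, $entry.Trustee, $entry.AccessRights)
        if ($Commit) {
            $object = [ADSI]("LDAP://" + $entry.DistinguishedName)
            $sid = New-Object System.Security.Principal.SecurityIdentifier $entry.Trustee
            $object.ObjectSecurity.PurgeAccessRules($sid)
            $object.CommitChanges()
        }
    }
}

# Usage (constructed): Get-OrphanedGroupAce | Format-Table Group, Trustee, AccessRights
#                      Get-UserGroupAce -User 'CONTOSO\jdoe'
#                      Remove-OrphanedGroupAce            # report only
#                      Remove-OrphanedGroupAce -Commit    # after reviewing the report
```

Review the report-only output before running with -Commit: PurgeAccessRules removes every ACE for that SID on the group, allow and deny alike, and an orphaned-looking SID from a trusted domain whose DC is temporarily unreachable would surface as an exception rather than a false match because Test-OrphanedSid only treats IdentityNotMappedException as "deleted".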
LVL 3

Author Comment

by:Shane Kahkola
ID: 40352126
Thank you.  I will test this tomorrow and report back the results.  Bless you for taking a stab at this.
LVL 3

Author Closing Comment

by:Shane Kahkola
ID: 40444702
I'm sorry it took so long to close this question.  Thank you for the starter on the script.  That was a big help.
