Solved

Removing Mailboxes along with ACL entries in Exchange 2010

Posted on 2014-09-29
240 Views
Last Modified: 2014-11-15
I am using Exchange Server 2010 and I'm having an issue that is eating a lot of my time.  I'm not super savvy when it comes to PowerShell, but I'm working on it.

I have created several dynamic distribution lists.  I love ddl's, but I hate them.  I have removed approximately 20 mailboxes from the server in a purge effort.  I did this about three months ago.  Today, I was trying to add someone to the ACL on one of my DDLs, but I received the error that it could not find those users whose boxes I deleted, but were supposed to exist in the ACL of that list.

After searching, I re-created all 20 of the mailboxes I had purged, and was able to remove them from the ACL (because they don't appear in the ACL if they don't have a mailbox, though they clearly exist in the ACL).

The grand question is this:
Is there a way to remove a user mailbox that will also remove them from any DDL ACL?  If only through PowerShell, then I have another question.

What is the cleanest way to identify a single user's membership in DLs (dynamic or static), and any ACL entries they may have?
Question by: Shane Kahkola

Accepted Solution by: Chris Dent (LVL 70), earned 500 total points
ID: 40351645
There is no clean way to identify such permissions. You have to deal with it the unpleasant way where you audit every ACL you have available.

It's a bit of an unfortunate aspect of access control lists. Because they only hold a reference to an AD object (objectSID) the reference is not recorded anywhere else (like a back-link to it in AD) so it's very easy to create orphaned access control entries.

That said, you audit everything (or at least everything in this scope) after something has been deleted.

For instance, we can run something like this for the file system which may hold orphaned SIDs:
Get-ChildItem | Where-Object { (Get-Acl $_.FullName).Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.ToString() -match '^S-1-5-\d+-\d{10}-\d{10}-\d{10}-\d{2,4}$'  } }


Given that it can be identified it should be feasible to apply the same approach to distribution lists. This bit comes with a caveat though. I don't have access to Exchange at the moment so I can't verify whether or not this will work (basically I'm making it up, I'd be fairly surprised if it worked without some tweaking).
Get-DistributionGroup | Where-Object { $_ | Get-ADPermission | Where-Object { -not $_.IsInherited -and $_.User.ToString() -match '^S-1-5-\d+-\d{10}-\d{10}-\d{10}-\d{2,4}$' } }


It should work in principle, but it'll need some testing to figure out if we're targeting the right fields, and if those fields hold what I expect.

Chris
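An added example, not code from the answer above, that generalizes the two one-liners: instead of matching a fixed digit count, it asks Windows to translate each SID back to an account and treats a failed translation as an orphaned entry, and it covers dynamic groups as well as static ones. The function names are mine; Get-DistributionGroup, Get-DynamicDistributionGroup and Get-ADPermission are assumed to be loaded from the Exchange 2010 snap-in, and the User property of Get-ADPermission is assumed to stringify to DOMAIN\name or a raw SID.

```powershell
# Added example, not from the thread. Flags non-inherited ACEs whose identity
# no longer maps to an account by asking Windows to translate the SID, rather
# than matching a fixed digit count (domain sub-authorities are not always
# 10 digits). The three function names are assumptions for this example.

function Test-OrphanedIdentity {
    param([Parameter(Mandatory)][string]$Identity)

    # An ACE that already resolved to DOMAIN\name is not orphaned.
    if ($Identity -notmatch '^S-1-\d+(-\d+)+$') { return $false }

    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$Identity
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $false      # the SID still belongs to a live principal
    } catch {
        return $true       # IdentityNotMappedException: no such account any more
    }
}

function Get-OrphanedFileAce {
    param([string]$Path = '.')
    Get-ChildItem -Path $Path -Recurse | ForEach-Object {
        $item = $_
        (Get-Acl -Path $item.FullName).Access |
            Where-Object { -not $_.IsInherited -and (Test-OrphanedIdentity $_.IdentityReference.Value) } |
            ForEach-Object {
                [pscustomobject]@{ Path = $item.FullName; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
            }
    }
}

function Get-OrphanedGroupAce {
    # Assumption: Get-ADPermission's User property stringifies to DOMAIN\name
    # for live accounts and to a raw S-1-5-... SID once the account is gone.
    $groups = @(Get-DistributionGroup -ResultSize Unlimited) +
              @(Get-DynamicDistributionGroup -ResultSize Unlimited)
    foreach ($group in $groups) {
        Get-ADPermission -Identity $group.Identity |
            Where-Object { -not $_.IsInherited -and (Test-OrphanedIdentity $_.User.ToString()) } |
            ForEach-Object {
                [pscustomobject]@{ Group = $group.Name; Identity = $_.User.ToString(); Rights = ($_.AccessRights -join ',') }
            }
    }
}

# Report only; removing an entry is a separate Set-Acl / Remove-ADPermission step.
Get-OrphanedFileAce -Path 'C:\Shares' | Format-Table -AutoSize
Get-OrphanedGroupAce | Format-Table -AutoSize
```

A SID from an untrusted or unreachable domain also fails to translate, so check the domain part of any SID the report lists before treating it as a leftover from the mailbox purge.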
Author Comment by: Shane Kahkola (LVL 3)
ID: 40352126
Thank you.  I will test this tomorrow and report back the results.  Bless you for taking a stab at this.

Author Closing Comment by: Shane Kahkola (LVL 3)
ID: 40444702
I'm sorry it took so long to close this question.  Thank you for the starter on the script.  That was a big help.