Solved

Removing Mailboxes along with ACL entries in Exchange 2010

Posted on 2014-09-29
247 Views
Last Modified: 2014-11-15
I am using Exchange Server 2010 and I'm having an issue that is eating a lot of my time.  I'm not super savvy when it comes to PowerShell, but I'm working on it.

I have created several dynamic distribution lists.  I love ddl's, but I hate them.  I have removed approximately 20 mailboxes from the server in a purge effort.  I did this about three months ago.  Today, I was trying to add someone to the ACL on one of my DDLs, but I received the error that it could not find those users whose boxes I deleted, but were supposed to exist in the ACL of that list.

After searching, I re-created all 20 of the mailboxes I had purged, and was able to remove them from the ACL (because they don't appear in the ACL if they don't have a mailbox, though they clearly exist in the ACL).

The grand question is this:
Is there a way to remove a user mailbox that will also remove them from any DDL acl?  If only through Powershell, then I have another question.

What is the cleanest way to identify a single user's membership in DLs (dynamic or static), and any ACL entries they may have?
Question by:Shane Kahkola
3 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 40351645
There is no clean way to identify such permissions. You have to deal with it the unpleasant way where you audit every ACL you have available.

It's a bit of an unfortunate aspect of access control lists. Because they only hold a reference to an AD object (objectSID) the reference is not recorded anywhere else (like a back-link to it in AD) so it's very easy to create orphaned access control entries.

That said you audit everything (or at least everything in this scope) after something has been deleted.

For instance, we can run something like this for the file system which may hold orphaned SIDs:
# Explicit (non-inherited) ACEs whose identity is still a raw SID, i.e. the principal no longer resolves. Domain sub-authorities are 1-10 digits and RIDs can exceed four digits, so the pattern must not fix their width.
Get-ChildItem | Where-Object { (Get-Acl $_.FullName).Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.ToString() -match '^S-1-5-\d+-\d{1,10}-\d{1,10}-\d{1,10}-\d+$' } }

Given that it can be identified it should be feasible to apply the same approach to distribution lists. This bit comes with a caveat though. I don't have access to Exchange at the moment so I can't verify whether or not this will work (basically I'm making it up, I'd be fairly surprised if it worked without some tweaking).
# Same idea against the AD permissions of each distribution group: keep the groups that carry an explicit ACE whose User is still a raw SID. Same width-free SID pattern as above.
Get-DistributionGroup | Where-Object { $_ | Get-ADPermission | Where-Object { -not $_.IsInherited -and $_.User.ToString() -match '^S-1-5-\d+-\d{1,10}-\d{1,10}-\d{1,10}-\d+$' } }

It should work in principle, but it'll need some testing to figure out if we're targeting the right fields, and if those fields hold what I expect.

Chris
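As an added example (not part of Chris's answer), here is a report-first audit of the same orphaned-SID condition that also covers dynamic distribution groups, since Get-DistributionGroup does not return them and the question is about DDLs. It assumes the Exchange 2010 Management Shell, that Get-ADPermission shows an unresolvable principal as its raw SID in the User property, and that Remove-ADPermission accepts the ACE object on the pipeline (its -Instance parameter).

```powershell
# Added example, not code from the original answer. Assumes the Exchange 2010
# Management Shell. Finds explicit ACEs on static AND dynamic distribution
# groups whose principal no longer resolves (User comes back as a raw SID
# instead of DOMAIN\name), reports them, and previews their removal.

# S-1-5-21-<dom>-<dom>-<dom>-<RID>; sub-authorities are not always 10 digits.
$OrphanSidPattern = '^S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-\d+$'

function Get-OrphanedGroupAce {
    # Get-DistributionGroup does not return dynamic groups, so query both.
    $groups = @(Get-DistributionGroup -ResultSize Unlimited) +
              @(Get-DynamicDistributionGroup -ResultSize Unlimited)

    foreach ($group in $groups) {
        Get-ADPermission -Identity $group.DistinguishedName |
            Where-Object {
                -not $_.IsInherited -and
                $_.User.ToString() -match $OrphanSidPattern
            } |
            ForEach-Object {
                # Keep the ACE object itself so it can be piped to Remove-ADPermission.
                [PSCustomObject]@{
                    Group        = $group.Name
                    GroupType    = $group.RecipientTypeDetails
                    OrphanedSid  = $_.User.ToString()
                    AccessRights = ($_.AccessRights -join ',')
                    Deny         = $_.Deny
                    Ace          = $_
                }
            }
    }
}

# Report first; removal is a separate, deliberate step.
$orphans = @(Get-OrphanedGroupAce)
$orphans | Select-Object Group, GroupType, OrphanedSid, AccessRights, Deny |
    Format-Table -AutoSize

# Assumption: Remove-ADPermission takes the ACE object on the pipeline (-Instance).
# -WhatIf only previews; drop it once the report has been reviewed.
$orphans | ForEach-Object { $_.Ace } | Remove-ADPermission -WhatIf
```

Running it with -WhatIf first matters because an ACE that looks orphaned could belong to a deleted account you intend to restore; nothing is changed until -WhatIf is removed.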
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 40352126
Thank you.  I will test this tomorrow and report back the results.  Bless you for taking a stab at this.
 
LVL 3

Author Closing Comment

by:Shane Kahkola
ID: 40444702
I'm sorry it took so long to close this question.  Thank you for the starter on the script.  That was a big help.