Exchange 2010 - List all deleted AD accounts with permissions to mailbox folders

Posted on 2015-02-18
Last Modified: 2015-02-24
I'm trying to use Exchange 2010/PowerShell to list all deleted Active Directory accounts which are granted permissions to live Exchange mailbox folders. I've tried using many different variations of the following, but can't seem to get it to work.

Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolder | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderStatistics | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}

Basically, I want to get all mailboxes in <myOU>, pipe that to Get-MailboxFolderPermission where the username starts with "NT User:S-1-5", i.e. is a deleted AD account. So, I can see any folders in any live mailboxes which have permissions set for deleted AD accounts.

If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermission" to remove them.

Thanks
Question by:Paul Huxham

Expert Comment

by:Guy Lidbetter
ID: 40616632
Hi Huxham

Doesn't the deleted user account return only the SID, i.e. S-1-5xxxxxBlah, and not "NT User:..."?

So try
Get-Mailbox | Get-MailboxFolderPermission | Where {$_.User -like "S-1-5*"}

Author Comment

by:Paul Huxham
ID: 40616764
Hi Guy

Apologies, I should have been clearer. I've tested the "where" condition, and that works correctly with or without the "NT User" part. The bit that's actually failing is piping the output from "Get-Mailbox" to "Get-MailboxFolderPermission", etc.

Thanks
Paul
Expert Comment

by:Will Szymkowski
ID: 40616765
I would modify the script above slightly...See below...
Get-mailbox -ResultSize "unlimited" | Get-MailboxFolderPermission | ? {$_.User -like "S-1-5*"}

If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermission" to remove them

Once you have tested this all you need to do is the following...
Get-Mailbox -ResultSize Unlimited | ForEach-Object { $mbx = $_;
  Get-MailboxFolderPermission $mbx.Alias | ? {$_.User -like "S-1-5*"} | % { Remove-MailboxFolderPermission -Identity $mbx.Alias -User $_.Identity -Confirm:$false } }

Will.

Expert Comment

by:Will Szymkowski
ID: 40616791
The Get-MailboxFolderPermission cmdlet does accept pipeline input, so there should be no issue piping from Get-Mailbox | Get-MailboxFolderPermission.

Will.

Author Comment

by:Paul Huxham
ID: 40616825
Hi Will

Thanks for your message. Unfortunately, the Get-MailboxFolderPermission command only returns the "Top of Information Store" folder unless the folder name is explicitly named or piped to it. I want to list any folders rather than just the top level, which is why I had tried using the Get-MailboxFolder and Get-MailboxFolderStatistics commands to pipe to Get-MailboxFolderPermission, but without success.

Thanks
Paul

Expert Comment

by:Will Szymkowski
ID: 40616906
Could you not use something like below...

Get-MailboxFolder -Identity name:\inbox -Recurse | Get-MailboxFolderPermission | fl

Will.

Author Comment

by:Paul Huxham
ID: 40616944
I wish it were that simple.  The Get-MailboxFolder cmdlet only runs against the currently logged in user. Yes, you can't run this cmdlet against another mailbox!

Accepted Solution

by:Paul Huxham
ID: 40618934
OK, I solved this one myself in the end by combining various other PowerShell scripts from lots of different sources.  Here's what I eventually used, and it seems to do exactly what I wanted to achieve.

ForEach($m in (Get-Mailbox -OrganizationalUnit '<MyOU>' -ResultSize Unlimited )) {
  ForEach($f in (Get-MailboxFolderStatistics $m.Alias)) {
    # Folder identity in the form Alias:\Path\To\Folder (statistics report the path with "/" separators)
    $fname = $m.Alias + ":" + $f.FolderPath.Replace("/","\")
    # -like rather than -Match: as a regex, "S-1-5*" means "S-1-" followed by zero or more 5s
    ForEach($p in (Get-MailboxFolderPermission $fname | Where {$_.User -like "NT User:S-1-5*"} )) {
      # Call the cmdlet directly instead of building a command string and invoking it through a
      # scriptblock; a folder name containing a double quote would otherwise break or alter the command
      Remove-MailboxFolderPermission -Identity $fname -User $p.Identity -Confirm:$false
    }
  }
}

IMPORTANT: Obviously, automating the Remove-MailboxFolderPermission cmdlet can be potentially disastrous, so if anybody else wants to use this code for their own purposes, I would highly recommend testing in a development environment first, and obviously you do so at your own risk!

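As an added example (not code from the thread or from any of its participants), the script below takes the same enumeration as the accepted solution, Get-Mailbox to Get-MailboxFolderStatistics to Get-MailboxFolderPermission per folder, and runs it report-first: it writes every "NT User:S-1-5-..." entry to a CSV, and only removes an entry when the -Remove switch is given and the SID genuinely fails to resolve against the directory. That last check addresses Guy's question about how deleted accounts appear: the "NT User:" prefix is a hint, an unresolvable SID is the proof. It assumes the Exchange 2010 Management Shell (PowerShell 2.0 syntax), that orphaned entries appear in the User column exactly as the thread describes, and, as in the accepted solution, that the permission object's Identity is what Remove-MailboxFolderPermission -User expects. The OU, the report path and the SID pattern are assumptions.

```powershell
# Added example, not code from the original thread: report, then optionally remove, mailbox
# folder permissions held by orphaned SIDs across every folder of every mailbox in an OU.
# Assumes the Exchange 2010 Management Shell (PowerShell 2.0), that orphaned entries appear in
# the User column as "NT User:S-1-5-..." as the thread describes, and that the permission
# object's Identity is what Remove-MailboxFolderPermission -User expects (as in the accepted
# solution). The OU and report path are placeholders.
param(
    [string]$OrganizationalUnit = '<MyOU>',
    [string]$ReportPath = '.\OrphanedFolderPermissions.csv',
    [switch]$Remove          # default is report-only
)

# Anchored regex: the account part must look like a SID. With -Match, the thread's "S-1-5*"
# would mean "S-1-" followed by zero or more 5s, which is not a SID test at all.
$orphanPattern = '^NT User:(S-1-5-[0-9-]+)$'

function Test-SidResolves {
    # $true if the SID still maps to an account in the forest. An unresolvable SID is the real
    # signal that the account is gone; the "NT User:" display prefix alone is only a hint.
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $null = $sidObj.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

$findings = foreach ($m in (Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited)) {
    foreach ($f in (Get-MailboxFolderStatistics -Identity $m.Identity)) {
        # Folder identity is <alias>:\Path\To\Folder; statistics report the path with "/" separators.
        $folderId = '{0}:{1}' -f $m.Alias, $f.FolderPath.Replace('/', '\')
        # Some folders reported by statistics cannot be addressed this way; skip them quietly.
        $perms = Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue
        foreach ($p in $perms) {
            if ("$($p.User)" -match $orphanPattern) {
                $sid = $Matches[1]
                New-Object PSObject -Property @{
                    Mailbox       = "$($m.PrimarySmtpAddress)"
                    Folder        = $folderId
                    User          = "$($p.User)"
                    UserId        = "$($p.Identity)"     # value passed to -User on removal
                    AccessRights  = ($p.AccessRights -join ',')
                    StillResolves = Test-SidResolves -Sid $sid
                }
            }
        }
    }
}

if (-not $findings) {
    Write-Host "No folder permissions for orphaned SIDs found under $OrganizationalUnit"
    return
}

$findings | Select-Object Mailbox, Folder, User, AccessRights, StillResolves |
    Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table Mailbox, Folder, User, AccessRights, StillResolves -AutoSize

if ($Remove) {
    # Remove only entries whose SID no longer resolves, and pass parameters directly rather than
    # building a command string, so a crafted folder name cannot alter the command.
    foreach ($x in ($findings | Where-Object { -not $_.StillResolves })) {
        Remove-MailboxFolderPermission -Identity $x.Folder -User $x.UserId -Confirm:$false
    }
}
```

Run it once without -Remove, review the CSV (in particular any row where StillResolves is True, which would mean the entry is not actually orphaned), then run it again with -Remove. Because the removal loop reads from the same $findings list that was just reported, what gets removed is exactly what was reviewed.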
Expert Comment

by:Guy Lidbetter
ID: 40618953
Nicely done Huxham

Author Closing Comment

by:Paul Huxham
ID: 40627795
This is the solution I achieved myself after hunting around and combining PowerShell scripts from different sources.  This is the only solution provided which answered my initial question.