Exchange 2010 - List all deleted AD accounts with permissions to mailbox folders

Im trying to use Exchange 2010/PowerShell to list all deleted Active Directory accounts which are granted permissions to live Exchange mailbox folders.  I've tried using many different variations of the following, but can't seem to get it to work.

Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolder | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderStatistics | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}

Open in new window


Basically, I want to get all mailboxes in <myOU>, pipe that to Get-MailboxFolderPermission where the username starts with "NT User:S-1-5", ie, is a deleted AD account.  So, I can see any folders in any live mailboxes which have permissions set for deleted AD accounts.

If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermissions" to remove them.

Thanks
Paul HuxhamAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Guy LidbetterCommented:
Hi Huxham

Don't the deleted user account return only the SID.. i.e. S-1-5xxxxxBlah and not "NT User:...."?

So try
Get-Mailbox | Get-MailboxFolderPermission | Where {$_.User -Match "S-1-5*"}

Open in new window

0
Paul HuxhamAuthor Commented:
Hi Guy

Apologies, I should have been clearer.  I've tested the "where" condition, and that works correctly with or without the "NT User" part.  The bit that's actually failing is piping the output from the "Get-Mailbox" to "Get-MailboxFolderPermission", etc.

Thanks
Paul
0
Will SzymkowskiSenior Solution ArchitectCommented:
I would modify the script above slightly...See below...
Get-mailbox -ResultSize "unlimited" | Get-MailboxFolderPermission | ? {$_.User -like "S-1-5*"}

Open in new window


If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermissions" to remove them

Once you have tested this all you need to do is the following...
Get-mailbox -ResultSize "unlimited" | Remove-MailboxFolderPermission | ? {$_.User -like "S-1-5*"}

Open in new window


Will.
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Will SzymkowskiSenior Solution ArchitectCommented:
The Get-MailboxFolderPermission does accept Pipeline info so there should be no issue piping from Get-mailbox | get-mailboxfolderpermission.

Will.
0
Paul HuxhamAuthor Commented:
Hi Will

Thanks for your message.  Unfortunately, the Get-MailboxPermission command only returns the "Top of Information Store" folder unless the folder name is explicitly named or piped to it.  I want to list any folders rather than just the top level, hence why I had tried using the Get-MailboxFolder and Get-MailboxFolderStatistic commands to pipe to Get-FolderPermission but without success.

Thanks
Paul
0
Will SzymkowskiSenior Solution ArchitectCommented:
Could you not use something like below...

Get-mailboxFolder -Identity name:\inbox -recurse | get-mailboxFolderPermission | fl

Will.
0
Paul HuxhamAuthor Commented:
I wish it were that simple.  The Get-MailboxFolder cmdlet only runs against the currently logged in user. Yes, you can't run this cmdlet against another mailbox!
0
Paul HuxhamAuthor Commented:
OK, I solved this one myself in the end by combining various other PowerShell scripts from lots of different sources.  Here's what I eventually used, and it seems to do exactly what I wanted to achieve.

ForEach($m in (Get-Mailbox -OrganizationalUnit '<MyOU>' -ResultSize Unlimited )) {
 ForEach($f in (Get-MailboxFolderStatistics $m.Alias)) {
  $fname = $m.Alias + ":" + $f.FolderPath.Replace("/","\");
  ForEach($p in (Get-MailboxFolderPermission $fname | Where {$_.User -Match "NT User:S-1-5*"} )) {
	$commandString = @('Remove-MailboxFolderPermission -Identity "' + $fname + '" -User "' + $p.Identity + '" -confirm:$false');
	&([scriptblock]::create($commandString));
    }
  }
}

Open in new window


IMPORTANT: Obviously, automating the Remove-MailboxFolderPermission cmdlet can be potentially disasterous, so if anybody else wants to use this code for their own purposes, I would highly recommend testing in a development environment first, and obviously you do so at your own risk!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Guy LidbetterCommented:
Nicely done Huxham
0
Paul HuxhamAuthor Commented:
This is the solution I achieved myself after hunting around and combining PowerShell scripts from different sources.  This is the only solution provided which answered my initial question.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.