Solved

Exchange 2010 - List all deleted AD accounts with permissions to mailbox folders

Posted on 2015-02-18
Last Modified: 2015-02-24
I'm trying to use Exchange 2010/PowerShell to list all deleted Active Directory accounts which are granted permissions to live Exchange mailbox folders.  I've tried using many different variations of the following, but can't seem to get it to work.

Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolder | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderStatistics | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}



Basically, I want to get all mailboxes in <myOU>, pipe that to Get-MailboxFolderPermission where the username starts with "NT User:S-1-5", i.e., is a deleted AD account.  So, I can see any folders in any live mailboxes which have permissions set for deleted AD accounts.

If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermissions" to remove them.

Thanks
0
Question by:Paul Huxham
10 Comments
 
LVL 13

Expert Comment

by:Guy Lidbetter
ID: 40616632
Hi Huxham

Doesn't the deleted user account return only the SID, i.e. S-1-5xxxxxBlah and not "NT User:...."?

So try
Get-Mailbox | Get-MailboxFolderPermission | Where {$_.User -Match "S-1-5*"}


0
 

Author Comment

by:Paul Huxham
ID: 40616764
Hi Guy

Apologies, I should have been clearer.  I've tested the "where" condition, and that works correctly with or without the "NT User" part.  The bit that's actually failing is piping the output from the "Get-Mailbox" to "Get-MailboxFolderPermission", etc.

Thanks
Paul
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40616765
I would modify the script above slightly...See below...
Get-mailbox -ResultSize "unlimited" | Get-MailboxFolderPermission | ? {$_.User -like "S-1-5*"}



If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermissions" to remove them

Once you have tested this all you need to do is the following...
Get-mailbox -ResultSize "unlimited" | Remove-MailboxFolderPermission | ? {$_.User -like "S-1-5*"}



Will.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40616791
The Get-MailboxFolderPermission does accept Pipeline info so there should be no issue piping from Get-mailbox | get-mailboxfolderpermission.

Will.
0
 

Author Comment

by:Paul Huxham
ID: 40616825
Hi Will

Thanks for your message.  Unfortunately, the Get-MailboxPermission command only returns the "Top of Information Store" folder unless the folder name is explicitly named or piped to it.  I want to list any folders rather than just the top level, hence why I had tried using the Get-MailboxFolder and Get-MailboxFolderStatistic commands to pipe to Get-FolderPermission but without success.

Thanks
Paul
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40616906
Could you not use something like below...

Get-mailboxFolder -Identity name:\inbox -recurse | get-mailboxFolderPermission | fl

Will.
0
 

Author Comment

by:Paul Huxham
ID: 40616944
I wish it were that simple.  The Get-MailboxFolder cmdlet only runs against the currently logged in user. Yes, you can't run this cmdlet against another mailbox!
0
 

Accepted Solution

by:
Paul Huxham earned 0 total points
ID: 40618934
OK, I solved this one myself in the end by combining various other PowerShell scripts from lots of different sources.  Here's what I eventually used, and it seems to do exactly what I wanted to achieve.

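# Walk every mailbox in the OU, then every folder in each mailbox
ForEach($m in (Get-Mailbox -OrganizationalUnit '<MyOU>' -ResultSize Unlimited )) {
  ForEach($f in (Get-MailboxFolderStatistics $m.Alias)) {
    # Folder identity in the form alias:\folder\path
    $fname = $m.Alias + ":" + $f.FolderPath.Replace("/","\");
    # Keep only permission entries whose user is an unresolved SID (deleted AD account)
    ForEach($p in (Get-MailboxFolderPermission $fname | Where {$_.User -Match "NT User:S-1-5*"} )) {
      # Build the Remove-MailboxFolderPermission command as text, then run it
      $commandString = @('Remove-MailboxFolderPermission -Identity "' + $fname + '" -User "' + $p.Identity + '" -confirm:$false');
      &([scriptblock]::create($commandString));
    }
  }
}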



IMPORTANT: Obviously, automating the Remove-MailboxFolderPermission cmdlet can be potentially disastrous, so if anybody else wants to use this code for their own purposes, I would highly recommend testing in a development environment first, and obviously you do so at your own risk!
0
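
An audit-first variant of the accepted solution, added here as an example and not Paul Huxham's or Experts Exchange's code: it records the matching entries to CSV, then calls Remove-MailboxFolderPermission with directly bound parameters and -WhatIf instead of executing a command string assembled from folder names. The function name Get-OrphanedFolderPermission, the CSV path and the anchored pattern are assumptions; it needs the Exchange 2010 Management Shell.

```powershell
# Added example, not the thread author's script. Run in the Exchange 2010 Management Shell.
# '<MyOU>' is the page's placeholder; the function name and CSV path are assumptions.

# Anchored version of the thread's "NT User:S-1-5*" test: an unresolved SID,
# with or without the "NT User:" prefix.
$OrphanPattern = '^(NT User:)?S-1-5-'

function Get-OrphanedFolderPermission {
    param([Parameter(Mandatory = $true)][string]$OrganizationalUnit)

    foreach ($m in Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited) {
        foreach ($f in Get-MailboxFolderStatistics -Identity $m.Alias) {
            # Same folder identity the accepted solution builds: alias:\folder\path
            $folderId = $m.Alias + ':' + $f.FolderPath.Replace('/', '\')
            # Folders whose permissions cannot be read are skipped, not fatal.
            $perms = Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue
            foreach ($p in $perms) {
                if ("$($p.User)" -match $OrphanPattern) {
                    # New-Object keeps this usable on PowerShell 2.0.
                    New-Object PSObject -Property @{
                        Mailbox      = $m.Alias
                        Folder       = $folderId
                        User         = "$($p.User)"
                        RemoveAs     = "$($p.Identity)"   # value the accepted solution passes to -User
                        AccessRights = ($p.AccessRights -join ',')
                    }
                }
            }
        }
    }
}

# 1. Audit: keep a record of every entry before anything is changed.
$found = @(Get-OrphanedFolderPermission -OrganizationalUnit '<MyOU>')
$found | Export-Csv -Path .\orphaned-folder-permissions.csv -NoTypeInformation

# 2. Remove: parameters are bound directly, so a folder name containing quotes,
#    "$(...)" or ";" stays data and is never parsed as script text.
#    -WhatIf only reports what would be removed; delete it after reviewing the CSV.
foreach ($entry in $found) {
    Remove-MailboxFolderPermission -Identity $entry.Folder -User $entry.RemoveAs -Confirm:$false -WhatIf
}
```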
 
LVL 13

Expert Comment

by:Guy Lidbetter
ID: 40618953
Nicely done Huxham
0
 

Author Closing Comment

by:Paul Huxham
ID: 40627795
This is the solution I achieved myself after hunting around and combining PowerShell scripts from different sources.  This is the only solution provided which answered my initial question.
0
