?
Solved

Exchange 2010 - List all deleted AD accounts with permissions to mailbox folders

Posted on 2015-02-18
10
Medium Priority
?
99 Views
Last Modified: 2015-02-24
Im trying to use Exchange 2010/PowerShell to list all deleted Active Directory accounts which are granted permissions to live Exchange mailbox folders.  I've tried using many different variations of the following, but can't seem to get it to work.

Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolder | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderStatistics | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}

Open in new window


Basically, I want to get all mailboxes in <myOU>, pipe that to Get-MailboxFolderPermission where the username starts with "NT User:S-1-5", ie, is a deleted AD account.  So, I can see any folders in any live mailboxes which have permissions set for deleted AD accounts.

If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermissions" to remove them.

Thanks
0
Comment
Question by:Paul Huxham
  • 5
  • 3
  • 2
10 Comments
 
LVL 13

Expert Comment

by:Guy Lidbetter
ID: 40616632
Hi Huxham

Don't the deleted user account return only the SID.. i.e. S-1-5xxxxxBlah and not "NT User:...."?

So try
Get-Mailbox | Get-MailboxFolderPermission | Where {$_.User -Match "S-1-5*"}

Open in new window

0
 

Author Comment

by:Paul Huxham
ID: 40616764
Hi Guy

Apologies, I should have been clearer.  I've tested the "where" condition, and that works correctly with or without the "NT User" part.  The bit that's actually failing is piping the output from the "Get-Mailbox" to "Get-MailboxFolderPermission", etc.

Thanks
Paul
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40616765
I would modify the script above slightly...See below...
Get-mailbox -ResultSize "unlimited" | Get-MailboxFolderPermission | ? {$_.User -like "S-1-5*"}

Open in new window


If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermissions" to remove them

Once you have tested this all you need to do is the following...
Get-mailbox -ResultSize "unlimited" | Remove-MailboxFolderPermission | ? {$_.User -like "S-1-5*"}

Open in new window


Will.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40616791
The Get-MailboxFolderPermission does accept Pipeline info so there should be no issue piping from Get-mailbox | get-mailboxfolderpermission.

Will.
0
 

Author Comment

by:Paul Huxham
ID: 40616825
Hi Will

Thanks for your message.  Unfortunately, the Get-MailboxPermission command only returns the "Top of Information Store" folder unless the folder name is explicitly named or piped to it.  I want to list any folders rather than just the top level, hence why I had tried using the Get-MailboxFolder and Get-MailboxFolderStatistic commands to pipe to Get-FolderPermission but without success.

Thanks
Paul
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40616906
Could you not use something like below...

Get-mailboxFolder -Identity name:\inbox -recurse | get-mailboxFolderPermission | fl

Will.
0
 

Author Comment

by:Paul Huxham
ID: 40616944
I wish it were that simple.  The Get-MailboxFolder cmdlet only runs against the currently logged in user. Yes, you can't run this cmdlet against another mailbox!
0
 

Accepted Solution

by:
Paul Huxham earned 0 total points
ID: 40618934
OK, I solved this one myself in the end by combining various other PowerShell scripts from lots of different sources.  Here's what I eventually used, and it seems to do exactly what I wanted to achieve.

ForEach($m in (Get-Mailbox -OrganizationalUnit '<MyOU>' -ResultSize Unlimited )) {
 ForEach($f in (Get-MailboxFolderStatistics $m.Alias)) {
  $fname = $m.Alias + ":" + $f.FolderPath.Replace("/","\");
  ForEach($p in (Get-MailboxFolderPermission $fname | Where {$_.User -Match "NT User:S-1-5*"} )) {
	$commandString = @('Remove-MailboxFolderPermission -Identity "' + $fname + '" -User "' + $p.Identity + '" -confirm:$false');
	&([scriptblock]::create($commandString));
    }
  }
}

Open in new window


IMPORTANT: Obviously, automating the Remove-MailboxFolderPermission cmdlet can be potentially disasterous, so if anybody else wants to use this code for their own purposes, I would highly recommend testing in a development environment first, and obviously you do so at your own risk!
0
 
LVL 13

Expert Comment

by:Guy Lidbetter
ID: 40618953
Nicely done Huxham
0
 

Author Closing Comment

by:Paul Huxham
ID: 40627795
This is the solution I achieved myself after hunting around and combining PowerShell scripts from different sources.  This is the only solution provided which answered my initial question.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Upgrading from older Exchange server to the latest Exchange server can be tiresome, error-prone and risky, without being a seasoned exchange server administrators. It can become even problematic if you're an organization that runs on tight timeline…
Organisation is organized in a pattern to flow the day to day business, every application and system is interdepended on each other and when very important “Exchange Server downtime” happened.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Loops Section Overview
Suggested Courses

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question