Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Exchange 2010 - List all deleted AD accounts with permissions to mailbox folders

Posted on 2015-02-18
10
Medium Priority
?
94 Views
Last Modified: 2015-02-24
Im trying to use Exchange 2010/PowerShell to list all deleted Active Directory accounts which are granted permissions to live Exchange mailbox folders.  I've tried using many different variations of the following, but can't seem to get it to work.

Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolder | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}
Get-MailBox -OrganizationalUnit '<myOU>' | Get-MailboxFolderStatistics | Get-MailboxFolderPermission | Where {$_.User -Match "NT User:S-1-5*"}

Open in new window


Basically, I want to get all mailboxes in <myOU>, pipe that to Get-MailboxFolderPermission where the username starts with "NT User:S-1-5", ie, is a deleted AD account.  So, I can see any folders in any live mailboxes which have permissions set for deleted AD accounts.

If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermissions" to remove them.

Thanks
0
Comment
Question by:Paul Huxham
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
10 Comments
 
LVL 13

Expert Comment

by:Guy Lidbetter
ID: 40616632
Hi Huxham

Don't the deleted user account return only the SID.. i.e. S-1-5xxxxxBlah and not "NT User:...."?

So try
Get-Mailbox | Get-MailboxFolderPermission | Where {$_.User -Match "S-1-5*"}

Open in new window

0
 

Author Comment

by:Paul Huxham
ID: 40616764
Hi Guy

Apologies, I should have been clearer.  I've tested the "where" condition, and that works correctly with or without the "NT User" part.  The bit that's actually failing is piping the output from the "Get-Mailbox" to "Get-MailboxFolderPermission", etc.

Thanks
Paul
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40616765
I would modify the script above slightly...See below...
Get-mailbox -ResultSize "unlimited" | Get-MailboxFolderPermission | ? {$_.User -like "S-1-5*"}

Open in new window


If I can get this to work, I would eventually like to pipe the output to "Remove-MailboxFolderPermissions" to remove them

Once you have tested this all you need to do is the following...
Get-mailbox -ResultSize "unlimited" | Remove-MailboxFolderPermission | ? {$_.User -like "S-1-5*"}

Open in new window


Will.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40616791
The Get-MailboxFolderPermission does accept Pipeline info so there should be no issue piping from Get-mailbox | get-mailboxfolderpermission.

Will.
0
 

Author Comment

by:Paul Huxham
ID: 40616825
Hi Will

Thanks for your message.  Unfortunately, the Get-MailboxPermission command only returns the "Top of Information Store" folder unless the folder name is explicitly named or piped to it.  I want to list any folders rather than just the top level, hence why I had tried using the Get-MailboxFolder and Get-MailboxFolderStatistic commands to pipe to Get-FolderPermission but without success.

Thanks
Paul
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40616906
Could you not use something like below...

Get-mailboxFolder -Identity name:\inbox -recurse | get-mailboxFolderPermission | fl

Will.
0
 

Author Comment

by:Paul Huxham
ID: 40616944
I wish it were that simple.  The Get-MailboxFolder cmdlet only runs against the currently logged in user. Yes, you can't run this cmdlet against another mailbox!
0
 

Accepted Solution

by:
Paul Huxham earned 0 total points
ID: 40618934
OK, I solved this one myself in the end by combining various other PowerShell scripts from lots of different sources.  Here's what I eventually used, and it seems to do exactly what I wanted to achieve.

ForEach($m in (Get-Mailbox -OrganizationalUnit '<MyOU>' -ResultSize Unlimited )) {
 ForEach($f in (Get-MailboxFolderStatistics $m.Alias)) {
  $fname = $m.Alias + ":" + $f.FolderPath.Replace("/","\");
  ForEach($p in (Get-MailboxFolderPermission $fname | Where {$_.User -Match "NT User:S-1-5*"} )) {
	$commandString = @('Remove-MailboxFolderPermission -Identity "' + $fname + '" -User "' + $p.Identity + '" -confirm:$false');
	&([scriptblock]::create($commandString));
    }
  }
}

Open in new window


IMPORTANT: Obviously, automating the Remove-MailboxFolderPermission cmdlet can be potentially disasterous, so if anybody else wants to use this code for their own purposes, I would highly recommend testing in a development environment first, and obviously you do so at your own risk!
0
 
LVL 13

Expert Comment

by:Guy Lidbetter
ID: 40618953
Nicely done Huxham
0
 

Author Closing Comment

by:Paul Huxham
ID: 40627795
This is the solution I achieved myself after hunting around and combining PowerShell scripts from different sources.  This is the only solution provided which answered my initial question.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question