Unable to remove user account from Exchange Server 2010 Mailbox


I'm trying to delete an old account from an existing shared mailbox using the Exchange Management Console (2010 SP3), but somehow I always end up with this error:

Summary: 1 item(s). 1 succeeded, 0 failed.
Elapsed time: 00:00:00


Can't remove the access control entry on the object "CN=Receptionist,OU=Users,DC=DOMAIN,DC=com" for account "DOMAIN\admin1" because the ACE doesn't exist on the object.

Exchange Management Shell command completed:
Remove-MailboxPermission -Identity 'CN=Receptionist,OU=Users,DC=DOMAIN,DC=com' -User 'DOMAIN\admin1' -InheritanceType 'Descendents' -AccessRights 'FullAccess'

Elapsed Time: 00:00:00


Can anyone please assist me with this issue?

Senior IT System Engineer (IT Professional) asked:

Senior IT System Engineer (IT Professional), author, commented:
I've tried with

-InheritanceType 'All' -AccessRights 'FullAccess' -Deny


but still no good, it ends up with the same issue.
Could you try to access the mailbox using the Exchange Management interface rather than using PowerShell cmdlets?
Senior IT System Engineer (IT Professional), author, commented:
Already did, hence I got the first error message.

Is domain\admin1 actually listed as having direct access, versus having inherited access because of another group of which domain\admin1 is a member?
Senior IT System Engineer (IT Professional), author, commented:
How do I determine that?

I'm not sure what you mean...
If you go to the shared mailbox, does it include domain\admin1 as an individual account that you can then remove?

Searching for the error
"because the ACE doesn't exist"

The indication is that the access is granted through AD and not through the mailbox.
A suggestion is to use Remove-ADPermission (see the cmdlet reference).

Is domain\admin1 a member of Administrators, Domain Admins, etc.?
Hello World commented:

Please run below command to check the mailbox folder permission for this shared mailbox:
Get-MailboxPermission room | Select-Object User, AccessRights
Get-MailboxFolderPermission "room:\calendar" | FL

If the user has been deleted in AD, all permissions and memberships associated with that user account are permanently deleted.  For your reference: https://technet.microsoft.com/en-us/library/cc779035(v=ws.10).aspx
Senior IT System Engineer (IT Professional), author, commented:
Hi Ya Li,
this is a normal mailbox, not a room:\calendar.
Give the Exchange Trusted Subsystem account Full Control over the user account.

Senior IT System Engineer (IT Professional), author, commented:
OK, I'll try that on Monday when I'm in the office.

So after that I can remove the account permission?
Senior IT System Engineer (IT Professional), author, commented:
Hi JoeNSW,

somehow the trick didn't work.

I've granted the Exchange Trusted Subsystem Full permission on the account, but it still didn't work as expected, with the same error message.

Senior IT System Engineer (IT Professional), author, commented:
Yes, from the old Exchange Server 2007 to 2010.

But for the AD domain it remains one.
mohammad bazzari (Microsoft Infrastructure Expert) commented:
After the source account is migrated with sIDHistory, the account gets a new objectSID and a sIDHistory. The mailbox security descriptor for the target mailbox only contains the sIDHistory of the account but NOT the new objectSID. Remove-MailboxPermission only makes a lookup for the objectSID of the account to be removed, but it doesn't check whether this account has a sIDHistory.

To solve the problem, please install the Exchange 2007 Management Tools and try to remove it from there.

Good Luck
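The following diagnostic is an added example, not code posted by anyone in this thread. It addresses two questions raised above: whether DOMAIN\admin1 holds a direct (non-inherited) entry on the mailbox, and whether the entry in the mailbox security descriptor was written against the account's sIDHistory rather than its current objectSID, as described in the answer above. It assumes it runs in the Exchange Management Shell on a host with the RSAT ActiveDirectory module, and it assumes (not confirmed by the thread) that the msExchMailboxSecurityDescriptor attribute on the mailbox user object mirrors the mailbox ACL; the identity and account name are the ones quoted in the question.

```powershell
# Added diagnostic script, not from the thread. Assumes Exchange Management Shell
# plus the RSAT ActiveDirectory module, and that msExchMailboxSecurityDescriptor
# mirrors the mailbox ACL (assumption).
Import-Module ActiveDirectory

$mailboxDn  = 'CN=Receptionist,OU=Users,DC=DOMAIN,DC=com'   # identity from the question
$samAccount = 'admin1'                                      # DOMAIN\admin1 from the question

# 1. Direct vs inherited: only entries with IsInherited = False can be removed on this object.
Get-MailboxPermission -Identity $mailboxDn |
    Where-Object { $_.User -like "*\$samAccount" } |
    Select-Object User, AccessRights, IsInherited, Deny

# 2. SIDs of the account being removed: current objectSID plus any sIDHistory left by migration.
$acct        = Get-ADUser -Identity $samAccount -Properties objectSid, sIDHistory
$currentSid  = $acct.objectSid.Value
$historySids = @($acct.sIDHistory | ForEach-Object { $_.Value })

# 3. Raw ACEs of the mailbox security descriptor, matched against those SIDs.
$mbx = Get-ADUser -Identity $mailboxDn -Properties msExchMailboxSecurityDescriptor
$sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor(
           [byte[]]$mbx.msExchMailboxSecurityDescriptor, 0)

foreach ($ace in $sd.DiscretionaryAcl) {
    $sid   = $ace.SecurityIdentifier.Value
    $match = if ($sid -eq $currentSid)            { 'current objectSID' }
             elseif ($historySids -contains $sid) { 'sIDHistory only (stale)' }
             else                                 { '' }
    '{0,-46} {1,-12} {2}' -f $sid, $ace.AceType, $match
}
```

If the only ACE that matches the account is tagged "sIDHistory only (stale)", the name resolves in Get-MailboxPermission output (AD resolves sIDHistory SIDs to the account), but Remove-MailboxPermission searches for the current objectSID and reports that the ACE does not exist, which is the failure shown in the question. An ACE tagged "current objectSID" with IsInherited = True points instead at group or parent-object inheritance, which is the other case raised earlier in the thread.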
Senior IT System Engineer (IT Professional), author, commented:
@mohammad: so, installing only the Exchange 2007 Management Console on my spare laptop, is that safe in my current AD / production environment?
mohammad bazzari (Microsoft Infrastructure Expert) commented:
Yes, it's just the management console; it will not affect your current system.
Senior IT System Engineer (IT Professional), author, commented:
Somehow I still cannot remove the user account using the Exchange Server 2007 Management Console?
Senior IT System Engineer (IT Professional), author, commented:
Thanks!