Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

remove the delegate attribute or shared mailbox attribute from a user mailbox

Posted on 2016-07-27
8
Medium Priority
?
502 Views
Last Modified: 2016-08-17
We have an Exchange 2010 environment.  We have a Barracuda Message Archiver.

A feature of barracuda archiver is the ability to search shared mailboxes, which is great for legitimate shared mailboxes, however there is a flaw in the design... if USER1 in outlook uses the "Delegate Access" tool to assign permissions to their calendar (leaving 'none' on the inbox) to USER2, the delegate USER2 automatically gets the ability to search everything in this users mailbox archive.  USER1 didn't give USER2 permission to their emails, only to their calendar, and in outlook that's what USER2 can see, but in Barracuda they can search for everything back to the beginning of time.  This is not good.  The fix would be to remove USER2 from USER1's delegate list completely, and then grant USER 2 permission to the calendar folder in outlook (using folder permissions).  I've contacted Barracuda Support and they said there isn't anything they can do at this time and that they'd look into adding it as a feature in the future, but for now the barracuda system simply looks for the LDAP attribute that specifies the mailbox as shared and to who, and for whatever reason outlook tags the user mailbox as a shared mailbox when the delegate access tool is used.

So here's the problem, when you remove the user from the delegate list, it also removes the users permission from the calendar folder (if that's what was previously granted), so you have to document the permissions before removing the user from the list and then manually re-add the appropriate folder permissions.  This is fine for a couple mailboxes, but we have this issue on hundreds, so...

What I'd like to accomplish is a script or powershell command that would simply remove the "shared mailbox" or "delegate" attribute from the user mailbox leaving the folder permissions in place that were set by the delegate access tool.

I hope this makes sense.
Thanks,
Steve
0
Comment
Question by:Lambton
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
8 Comments
 
LVL 43

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41731985
The attribute you're looking for is publicDelegates in AD. However, that may not be what their application is looking at. If it's looking at the exact mailbox permissions ACL you would need to go into powershell and remove the root permissions of the user, then grant them the permissions you would like.
0
 
LVL 12

Expert Comment

by:Tej Pratap Shukla ~Dexter
ID: 41732358
Hi
Just run below command for removing delegate attribute from user mailbox:
Remove-MailboxPermission -Identity shared-mailbox -User user-alias -AccessRights FullAccess -InheritanceType All

Open in new window

0
 

Author Comment

by:Lambton
ID: 41733016
@acbrown2010 - I believe that is the very attribute they look for, I don't believe they're looking for exact mailbox acl, however I've reopened the case with barracuda to confirm exactly what attribute they look for.

@ Tej/Dexter - thanks for that command, I'll create a test mailbox and try this out
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Lambton
ID: 41733077
Update from barracuda:
•      Shared Mailboxes –  Mailbox sharing is determined using the following attributes:
MSExchDelegateListLink
PublicDelegates

Based on this information, what could I do to remove the public delegate attribute from users that don't require it (powershell script/command preferred).
0
 

Author Comment

by:Lambton
ID: 41733308
So I've tested this theory, and If I edit the User1 PublicDelegates attribute in AD, and remove User2 from this attribute, the barracuda search no longer shows the User1 in the list of specific folders to search, (which is what I want), yet the User1 retains all the folder permissions they had before (calendar, contacts access etc) for User2.

So what I need is a script or command to edit (or clear) this attribute (PublicDelegates) on a list of users in AD.  Can anyone help with this?

Thanks very much!
/Steve
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 41752756
Sorry for the delay...Let me write a quick script up for you. I'll have to test it, just letting you know what's up.
0
 

Author Comment

by:Lambton
ID: 41759382
Hey there - sorry for the long pause...  other issues arose that trumped this one.

I ended up basically manually editing the PublicDelegates attribute on each affected user to remove this - it did the trick, it was a little tedious, but it worked and that's all that matters now  ;-)

Thanks!
0
 

Author Closing Comment

by:Lambton
ID: 41759387
Thanks Adam - removing the PublicDelegates attribute was the key.

Steve
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question