Remove the delegate attribute or shared mailbox attribute from a user mailbox
Posted on 2016-07-27
We have an Exchange 2010 environment. We have a Barracuda Message Archiver.
A feature of the Barracuda archiver is the ability to search shared mailboxes, which is great for legitimate shared mailboxes; however, there is a flaw in the design. If USER1 in Outlook uses the "Delegate Access" tool to assign permissions to their calendar (leaving 'None' on the inbox) to USER2, the delegate USER2 automatically gets the ability to search everything in this user's mailbox archive. USER1 didn't give USER2 permission to their emails, only to their calendar, and in Outlook that's what USER2 can see, but in Barracuda they can search for everything back to the beginning of time. This is not good.

The fix would be to remove USER2 from USER1's delegate list completely, and then grant USER2 permission to the calendar folder in Outlook (using folder permissions). I've contacted Barracuda Support and they said there isn't anything they can do at this time and that they'd look into adding it as a feature in the future, but for now the Barracuda system simply looks for the LDAP attribute that specifies the mailbox as shared and to whom, and for whatever reason Outlook tags the user mailbox as a shared mailbox when the Delegate Access tool is used.
So here's the problem: when you remove the user from the delegate list, it also removes the user's permission from the calendar folder (if that's what was previously granted), so you have to document the permissions before removing the user from the list and then manually re-add the appropriate folder permissions. This is fine for a couple of mailboxes, but we have this issue on hundreds, so...
What I'd like to accomplish is a script or PowerShell command that would simply remove the "shared mailbox" or "delegate" attribute from the user mailbox, leaving in place the folder permissions that were set by the Delegate Access tool.
I hope this makes sense.
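As an added example (not from the original post, nor from Barracuda or Microsoft), here is a PowerShell sketch of the document-then-restore step described above, for the Exchange 2010 Management Shell: it snapshots each owner's Calendar folder permissions to CSV, removes the delegate entry without going through the Outlook delegate tool, and then re-adds any Calendar permission that went missing. It assumes that the Outlook delegate list corresponds to the mailbox's Send-on-Behalf entries (the AD `publicDelegates` attribute) and that a constructed `delegate-pairs.csv` with `Owner,Delegate` columns has been prepared; both are assumptions, and the user matching is by display name.

```powershell
# Added example, not part of the original post. Run in the Exchange 2010 Management Shell.
# Assumption: the Outlook delegate list maps to Send-on-Behalf (AD publicDelegates).
# Input is a constructed CSV with two columns: Owner,Delegate (one pair per row).
$PairsCsv = ".\delegate-pairs.csv"
$Snapshot = ".\calendar-perms-before.csv"
$pairs    = Import-Csv $PairsCsv

# Step 1: document the Calendar permissions before touching anything.
# Default and Anonymous always exist on a folder, so they are not part of the snapshot.
$before = foreach ($p in $pairs) {
    Get-MailboxFolderPermission -Identity "$($p.Owner):\Calendar" -ErrorAction Stop |
        Where-Object { $_.User.DisplayName -notin @('Default', 'Anonymous') } |
        Select-Object @{ n = 'Owner';        e = { $p.Owner } },
                      @{ n = 'User';         e = { $_.User.DisplayName } },
                      @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } }
}
$before | Export-Csv $Snapshot -NoTypeInformation

# Step 2: remove only the delegate (Send-on-Behalf) entry for each pair.
foreach ($p in $pairs) {
    Set-Mailbox -Identity $p.Owner -GrantSendOnBehalfTo @{ Remove = $p.Delegate }
}

# Step 3: compare against the snapshot and restore any Calendar permission that changed.
foreach ($row in $before) {
    $now = Get-MailboxFolderPermission -Identity "$($row.Owner):\Calendar" -ErrorAction Stop |
        Where-Object { $_.User.DisplayName -eq $row.User }
    $wanted = $row.AccessRights -split ','
    if (-not $now) {
        Add-MailboxFolderPermission -Identity "$($row.Owner):\Calendar" -User $row.User -AccessRights $wanted
    }
    elseif (($now.AccessRights -join ',') -ne $row.AccessRights) {
        Set-MailboxFolderPermission -Identity "$($row.Owner):\Calendar" -User $row.User -AccessRights $wanted
    }
}
```

The snapshot CSV doubles as the audit record of who held what on each calendar before the change, which is worth keeping regardless of whether the removal turns out to strip folder permissions.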