remove the delegate attribute or shared mailbox attribute from a user mailbox

We have an Exchange 2010 environment.  We have a Barracuda Message Archiver.

A feature of barracuda archiver is the ability to search shared mailboxes, which is great for legitimate shared mailboxes, however there is a flaw in the design... if USER1 in outlook uses the "Delegate Access" tool to assign permissions to their calendar (leaving 'none' on the inbox) to USER2, the delegate USER2 automatically gets the ability to search everything in this users mailbox archive.  USER1 didn't give USER2 permission to their emails, only to their calendar, and in outlook that's what USER2 can see, but in Barracuda they can search for everything back to the beginning of time.  This is not good.  The fix would be to remove USER2 from USER1's delegate list completely, and then grant USER 2 permission to the calendar folder in outlook (using folder permissions).  I've contacted Barracuda Support and they said there isn't anything they can do at this time and that they'd look into adding it as a feature in the future, but for now the barracuda system simply looks for the LDAP attribute that specifies the mailbox as shared and to who, and for whatever reason outlook tags the user mailbox as a shared mailbox when the delegate access tool is used.

So here's the problem, when you remove the user from the delegate list, it also removes the users permission from the calendar folder (if that's what was previously granted), so you have to document the permissions before removing the user from the list and then manually re-add the appropriate folder permissions.  This is fine for a couple mailboxes, but we have this issue on hundreds, so...

What I'd like to accomplish is a script or powershell command that would simply remove the "shared mailbox" or "delegate" attribute from the user mailbox leaving the folder permissions in place that were set by the delegate access tool.

I hope this makes sense.
Thanks,
Steve
LambtonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSr Solutions ArchitectCommented:
The attribute you're looking for is publicDelegates in AD. However, that may not be what their application is looking at. If it's looking at the exact mailbox permissions ACL you would need to go into powershell and remove the root permissions of the user, then grant them the permissions you would like.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tej Pratap Shukla ~DexterServer AdministratorCommented:
Hi
Just run below command for removing delegate attribute from user mailbox:
Remove-MailboxPermission -Identity shared-mailbox -User user-alias -AccessRights FullAccess -InheritanceType All

Open in new window

0
LambtonAuthor Commented:
@acbrown2010 - I believe that is the very attribute they look for, I don't believe they're looking for exact mailbox acl, however I've reopened the case with barracuda to confirm exactly what attribute they look for.

@ Tej/Dexter - thanks for that command, I'll create a test mailbox and try this out
0
Hey MSSPs! What's your total cost of ownership?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

LambtonAuthor Commented:
Update from barracuda:
•      Shared Mailboxes –  Mailbox sharing is determined using the following attributes:
MSExchDelegateListLink
PublicDelegates

Based on this information, what could I do to remove the public delegate attribute from users that don't require it (powershell script/command preferred).
0
LambtonAuthor Commented:
So I've tested this theory, and If I edit the User1 PublicDelegates attribute in AD, and remove User2 from this attribute, the barracuda search no longer shows the User1 in the list of specific folders to search, (which is what I want), yet the User1 retains all the folder permissions they had before (calendar, contacts access etc) for User2.

So what I need is a script or command to edit (or clear) this attribute (PublicDelegates) on a list of users in AD.  Can anyone help with this?

Thanks very much!
/Steve
0
Adam BrownSr Solutions ArchitectCommented:
Sorry for the delay...Let me write a quick script up for you. I'll have to test it, just letting you know what's up.
0
LambtonAuthor Commented:
Hey there - sorry for the long pause...  other issues arose that trumped this one.

I ended up basically manually editing the PublicDelegates attribute on each affected user to remove this - it did the trick, it was a little tedious, but it worked and that's all that matters now  ;-)

Thanks!
0
LambtonAuthor Commented:
Thanks Adam - removing the PublicDelegates attribute was the key.

Steve
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.