Solved

remove the delegate attribute or shared mailbox attribute from a user mailbox

Posted on 2016-07-27
Last Modified: 2016-08-17
We have an Exchange 2010 environment.  We have a Barracuda Message Archiver.

A feature of Barracuda archiver is the ability to search shared mailboxes, which is great for legitimate shared mailboxes, however there is a flaw in the design... if USER1 in Outlook uses the "Delegate Access" tool to assign permissions to their calendar (leaving 'none' on the inbox) to USER2, the delegate USER2 automatically gets the ability to search everything in this user's mailbox archive. USER1 didn't give USER2 permission to their emails, only to their calendar, and in Outlook that's what USER2 can see, but in Barracuda they can search for everything back to the beginning of time. This is not good. The fix would be to remove USER2 from USER1's delegate list completely, and then grant USER2 permission to the calendar folder in Outlook (using folder permissions). I've contacted Barracuda Support and they said there isn't anything they can do at this time and that they'd look into adding it as a feature in the future, but for now the Barracuda system simply looks for the LDAP attribute that specifies the mailbox as shared and to who, and for whatever reason Outlook tags the user mailbox as a shared mailbox when the delegate access tool is used.

So here's the problem: when you remove the user from the delegate list, it also removes the user's permission from the calendar folder (if that's what was previously granted), so you have to document the permissions before removing the user from the list and then manually re-add the appropriate folder permissions. This is fine for a couple of mailboxes, but we have this issue on hundreds, so...

What I'd like to accomplish is a script or PowerShell command that would simply remove the "shared mailbox" or "delegate" attribute from the user mailbox, leaving the folder permissions in place that were set by the delegate access tool.

I hope this makes sense.
Thanks,
Steve
Question by:Lambton
Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41731985
The attribute you're looking for is publicDelegates in AD. However, that may not be what their application is looking at. If it's looking at the exact mailbox permissions ACL, you would need to go into PowerShell and remove the root permissions of the user, then grant them the permissions you would like.

Expert Comment

by:Tej Pratap Shukla ~Dexter
ID: 41732358
Hi
Just run below command for removing delegate attribute from user mailbox:
Remove-MailboxPermission -Identity shared-mailbox -User user-alias -AccessRights FullAccess -InheritanceType All


Author Comment

by:Lambton
ID: 41733016
@acbrown2010 - I believe that is the very attribute they look for, I don't believe they're looking for exact mailbox ACL, however I've reopened the case with Barracuda to confirm exactly what attribute they look for.

@ Tej/Dexter - thanks for that command, I'll create a test mailbox and try this out

Author Comment

by:Lambton
ID: 41733077
Update from Barracuda:
• Shared Mailboxes – Mailbox sharing is determined using the following attributes:
  MSExchDelegateListLink
  PublicDelegates

Based on this information, what could I do to remove the public delegate attribute from users that don't require it (PowerShell script/command preferred)?

Author Comment

by:Lambton
ID: 41733308
So I've tested this theory, and if I edit the User1 PublicDelegates attribute in AD, and remove User2 from this attribute, the Barracuda search no longer shows the User1 in the list of specific folders to search (which is what I want), yet the User1 retains all the folder permissions they had before (calendar, contacts access etc.) for User2.

So what I need is a script or command to edit (or clear) this attribute (PublicDelegates) on a list of users in AD.  Can anyone help with this?

Thanks very much!
/Steve

Expert Comment

by:Adam Brown
ID: 41752756
Sorry for the delay...Let me write a quick script up for you. I'll have to test it, just letting you know what's up.

Author Comment

by:Lambton
ID: 41759382
Hey there - sorry for the long pause...  other issues arose that trumped this one.

I ended up basically manually editing the PublicDelegates attribute on each affected user to remove this - it did the trick, it was a little tedious, but it worked and that's all that matters now  ;-)

Thanks!

Author Closing Comment

by:Lambton
ID: 41759387
Thanks Adam - removing the PublicDelegates attribute was the key.

Steve
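
The bulk edit asked for in this thread, as an added example that is not part of any poster's reply: it records each listed user's current publicDelegates value, then removes one delegate from the attribute (or clears it), which is the change the author reports testing by hand. It assumes the ActiveDirectory RSAT module is installed; the parameter names and file paths are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # One mailbox owner sAMAccountName per line (hypothetical file name)
    [string]$UserList  = '.\affected-users.txt',
    # Pre-change values are written here so they can be restored (hypothetical file name)
    [string]$BackupCsv = '.\publicDelegates-backup.csv',
    # Optional: remove only this delegate; if omitted, the attribute is cleared
    [string]$Delegate
)

# Resolve the delegate to a distinguished name, the form stored in publicDelegates
$delegateDn = $null
if ($Delegate) { $delegateDn = (Get-ADUser -Identity $Delegate).DistinguishedName }

# Load only the owners that actually have delegates set
$owners = Get-Content -Path $UserList |
    Where-Object { $_.Trim() } |
    ForEach-Object { Get-ADUser -Identity $_.Trim() -Properties publicDelegates } |
    Where-Object { $_.publicDelegates.Count -gt 0 }

# Record current values before touching anything (written even during -WhatIf)
$owners |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name = 'PublicDelegates'; Expression = { $_.publicDelegates -join '|' } } |
    Export-Csv -Path $BackupCsv -NoTypeInformation -WhatIf:$false

foreach ($owner in $owners) {
    if ($delegateDn) {
        # Targeted removal: leave other delegates on the mailbox alone
        if ($owner.publicDelegates -notcontains $delegateDn) { continue }
        if ($PSCmdlet.ShouldProcess($owner.SamAccountName, "Remove $delegateDn from publicDelegates")) {
            Set-ADUser -Identity $owner -Remove @{ publicDelegates = $delegateDn }
        }
    }
    elseif ($PSCmdlet.ShouldProcess($owner.SamAccountName, 'Clear publicDelegates')) {
        Set-ADUser -Identity $owner -Clear publicDelegates
    }
}
```

Running it with -WhatIf first produces the backup CSV and lists the accounts that would change without modifying them. Only publicDelegates is edited; msExchDelegateListLink, the other attribute Barracuda named, is left untouched.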