Solved

remove the delegate attribute or shared mailbox attribute from a user mailbox

Posted on 2016-07-27
8
223 Views
Last Modified: 2016-08-17
We have an Exchange 2010 environment.  We have a Barracuda Message Archiver.

A feature of barracuda archiver is the ability to search shared mailboxes, which is great for legitimate shared mailboxes, however there is a flaw in the design... if USER1 in outlook uses the "Delegate Access" tool to assign permissions to their calendar (leaving 'none' on the inbox) to USER2, the delegate USER2 automatically gets the ability to search everything in this users mailbox archive.  USER1 didn't give USER2 permission to their emails, only to their calendar, and in outlook that's what USER2 can see, but in Barracuda they can search for everything back to the beginning of time.  This is not good.  The fix would be to remove USER2 from USER1's delegate list completely, and then grant USER 2 permission to the calendar folder in outlook (using folder permissions).  I've contacted Barracuda Support and they said there isn't anything they can do at this time and that they'd look into adding it as a feature in the future, but for now the barracuda system simply looks for the LDAP attribute that specifies the mailbox as shared and to who, and for whatever reason outlook tags the user mailbox as a shared mailbox when the delegate access tool is used.

So here's the problem, when you remove the user from the delegate list, it also removes the users permission from the calendar folder (if that's what was previously granted), so you have to document the permissions before removing the user from the list and then manually re-add the appropriate folder permissions.  This is fine for a couple mailboxes, but we have this issue on hundreds, so...

What I'd like to accomplish is a script or powershell command that would simply remove the "shared mailbox" or "delegate" attribute from the user mailbox leaving the folder permissions in place that were set by the delegate access tool.

I hope this makes sense.
Thanks,
Steve
0
Comment
Question by:Lambton
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
8 Comments
 
LVL 40

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41731985
The attribute you're looking for is publicDelegates in AD. However, that may not be what their application is looking at. If it's looking at the exact mailbox permissions ACL you would need to go into powershell and remove the root permissions of the user, then grant them the permissions you would like.
0
 
LVL 11

Expert Comment

by:Tej Pratap Shukla ~Dexter
ID: 41732358
Hi
Just run below command for removing delegate attribute from user mailbox:
Remove-MailboxPermission -Identity shared-mailbox -User user-alias -AccessRights FullAccess -InheritanceType All

Open in new window

0
 

Author Comment

by:Lambton
ID: 41733016
@acbrown2010 - I believe that is the very attribute they look for, I don't believe they're looking for exact mailbox acl, however I've reopened the case with barracuda to confirm exactly what attribute they look for.

@ Tej/Dexter - thanks for that command, I'll create a test mailbox and try this out
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:Lambton
ID: 41733077
Update from barracuda:
•      Shared Mailboxes –  Mailbox sharing is determined using the following attributes:
MSExchDelegateListLink
PublicDelegates

Based on this information, what could I do to remove the public delegate attribute from users that don't require it (powershell script/command preferred).
0
 

Author Comment

by:Lambton
ID: 41733308
So I've tested this theory, and If I edit the User1 PublicDelegates attribute in AD, and remove User2 from this attribute, the barracuda search no longer shows the User1 in the list of specific folders to search, (which is what I want), yet the User1 retains all the folder permissions they had before (calendar, contacts access etc) for User2.

So what I need is a script or command to edit (or clear) this attribute (PublicDelegates) on a list of users in AD.  Can anyone help with this?

Thanks very much!
/Steve
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 41752756
Sorry for the delay...Let me write a quick script up for you. I'll have to test it, just letting you know what's up.
0
 

Author Comment

by:Lambton
ID: 41759382
Hey there - sorry for the long pause...  other issues arose that trumped this one.

I ended up basically manually editing the PublicDelegates attribute on each affected user to remove this - it did the trick, it was a little tedious, but it worked and that's all that matters now  ;-)

Thanks!
0
 

Author Closing Comment

by:Lambton
ID: 41759387
Thanks Adam - removing the PublicDelegates attribute was the key.

Steve
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Changing a few Outlook Options can help keep you organized!
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
This video discusses moving either the default database or any database to a new volume.

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question