remove the delegate attribute or shared mailbox attribute from a user mailbox

Lambton
Lambton used Ask the Experts™
on
We have an Exchange 2010 environment.  We have a Barracuda Message Archiver.

A feature of barracuda archiver is the ability to search shared mailboxes, which is great for legitimate shared mailboxes, however there is a flaw in the design... if USER1 in outlook uses the "Delegate Access" tool to assign permissions to their calendar (leaving 'none' on the inbox) to USER2, the delegate USER2 automatically gets the ability to search everything in this users mailbox archive.  USER1 didn't give USER2 permission to their emails, only to their calendar, and in outlook that's what USER2 can see, but in Barracuda they can search for everything back to the beginning of time.  This is not good.  The fix would be to remove USER2 from USER1's delegate list completely, and then grant USER 2 permission to the calendar folder in outlook (using folder permissions).  I've contacted Barracuda Support and they said there isn't anything they can do at this time and that they'd look into adding it as a feature in the future, but for now the barracuda system simply looks for the LDAP attribute that specifies the mailbox as shared and to who, and for whatever reason outlook tags the user mailbox as a shared mailbox when the delegate access tool is used.

So here's the problem, when you remove the user from the delegate list, it also removes the users permission from the calendar folder (if that's what was previously granted), so you have to document the permissions before removing the user from the list and then manually re-add the appropriate folder permissions.  This is fine for a couple mailboxes, but we have this issue on hundreds, so...

What I'd like to accomplish is a script or powershell command that would simply remove the "shared mailbox" or "delegate" attribute from the user mailbox leaving the folder permissions in place that were set by the delegate access tool.

I hope this makes sense.
Thanks,
Steve
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Senior Systems Admin
Top Expert 2010
Commented:
The attribute you're looking for is publicDelegates in AD. However, that may not be what their application is looking at. If it's looking at the exact mailbox permissions ACL you would need to go into powershell and remove the root permissions of the user, then grant them the permissions you would like.
Tej Pratap Shukla ~DexterServer Administrator

Commented:
Hi
Just run below command for removing delegate attribute from user mailbox:
Remove-MailboxPermission -Identity shared-mailbox -User user-alias -AccessRights FullAccess -InheritanceType All

Open in new window

Author

Commented:
@acbrown2010 - I believe that is the very attribute they look for, I don't believe they're looking for exact mailbox acl, however I've reopened the case with barracuda to confirm exactly what attribute they look for.

@ Tej/Dexter - thanks for that command, I'll create a test mailbox and try this out
Should you be charging more for IT Services?

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
Update from barracuda:
•      Shared Mailboxes –  Mailbox sharing is determined using the following attributes:
MSExchDelegateListLink
PublicDelegates

Based on this information, what could I do to remove the public delegate attribute from users that don't require it (powershell script/command preferred).

Author

Commented:
So I've tested this theory, and If I edit the User1 PublicDelegates attribute in AD, and remove User2 from this attribute, the barracuda search no longer shows the User1 in the list of specific folders to search, (which is what I want), yet the User1 retains all the folder permissions they had before (calendar, contacts access etc) for User2.

So what I need is a script or command to edit (or clear) this attribute (PublicDelegates) on a list of users in AD.  Can anyone help with this?

Thanks very much!
/Steve
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Sorry for the delay...Let me write a quick script up for you. I'll have to test it, just letting you know what's up.

Author

Commented:
Hey there - sorry for the long pause...  other issues arose that trumped this one.

I ended up basically manually editing the PublicDelegates attribute on each affected user to remove this - it did the trick, it was a little tedious, but it worked and that's all that matters now  ;-)

Thanks!

Author

Commented:
Thanks Adam - removing the PublicDelegates attribute was the key.

Steve

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial