Albert Widjaja asked:

Unable to delete old user due to ACE issue?

Hi All,

I'm running Exchange Server 2013 Standard edition, and I tried to remove some of the old AD accounts from accessing the shared mailbox, using the PowerShell commands:
Get the SID: Get-ADUser -Identity Kacung.Semprul
Remove the user: Remove-MailboxPermission -Identity Shared-MBX-1 -User "S-1-5-21-3684462478-1056977450-1152882164-8921" -AccessRights FullAccess -InheritanceType All -Deny:$true

But somehow I cannot go through due to this error:
can't remove the access control entry on the object because the ace doesn't exist on the object

I've tried:
https://social.technet.microsoft.com/wiki/contents/articles/31321.exchange-serveronline-the-ace-doesn-t-exist-on-the-object.aspx
http://clintboessen.blogspot.com.au/2015/04/unable-to-remove-mailbox-permission-in.html

But still not working for me.
ASKER CERTIFIED SOLUTION
S_K_S

This solution is only available to members.

ASKER

Yes, I did that already, but it doesn't work?
S_K_S

Is this an active user you are trying to remove, or a user who is no longer in your organization?
Also, how do things look from EAC: are you able to remove the so-called account via EAC?
This user no longer works with our company.
The account has been disabled.
How do things look from EAC? If the AD object exists, then the user alias or email should be used to remove the said access. Are you still getting the error if you use the command I suggested?
This is the warning pop-up message when I do the manual removal from the EAC:

warning 

Can't remove the access control entry on the object 
"CN=Contract,OU=Users,OU=Division 1,DC=MyDomain,DC=com" for attribute "ExtendedRight (ObjectType: ab721a54-1e2f-11d0-9819-00aa0040529b)" because the ACE isn't present. 
 
ok 


The user still exists in the AD and on this shared mailbox.
Can you go to the properties of the Shared Mailbox and of the account you want to remove, and check whether the Allow Inherit checkbox is selected or not?
Also, could you please share the output of the command below, for a better understanding:
Get-MailboxPermission SharedMailbox -User MailboxyouwanttoRemove
Sorry for the confusion, I just found out that the mailbox type is just a normal user mailbox :-) not a Shared Mailbox.

So where can I look for the "Inherit" checkbox?
Here it is:

Identity                               User                  AccessRights IsInherited Deny 
--------                               ----                  ------------ ----------- ---- 
DOMAIN.com/Division 1/Users/Contract   DOMAIN\Kacung.Semprul {FullAccess} False       False 


I am referring to Active Directory Users and Computers, then searching for the user and going to Properties.
Hi Senior IT System Engineer - Any luck with getting this resolved?
Somehow I can remove the name of the person from the AD Users & Console.

Hopefully, this can be reflected on the Exchange subsystem as well.
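
Added example, not part of the thread and not posted by any participant: the Deny switch on Remove-MailboxPermission targets deny entries, while the Get-MailboxPermission output above shows the entry with Deny set to False and IsInherited set to False. The sketch below builds the removal arguments from the entry as it is stored rather than typing them by hand; the function name Get-AceRemovalPlan and the sample object are assumptions constructed for illustration, and the real cmdlet is only called (with -WhatIf) when an Exchange Management Shell is present.

```powershell
# Added example: derive Remove-MailboxPermission arguments from the ACE as stored.
# Get-AceRemovalPlan is a hypothetical helper name, not an Exchange cmdlet.
function Get-AceRemovalPlan {
    param([Parameter(Mandatory)] [object[]] $Ace)   # rows from Get-MailboxPermission
    foreach ($a in $Ace) {
        if ($a.IsInherited) {
            # Inherited entries are defined on a parent object; report them, do not remove here.
            [pscustomobject]@{ User = $a.User; Action = 'Skip (inherited)'; Params = $null }
            continue
        }
        [pscustomobject]@{
            User   = $a.User
            Action = 'Remove'
            Params = @{
                Identity     = $a.Identity
                User         = $a.User
                AccessRights = $a.AccessRights
                Deny         = [bool]$a.Deny   # must match the stored entry (Allow vs Deny)
            }
        }
    }
}

# Constructed sample mirroring the Get-MailboxPermission table shown in the thread.
# In a live shell this would be the output of Get-MailboxPermission for the mailbox and user.
$sample = [pscustomobject]@{
    Identity     = 'DOMAIN.com/Division 1/Users/Contract'
    User         = 'DOMAIN\Kacung.Semprul'
    AccessRights = @('FullAccess')
    IsInherited  = $false
    Deny         = $false
}

foreach ($step in (Get-AceRemovalPlan -Ace $sample)) {
    if (-not $step.Params) { "{0}: {1}" -f $step.User, $step.Action; continue }
    "{0}: {1} with Deny={2}" -f $step.User, $step.Action, $step.Params.Deny
    # Only call the real cmdlet where it exists; -WhatIf makes this a dry run.
    if (Get-Command Remove-MailboxPermission -ErrorAction SilentlyContinue) {
        $splat = $step.Params
        Remove-MailboxPermission @splat -WhatIf
    }
}
```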