Exchange Powershell question

NOC123
NOC123 used Ask the Experts™
on
So I'm trying to clean up permissions on the mailbox of one of our former employee, John Smith.  There's an SID listed as having "Send As" permissions to his mailbox that I'm trying to remove.  The command should be:

Remove-ADPermission -Identity "jsmith@domain.com" -User "S-0-0-00-0000000000-000000000000000000-0000" -ExtendedRights "Send As"

But that gives me a " 'jsmith@domain.com' wasn't found" error, as does any other variant of his identity (jsmith, 'smith, john', etc.).  His mailbox isn't hidden.  Any suggestions?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Paul MacDonaldDirector, Information Systems

Commented:
Is this a domain?  If so, -Identity should be the fully-qualified name of the user object:
Remove-MailboxPermission -Identity 'CN=John Smith,OU=Users,DC=MyDomain,DC=com' -User 'S-0-0-00-0000000000-000000000000000000-0000' -Deny -InheritanceType 'All' -AccessRights 'Send As'

Author

Commented:
So, checking AD, under the Attributes Tab, I note that his CN was listed as “John Smith”, so I tried the command using that for identity. The command accepted that, but ultimately failed for a different reason, saying the SID specified is an inherited access control entry. I suspect it’s for a retired account, back from when we had a Blackberry server and that was the system account that had Send As permissions for everyone. I deleted the account along time ago, but these permissions seem to remain on users that were here back then.

Edit:

I guess the issue now isn't so much with PowerShell as inherited permissions in AD.  That same SID has "Send As" permissions on certain users.
Director, Information Systems
Commented:
Given this account no longer exists and so cannot pose a threat to the mailbox, it seems likely you could just leave it as is.  

If it's important to you to remove this inherited user, you can do it with ADSI Edit.  Note that editing Active Directory with ADSI Edit can have profound and permanent consequences if you make a mistake:
     Configuration -> Services -> Microsoft Exchange -> YourOrgName -> Administrative Groups -> Exchange Administrative Group (SomeGUID) -> Servers -> Databases -> ThisUsersDatabase  
When you right-click and select Properties, on the Security tab you'll see all the accounts with permissions to the database.  One of them will be the "S-0-0-00-0000000000-000000000000000000-0000" account in question, which you can delete here.  If you have more than one database, it's possible this account is being inherited to them as well.

Good luck!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial