In performing a periodic check on permissions on mailboxes in Exchange 2013, I saw that there were some permissions that would not remove.
Here's how to check for additional permissions across all mailboxes:
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv
There are some entries that did not belong that look like this:
RunspaceId: 03d29daa-2ca3-4428-bbe4-4ebc1102b86e
AccessRights: {FullAccess}
Deny: True
InheritanceType: All
User: DOMAIN:foo.user2
Identity: DOMAIN/Users/foo.user
IsInherited: False
IsValid: True
ObjectState: Unchanged
When I tried to remove them, I used this command:
remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess
But that didn't work; the permission remained the same. I could see that the permission is not inherited and that the permission is to DENY.
To get it to work, I had to remove the DENY permission, like this:
remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess -InheritanceType All -deny
The MS doc site shows the following, but I had no idea what the <SwitchParameter> options were.
[-Deny <SwitchParameter>]
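The following is an added example, not code from the original post. It builds the matching Remove-MailboxPermission parameters for each explicit entry and adds -Deny only when the entry is a Deny entry; a switch parameter takes no value, its presence alone selects the Deny entry. The function name Get-PermissionRemovalPlan and the sample objects are assumptions, constructed from the output shown above.

```powershell
# Hypothetical helper (added example): turn Get-MailboxPermission-shaped objects
# into the parameter set needed to remove each explicit entry.
function Get-PermissionRemovalPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Permission
    )
    process {
        # Skip inherited entries and the owner's own SELF entry, as in the audit query.
        if ($Permission.IsInherited) { return }
        if ("$($Permission.User)" -eq 'NT AUTHORITY\SELF') { return }

        $params = @{
            Identity        = "$($Permission.Identity)"
            User            = "$($Permission.User)"
            AccessRights    = @($Permission.AccessRights | ForEach-Object { "$_" })
            InheritanceType = "$($Permission.InheritanceType)"
        }
        # Without -Deny the cmdlet targets the Allow entry and the Deny entry stays.
        if ($Permission.Deny) { $params['Deny'] = $true }

        [pscustomobject]@{
            Identity   = $params.Identity
            User       = $params.User
            IsDeny     = [bool]$Permission.Deny
            Parameters = $params
        }
    }
}

# Constructed sample input: one explicit Deny entry, one explicit Allow entry,
# one inherited entry (skipped).
$sample = @(
    [pscustomobject]@{ Identity = 'DOMAIN/Users/foo.user'; User = 'DOMAIN:foo.user2'
        AccessRights = @('FullAccess'); Deny = $true;  InheritanceType = 'All'; IsInherited = $false }
    [pscustomobject]@{ Identity = 'DOMAIN/Users/foo.user'; User = 'DOMAIN:foo.user3'
        AccessRights = @('FullAccess'); Deny = $false; InheritanceType = 'All'; IsInherited = $false }
    [pscustomobject]@{ Identity = 'DOMAIN/Users/foo.user'; User = 'DOMAIN:foo.admins'
        AccessRights = @('FullAccess'); Deny = $false; InheritanceType = 'All'; IsInherited = $true }
)

$plan = $sample | Get-PermissionRemovalPlan
$plan | Select-Object Identity, User, IsDeny | Format-Table -AutoSize

# In the Exchange Management Shell, review the Deny entries with -WhatIf first:
# Get-Mailbox | Get-MailboxPermission | Get-PermissionRemovalPlan | Where-Object IsDeny |
#     ForEach-Object { $p = $_.Parameters; Remove-MailboxPermission @p -WhatIf }
```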
NOTES:
I've run into this more than once, as I created another post: http://www.daknetworks.com/blog/439-shared-mailbox-wont-disconnect-from-outlook