Note: following the transfer of this domain to the new owners, and per user requests, this article was recovered from the Internet Archive Wayback Machine and may not be complete.
I have run into a problem while doing some routine maintenance on some shared mailboxes for the company I work for. During the maintenance process, we audit the list of users that have full mailbox rights to any shared mailbox. In the process, I was trying to remove full permissions from several user accounts. Here is what the Manage Full Access Permission screen looked like.
Notice that the last entry on the list has an unusual icon: a user account with a small blue question mark on it.
When you try to remove that permission entry, you get a screen containing the following error:
Summary: 1 item(s). 0 succeeded, 1 failed. Elapsed time: 00:00:00
[REMOVED]\dtaylor
Failed
Error: Cannot remove ACE on object "CN=MAIL ROOM,OU=Email Accounts,OU=[REMOVED]" for account "[REMOVED]\dtaylor" because it is not present.
Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity 'CN=MAIL ROOM,OU=Email Accounts,OU=[REMOVED]' -User '[REMOVED]\dtaylor' -InheritanceType 'All' -AccessRights 'FullAccess'
Elapsed Time: 00:00:00
Let me give you a little background. Several years ago we had three domains, all in the same AD forest. Two of them contained Exchange 2003 servers with mailboxes. We migrated all of the mailboxes from those two domains into the third domain, which did not have an Exchange server at the time. So we consolidated three domains into one and migrated from Exchange 2003 to Exchange 2007 in the same move. The migrated accounts kept their old SIDs in the sIDHistory attribute, which is where this problem comes from.
One way I found to get past this error was to copy the attempted command out of the error message and change the domain in the -User value to the previous (source) domain. That deletes the ACE for the user. This works well as long as the old domain still exists in the forest, so the SID lookup can succeed and the ACE can be matched and removed. (NOTE: I also tried changing the command to pass the SID instead of [DOMAIN]\[USERNAME], but that did not work either.)
Exchange always hands Remove-MailboxPermission the user in domain\username form: whatever you pass in -User, it looks up the account behind it and then works with that account's current identity. So even when you pass the old SID you get the same error. Here is an example:
> Remove-MailboxPermission -Identity 'CN=MAIL ROOM,OU=Email Accounts,OU=[REMOVED]' -User 'S-1-5-21-1398355167-[REMOVED]-15821' -InheritanceType 'All' -AccessRights 'FullAccess'

Confirm
Are you sure you want to perform this action?
Removing mailbox permission "[REMOVED]/Corp/Email Accounts/MAIL ROOM" for user "S-1-5-21-1398355167-[REMOVED]-15821" with access rights "'FullAccess'".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
Remove-MailboxPermission : Cannot remove ACE on object "CN=MAIL ROOM,OU=Email Accounts,OU=[REMOVED]" for account "[REMOVED]\dtaylor" because it is not present.
At line:1 char:25
Notice that the first line passes the SID to Remove-MailboxPermission, but in the failure text the SID has been replaced with the domain\username of the account it resolves to.
To get that SID in the first place, I opened Active Directory Users and Computers, turned on Advanced Features under the View menu, and read the sIDHistory attribute on the account's Attribute Editor tab.
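Reading sIDHistory by hand in ADUC works for one account, but after a domain consolidation you usually want the whole list. The following is an added example (not from the original post) that decodes the sIDHistory and objectSid attributes with .NET DirectoryServices, so it runs from the Exchange Management Shell on any domain-joined machine without the ActiveDirectory module. The function names and the default LDAP filter are my own; it assumes PowerShell 2.0 or later for New-Object -Property.

```powershell
# Added example: enumerate accounts that still carry sIDHistory and decode the SIDs.
# Not part of the original post; function names and filter are assumptions.

function ConvertTo-SidString {
    # sIDHistory and objectSid come back from LDAP as raw byte arrays.
    param([byte[]]$SidBytes)
    (New-Object System.Security.Principal.SecurityIdentifier($SidBytes, 0)).Value
}

function Get-SidHistoryReport {
    # Default filter: every user object with at least one sIDHistory value.
    # Pass "(sAMAccountName=dtaylor)" to inspect a single account.
    param([string]$LdapFilter = "(&(objectCategory=person)(objectClass=user)(sIDHistory=*))")

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $LdapFilter
    $searcher.PageSize = 500   # paged search so large domains are not truncated at 1000 results
    [void]$searcher.PropertiesToLoad.AddRange(
        @("sAMAccountName", "distinguishedName", "objectSid", "sIDHistory"))

    foreach ($result in $searcher.FindAll()) {
        # ResultPropertyCollection keys are lower-case.
        $primarySid = ConvertTo-SidString $result.Properties["objectsid"][0]
        foreach ($oldSidBytes in $result.Properties["sidhistory"]) {
            # One row per historical SID: this is the value the mailbox ACE still references.
            New-Object PSObject -Property @{
                SamAccountName    = [string]$result.Properties["samaccountname"][0]
                DistinguishedName = [string]$result.Properties["distinguishedname"][0]
                PrimarySid        = $primarySid
                HistoricalSid     = ConvertTo-SidString $oldSidBytes
            }
        }
    }
}

# Keep this output: it is the record you will need to map unresolved SIDs back to accounts later.
Get-SidHistoryReport | Export-Csv -Path .\sidhistory-record.csv -NoTypeInformation
```

The HistoricalSid column is the value that shows up as an unresolved SID on mailbox permissions once sIDHistory is cleared, and the PrimarySid column is what Remove-MailboxPermission actually searches the ACL for, which is why the two never match.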
So what do you do to remove the ACE for this account? The problem is that no matter what input you give Remove-MailboxPermission, it resolves it to an account and then works with that account's primary SID. The ACE on the mailbox was written with the old domain's SID, which now lives only in the account's sIDHistory. The cmdlet resolves that old SID to the account, looks for an ACE carrying the account's primary SID, does not find one, and fails. To solve this you have to stop the cmdlet from resolving the old SID to the account at all, and the way to do that is to remove the old SID from the account's sIDHistory attribute.
Microsoft has a script on their site called "How To Use Visual Basic Script to Clear SidHistory". If you run it against the account, the sIDHistory is cleared, and when you look at the Full Access permissions again you will see an unresolved SID instead of the username. Remove-MailboxPermission can then remove the ACE from that mailbox by that SID.
NOTE: Record the value of the sIDHistory attribute somewhere before you clear it, because chances are you will find other mailboxes that now show that SID as having full mailbox rights, and you will need the history to know which account to grant the permission to when you see an unresolved SID. Also keep in mind that sIDHistory is what lets the account keep access to anything else still ACLed with the old SID (file shares, other mailboxes, group ACLs from the source domain), so clearing it removes that access everywhere at once, not just on the mailbox you are cleaning up.
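The full clean-up described above, as an added example that is not part of the original post and does not use Microsoft's VBScript: it clears sIDHistory through ADSI (PutEx with ADS_PROPERTY_CLEAR, the same call the VBScript makes), removes the now-orphaned ACE by SID, and then sweeps every mailbox for unresolved FullAccess entries and re-grants them to the right account from a recorded SID-to-account map. The distinguished name, SID, mailbox name and account below are constructed values; it assumes the Exchange Management Shell (Exchange 2007 or later) is loaded and that you have already saved the sIDHistory values.

```powershell
# Added example, not the original author's method. All identifiers below are constructed.
$userDn     = "CN=D Taylor,OU=Users,DC=corp,DC=example"             # constructed DN of the migrated account
$oldSid     = "S-1-5-21-1398355167-000000000-000000000-15821"       # constructed; value recorded from sIDHistory
$newAccount = "CORP\dtaylor"                                          # constructed; the account that should hold the rights
$mailbox    = "MAIL ROOM"                                             # constructed shared mailbox

# 1. Clear sIDHistory. ADS_PROPERTY_CLEAR = 1; this is what the Microsoft VBScript does.
#    After this the account loses access to everything still ACLed with $oldSid, not just mailboxes.
$user = [ADSI]"LDAP://$userDn"
$user.PutEx(1, "sIDHistory", $null)
$user.SetInfo()

# 2. The ACE no longer resolves to an account, so the cmdlet matches it by the raw SID and removes it.
Remove-MailboxPermission -Identity $mailbox -User $oldSid `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false

# 3. Sweep all mailboxes for explicit FullAccess ACEs that are now orphaned SIDs.
#    $knownHistory is your own record (historical SID -> current account); unknown SIDs are only reported.
$knownHistory = @{ $oldSid = $newAccount }

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessRights -contains "FullAccess" -and
            $_.User.ToString() -match '^S-1-5-'        # unresolved principals print as a SID string
        } |
        ForEach-Object {
            $sid = $_.User.ToString()
            if ($knownHistory.ContainsKey($sid)) {
                Write-Host "$($mbx.Name): re-granting FullAccess from $sid to $($knownHistory[$sid])"
                Add-MailboxPermission -Identity $mbx.Identity -User $knownHistory[$sid] `
                    -AccessRights FullAccess -InheritanceType All
                Remove-MailboxPermission -Identity $mbx.Identity -User $sid `
                    -AccessRights FullAccess -InheritanceType All -Confirm:$false
            } else {
                Write-Host "$($mbx.Name): orphaned FullAccess ACE for unknown SID $sid (left in place)"
            }
        }
}
```

Run step 3 first with the Add/Remove lines commented out to get a report; an unresolved SID you cannot map is either a deleted account or one whose sIDHistory was cleared without a record, and it should be removed rather than guessed at, since a stale ACE can be reclaimed by whoever ends up owning that SID.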