    Exchange script to find and remove permissions

    IT Discussion
      Dashrender

      In my migration to M365, I've run across several accounts that still have delegations provided to users who no longer work here. I haven't dug in deeply enough yet to understand why/how these are still attached to Exchange objects, but for now I just need them gone.

      I found this post: https://answers.microsoft.com/en-us/msoffice/forum/all/a-corrupted-item-was-encountered-folder-acl-during/1c9c38ca-1b6e-4b2b-8588-facfa547cc92

      Unfortunately it doesn't work - seems to assume there's only ever one user with permissions on an object/folder, plus it sets a counter to 0 and then doesn't run if the counter is 0, with nothing possibly changing it until after the first run through, meaning it skips running a list of only one folder.

      Here's my modified version of that script (the delete script):

      $mbuser = "agrabowski"  # Mailbox User Name to Fix
      
      # Build "mailbox:\folder" identities for every folder in the Tasks scope
      $fldList= Get-MailboxFolderStatistics $mbuser -FolderScope tasks | Select-Object -Property identity | % { $mbuser+":"+$_.Identity.tostring().trimstart($mbuser) }
      write-output 'found list'
      $fldList
      #Read-Host -Prompt "Press any key to continue"
      
      $remUser='NT User:UROLOGY\ljforehead'   # Name of user to remove
      
      $fnumber=0
      
      ForEach ($folder in $fldList) {
          # Get-MailboxFolderStatistics returns "/" in folder names as U+F8FF; map it back
          $folder = $folder -replace ([char]0xF8FF), "/" # Fix special character
          write-output 'folder name'
          $folder
          $zout=" $fnumber Checking Folder:  $folder "
          Write-output $zout
          # As written, this check skips the folder at index 1
          if ($fnumber -ne 1){
               $fuser=Get-MailboxFolderPermission $folder
               Get-MailboxFolderPermission $folder
               # A folder can carry several permission entries; check each one
               ForEach ($User10 in $fuser) {
                  $Output1 = "test '$($User10.User.displayname)'"
                  write-host "display: " $User10.User.displayname
                  $output = "does the above match this user:: $remUser"
                  write-output $output
                  if ($User10.User.displayname -eq $remUser) {
                      $zout = "Removing user:: '$remUser'"
                      $zout
                      remove-MailboxFolderPermission -Identity $folder -user $remUser -Confirm:$False 
                      }
                   }
              # List the remaining entries to confirm the removal
              $zout = "Verifying Folder: '$folder'"
              $zout
              $fuser=Get-MailboxFolderPermission $folder
              ForEach ($user2 in $fuser){
                  $user2.user
                  }
         }     
          $fnumber++
      }
      
      

      The posted find script works fine:

      # These commands list all the mailbox folder permissions; look for users that are gone or disabled.
      
      $mbuser = "BObama" # <<< Mailbox name to check
      
      $fldList= Get-MailboxFolderStatistics $mbuser -FolderScope Inbox | Select-Object -Property identity | % { $mbuser+":\inbox"+$_.Identity.tostring().trimstart($mbuser) }
      
      # Note this will error out on the inbox\inbox and any folder names with special characters
      
      $fldList|Get-MailboxFolderPermission
      
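A variant of the delete script above that checks every folder and every permission entry on it, and supports a dry run, as an added example that is not part of the original post or the linked Microsoft answer. The function name `Remove-StaleFolderDelegate` and its parameters are hypothetical; it assumes an Exchange PowerShell session and that the folder cmdlets accept the `mailbox:FolderId` identity form, which avoids the special-character handling in folder names.

```powershell
# Added example (hypothetical function name and parameters).
function Remove-StaleFolderDelegate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,     # mailbox to clean up
        [Parameter(Mandatory)] [string[]] $StaleUser,   # display names exactly as Get-MailboxFolderPermission shows them
        [string] $FolderScope = 'All'
    )

    foreach ($f in Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope $FolderScope) {
        # Assumption: address the folder by FolderId instead of by path
        $id = '{0}:{1}' -f $Mailbox, $f.FolderId
        try {
            $perms = @(Get-MailboxFolderPermission -Identity $id -ErrorAction Stop)
        } catch {
            # Some system folders cannot be queried; report and move on
            Write-Warning "Skipped $($f.FolderPath): $($_.Exception.Message)"
            continue
        }

        foreach ($p in $perms) {
            $name = $p.User.DisplayName
            if ($StaleUser -notcontains $name) { continue }   # case-insensitive match

            $rights  = $p.AccessRights -join ','
            $removed = $false
            if ($PSCmdlet.ShouldProcess($f.FolderPath, "Remove $name ($rights)")) {
                Remove-MailboxFolderPermission -Identity $id -User $name -Confirm:$false
                $removed = $true
            }
            # One record per matching entry, so the run doubles as an audit log
            [pscustomobject]@{ Folder = $f.FolderPath; User = $name; AccessRights = $rights; Removed = $removed }
        }
    }
}

# Dry run first: lists what would be removed without changing anything
Remove-StaleFolderDelegate -Mailbox 'agrabowski' -StaleUser 'NT User:UROLOGY\ljforehead' -WhatIf
```

Drop `-WhatIf` once the dry-run output matches the delegations you expect to remove, and keep the returned records as evidence of what was changed.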