Powershell - Exchange - Remove almost all mailbox rights


My original question was a bit complex. However, some cool members did manage to help me.

I got the following piece of code from Vesper:

$mailbox=get-mailbox $username
$perms=get-mailboxpermission $mailbox | where {$_.isinherited -eq $false -and $_.user.toString() -ne "NT AUTHORITY\SELF"}
$perms | remove-mailboxpermission $mailbox -confirm:$false

When I run these commands in an Exchange PowerShell one by one it works beautifully. However, when I try to run my complete script with that snippet in it I receive the following error:

Cannot process argument transformation on parameter 'Identity'. Cannot convert the "USERNAME" value of type
"Deserialized.Microsoft.Exchange.Data.Directory.Management.Mailbox" to type
"Microsoft.Exchange.Configuration.Tasks.MailboxIdParameter".
    + CategoryInfo          : InvalidData: (:) [Get-MailboxPermission], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-MailboxPermission
    + PSComputerName        : SERVER

Any idea how to solve this?

3

There are 3 answers

4
Vesper On

A quick and dirty solution can be like this:

$mailbox = get-mailbox $user   # populate $user first
# Keep only non-inherited entries, minus NT AUTHORITY\SELF which the mailbox must keep
$perms = get-mailboxpermission $mailbox | where {$_.isinherited -eq $false -and $_.user.toString() -ne "NT AUTHORITY\SELF"}
# -whatif only reports what would be removed; drop it once the output has been reviewed
$perms | remove-mailboxpermission $mailbox -whatif

Be warned, incorrect use of this script can ruin your Exchange organization; probably test that on a single mailbox. The script is NOT tested, although it complies with manuals on both Exchange and PowerShell.

Explanation: The first line gets the mailbox in question. The second line first gets the full ACL on the Exchange mailbox object, then filters only those entries that are not inherited ($_.IsInherited -eq $false) and filters out NT AUTHORITY\SELF, which is required to be present for anyone to ever access the mailbox - this entry is not inherited. Everything else is deemed to be the permissions that you wish to remove (such rights are added on the mailboxes directly, and thus are not inherited). The third line removes the rights determined by calling Remove-MailboxPermission against a pipeline. Note the -whatif switch, which makes the cmdlet display what's about to be done for the administrator to review before launching the script into production.

0
user3561713 On

John,

I'm running into the exact same problem.

I've made one change and it pushed the problem down but didn't solve it.


$Mailboxes = Get-Mailbox testmailbox

foreach ($Mailbox in $Mailboxes) {
    $FixAutoMappings = Get-MailboxPermission $Mailbox.DisplayName | where {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}
    foreach ($FixAutoMapping in $FixAutoMappings) {
        $FixAutoMapping | Remove-MailboxPermission $Mailbox.DisplayName
        $FixAutoMapping | Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $false
    }
}

I simply added the .DisplayName after $Mailbox, this solved the getting of permissions, but now I can't remove them. I'm stuck.

For everyone looking at this and asking why.

In Exchange 2010 Service Pack 1 (SP1) Exchange introduced a feature that [forces] allows Outlook 2007 and Outlook 2010 clients to automatically map to any mailbox to which a user has Full Access permissions. If a user is granted Full Access permissions to another user's mailbox or to a shared mailbox, Outlook automatically loads all mailboxes to which the user has full access.

https://technet.microsoft.com/en-us/library/hh529943(v=exchg.141).aspx

This lovely little feature is causing problems when you have mailboxes with permissions to mailboxes in a different forest.

0
user3561713 On

I figured it out.

$Mailboxes = Get-Mailbox testmailbox   # as in the previous answer; the loop assumes this is already set

foreach ($Mailbox in $Mailboxes) {
    # Explicit (non-inherited) FullAccess entries are the ones Outlook auto-maps
    $FixAutoMappings = Get-MailboxPermission $Mailbox.DisplayName | where {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}
    $FixAutoMappings   # show the entries about to be rewritten
    foreach ($FixAutoMapping in $FixAutoMappings) {
        # Pass identities and users explicitly instead of piping the deserialized objects
        Remove-MailboxPermission -Identity $Mailbox.Identity -User $FixAutoMapping.User -AccessRights $FixAutoMapping.AccessRights -confirm:$false
        # Re-grant the same right with AutoMapping disabled
        Add-MailboxPermission -Identity $Mailbox.Identity -User $FixAutoMapping.User -AccessRights:FullAccess -AutoMapping $false
    }
}

This seemed to work for me.
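As an added example that is not code from this thread, the script below combines Vesper's filter with the fix from the last answer: it resolves the mailbox once, hands a plain string identity to every later cmdlet (so a deserialized mailbox object from a remote session never reaches -Identity), keeps NT AUTHORITY\SELF and inherited entries, and only reports with -WhatIf unless the assumed -Commit switch is given.

```powershell
# Added example, not from the thread. Assumes an Exchange Management Shell or an
# Import-PSSession remote session (where cmdlet output comes back deserialized).
# The -Commit switch is an assumed convenience; without it nothing is changed.
param(
    [Parameter(Mandatory = $true)][string]$Username,
    [switch]$Commit
)

# Resolve the mailbox once and keep only its string identity. A deserialized
# Mailbox object cannot bind to MailboxIdParameter (the error in the question);
# a distinguished name binds in both local and remote sessions.
$mailbox  = Get-Mailbox -Identity $Username -ErrorAction Stop
$identity = $mailbox.DistinguishedName

# Same filter as Vesper's answer: drop inherited entries and NT AUTHORITY\SELF,
# which the mailbox owner needs and which is itself not inherited.
$toRemove = @(Get-MailboxPermission -Identity $identity |
    Where-Object {
        -not $_.IsInherited -and
        $_.User.ToString() -ne 'NT AUTHORITY\SELF'
    })

if ($toRemove.Count -eq 0) {
    Write-Host "No explicit permissions to remove on $($mailbox.PrimarySmtpAddress)"
    return
}

# Show what is about to change; review this output before re-running with -Commit.
$toRemove | Select-Object User, AccessRights, Deny | Format-Table -AutoSize

foreach ($ace in $toRemove) {
    # Strings only: user and rights from the ACE, identity resolved above.
    $params = @{
        Identity     = $identity
        User         = $ace.User.ToString()
        AccessRights = $ace.AccessRights
        Confirm      = $false
    }
    # A Deny entry has to be removed with the -Deny switch or the cmdlet will not match it.
    if ($ace.Deny) { $params.Deny = $true }

    if ($Commit) {
        Remove-MailboxPermission @params
    } else {
        Remove-MailboxPermission @params -WhatIf
    }
}
```

Run it against a single test mailbox first; the -WhatIf output lists each entry that a later -Commit run would remove.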