Change default security principal on "Manage Full Access Permission"
On all mailboxes I have a deleted SID show up for Manage Full Access Permission. I know there is a simple powershell script to delete this old account to clean things up. However, my question is how do I prevent this deleted account from being added in the future? I've seen it suggested to create a powershell script and schedule a nightly task to delete the account which seems clunky. I've also had it suggested to look in ADUC OU objects and find the SID listed in the security tab. When I've done this I have not been able to find the spot where this rogue SID is listed. Is there a default OU or location where I can edit the security tab so that new users don't have the deleted account show up? Thanks
May 18th, 2011 4:42pm

There are any number of places it could be set. Turn on Advanced Features in ADUC from the View menu, then walk up the OU tree looking at the Security tab on the properties page and find the top level where it is inherited from. Simon. Simon Butler, Exchange MVP. Blog | Exchange Resources | In the UK? Hire Me.
May 18th, 2011 6:22pm

Hi Seth, Do you mean that the SID also shows in the new users' security tab? So, for any configuration applied to the new user, did you remove all the old object-related information? I would use ADSI Edit to remove all the information, so it will not turn up for the new users. Regards! Gavin, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 19th, 2011 6:13am

Thanks for the response. I did exactly this but never found the SID. I don't even see the SID listed on a ADUC user object that has the rogue SID listed in the EMC. Guess it doesn't hurt anything so I'll leave it alone
May 19th, 2011 9:24am

That means it must be an Exchange setting that is doing it. Was this a migration from Exchange 2003? Another thing it could be is a setting on the database or server: get-mailboxdatabase | get-adpermission, or get-mailboxserver | get-adpermission. You may want to dump that out to a CSV file instead of to the screen, as there will be quite a list. Simon. Simon Butler, Exchange MVP. Blog | Exchange Resources | In the UK? Hire Me.
May 19th, 2011 12:23pm

It is indeed an Exchange setting. After running those commands I can see the SID listed in both the mailboxdatabase and mailboxserver as an inherited permission. Since I've managed this server it's been on 2007 so I don't know the migration path. It could have been a mailbox transfer process to a new server, but I see no signs of an in place upgrade. Is there a safe way to clean up the old SID via GUI or PowerShell? I'm guessing I'd have to use Remove-MailboxPermission http://technet.microsoft.com/en-us/library/bb125153.aspx. That being said, since it's inherited I would think I'd need to go up another level somehow, but I don't know to do something messy for something that's just an annoyance
May 19th, 2011 12:52pm

You can't in-place upgrade Exchange 2003 to 2007. However, as you are seeing it on both database and server, that would tend to point to it being listed at the Org level. That was quite a common thing to do in Exchange 2003. Take a look at the properties of the Exchange org, right at the top of the tree in EMC. See if the SID account is listed there. Simon. Simon Butler, Exchange MVP. Blog | Exchange Resources | In the UK? Hire Me.
May 19th, 2011 2:13pm

Checked under Organization Configuration and see several identities listed as Exchange Administrators at the top level, but not the one in question. Any other places to look under Organization Configuration? In total there are 16 rights assigned to this SID when running get-mailboxserver, all inherited. Thx
May 19th, 2011 2:52pm

Hi Seth, Per your description, you could find the SID shown in the Full Access Permission tab of some mailboxes, right? I would do as below:
1. Use get-mailbox | get-mailboxpermission | fl, and then you could check out which mailboxes have the SID.
2. Then we could collect the mailboxes and analyze the result: are there some special shared properties or other things?
3. Then we could discover the top-level configuration.
4. Use the LDP tool to check the SID in the DC, and confirm whether there is some information related to it.
5. Confirm the account and the related mailbox are all deleted in your Exchange org.
Regards! Gavin, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 20th, 2011 2:38am

Just circling back to this case and wanted to update with how I resolved this issue. As stated, the permission is at the organization level, but can't be modified via EMC. Instead, I used ADSI Edit and selected Configuration under Naming Context as my Connection Point. From there, navigate to CN=Services --> CN=Microsoft Exchange --> CN=<org name>. Right-click on that object and remove the rogue SID from the Security tab. From PowerShell, you can do something similar by specifying Get-OrganizationConfig | Remove-ADPermission -User <SID> -AccessRights GenericAll. However, that didn't remove every AccessRight because some were inherited permissions, thus the need for ADSI Edit.
June 30th, 2011 3:50pm
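The two steps the thread converges on, auditing where an unresolved SID is granted (Simon's get-adpermission dump to CSV) and removing it only at the object that actually carries the explicit entry (Seth's final Get-OrganizationConfig | Remove-ADPermission), can be combined into one script. The following is an added example, not code from the thread or from Microsoft. It assumes the Exchange Management Shell (Exchange 2007 or 2010) loaded on Windows PowerShell 2.0 or later, and the output path and the -Remove switch are assumptions of this example. Nothing is removed unless -Remove is passed; without it every Remove-ADPermission call runs with -WhatIf.

```powershell
# Added example (not from the thread): find deleted (unresolved) SIDs in the ACLs of the
# Exchange organization, mailbox servers and mailbox databases, write them to CSV, and
# remove only the explicit (non-inherited) entries, which is where inherited ones come from.
# Assumes the Exchange Management Shell is loaded and that the account running it may edit
# Exchange AD permissions. $OutCsv and -Remove are names chosen for this example.
param(
    [string]$OutCsv = ".\orphaned-sids.csv",   # audit report location (example default)
    [switch]$Remove                            # without this, removals run as -WhatIf only
)

function Test-OrphanedSid {
    param([string]$Sid)
    # Only domain SIDs are considered; well-known SIDs and resolved names are skipped.
    if ($Sid -notmatch '^S-1-5-21-') { return $false }
    try {
        # Translate() throws IdentityNotMappedException when no account exists for the SID.
        $null = (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
                    [System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

# The three levels examined in the thread: org, mailbox servers, mailbox databases.
$targets = @(Get-OrganizationConfig) + @(Get-MailboxServer) + @(Get-MailboxDatabase)

$findings = foreach ($t in $targets) {
    $t | Get-ADPermission | Where-Object { Test-OrphanedSid ([string]$_.User) } |
        Select-Object @{n='Object';         e={ [string]$t.Identity }},
                      @{n='User';           e={ [string]$_.User }},
                      IsInherited, Deny,
                      @{n='AccessRights';   e={ ($_.AccessRights   | ForEach-Object { [string]$_ }) -join ';' }},
                      @{n='ExtendedRights'; e={ ($_.ExtendedRights | ForEach-Object { [string]$_ }) -join ';' }}
}

# Audit first: the CSV shows each ACE and whether it is inherited (IsInherited=True entries
# cannot be removed at that object; they disappear once the explicit source entry is gone).
$findings | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host ("{0} orphaned-SID ACE(s) written to {1}" -f @($findings).Count, $OutCsv)

# Remove only explicit entries, reproducing each ACE exactly (rights, extended rights, deny).
foreach ($f in @($findings | Where-Object { -not $_.IsInherited })) {
    $params = @{ Identity = $f.Object; User = $f.User; Confirm = $false }
    if ($f.AccessRights)   { $params.AccessRights   = $f.AccessRights   -split ';' }
    if ($f.ExtendedRights) { $params.ExtendedRights = $f.ExtendedRights -split ';' }
    if ($f.Deny)           { $params.Deny = $true }
    Remove-ADPermission @params -WhatIf:(-not $Remove)
}
```

Run it once without -Remove and read the CSV: if every row for the servers and databases is IsInherited=True and the only explicit rows are on the organization object, that is the situation described in the thread, and the explicit org-level entries are the ones to remove. Entries that remain inherited with no explicit source among these three levels were granted somewhere else in the Configuration partition and still need the ADSI Edit route from the final post.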
