Unable to remove a disabled account from permission on a Resource account

I have an "Equipment" resource account.  I see a listing of users with Access Rights when I run get-mailboxfolderpermission engcalendar:\calendar.  I see "Joe Doe" as having Editor permission.

[PS] C:\Windows\system32>get-mailboxfolderpermission engcalendar:\calendar

FolderName           User                 AccessRights
----------           ----                 ------------
Calendar             Default              {Reviewer}
Calendar             xxxxxx              {Editor}
Calendar             xxxxxxxx           {Editor}
Calendar             xxxxxxxxx         {Owner}
Calendar             xxxxxxxxxxxxx  {Editor}
Calendar             Joe Doe             {Editor}

When I try to remove his account I get an error message.

[PS] C:\Windows\system32>remove-mailboxfolderpermission engcalendar:\calendar -user doej

Confirm
Are you sure you want to perform this action?
Removing mailbox folder permission on "engcalendar:\calendar" for user "doej".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
There is no existing permission entry found for user: doej.
    + CategoryInfo          : NotSpecified: (:) [Remove-MailboxFolderPermission], UserNotFoundInPermissionEntryExcepti
   on
    + FullyQualifiedErrorId : [Server=MAIL2013,RequestId=d6a776c6-fdf6-4cb1-ac8a-db4f1ebfe60e,TimeStamp=6/1/2015 9:23:
   18 PM] [FailureCategory=Cmdlet-UserNotFoundInPermissionEntryException] 4976BF05,Microsoft.Exchange.Management.Stor
  eTasks.RemoveMailboxFolderPermission
    + PSComputerName        : mail2013.usa.org

Joe Doe's mailbox was disabled 4 months ago and his AD account was renamed and disabled, but yet he is listed as being an editor with his original name.  How can I get rid of him?  He is not a delegate on this mailbox, just has Editor privs, but yet is still getting delegate requests as well.

Any ideas?

Thanks

June 1st, 2015 5:45pm

Hi cwssab,

Thank you for your question.

With the value of the parameter -User, we could change alias into email address of Joe Doe to check if the issue persist.

In addition, before we run the command, we should assign permission to administrator, we could refer to the following link:

https://technet.microsoft.com/en-us/library/dd351181%28v=exchg.150%29.aspx

If there are any questions regarding this issue, please be free to let me know.

Best Regard,

Jim

Free Windows Admin Tool Kit Click here and download it now
June 2nd, 2015 2:07am

I tried it by email address as well as alias.  I do have permission as I make these changes all the time and was able to add and remove people to this account.  It is just this particular account no longer exists which is odd because it shows the name correctly in the listing.  It wouldn't be terrible to leave it as an orphan, but it still shows that it is sending meeting requests to that phantom account as well as the others.

Any other thoughts?

June 2nd, 2015 12:35pm

Hi cwssab,

First of all, we could make sure AD replication without any problems.

You could run the following command:

Add-mailboxfolderpermission -Identity engcalendar:\calendar -user doej -accessright Editor

Then run

Remove-mailboxfolderpermission engcalendar:\calendar -user doej

We could check if the issue persist.

If there are any questions regarding this issue, please be free to let me know.

Best Regard,

Jim

Free Windows Admin Tool Kit Click here and download it now
June 4th, 2015 10:00pm

You can only do a set-mailboxfolderpermission on an account that has already been added.  If I do an add-mailboxfolderpermission it just adds them alongside the existing listed users.

I am able to add and remove other people from the calendar permissions on that mailbox by using the add-mailboxfolderpermission and remove-mailboxfolderpermission without impacting any other users.

June 17th, 2015 10:50am

You can only do a set-mailboxfolderpermission on an account that has already been added.  If I do an add-mailboxfolderpermission it just adds them alongside the existing listed users.

I am able to add and remove other people from the calendar permissions on that mailbox by using the add-mailboxfolderpermission and remove-mailboxfolderpermission without impacting any other users.

Free Windows Admin Tool Kit Click here and download it now
June 17th, 2015 10:50am

Our AD is replicating without any issues.  When I try to add the user back in, it says: "the user doej@... is either not valid SMTP address, or there is no matching information."  Which is accurate because there is no user in our system anymore.

June 17th, 2015 10:59am

Our AD is replicating without any issues.  When I try to add the user back in, it says: "the user doej@... is either not valid SMTP address, or there is no matching information."  Which is accurate because there is no user in our system anymore.

Free Windows Admin Tool Kit Click here and download it now
June 17th, 2015 10:59am

You can only do a set-mailboxfolderpermission on an account that has already been added.  If I do an add-mailboxfolderpermission it just adds them alongside the existing listed users.



That's not true. Running set-mailboxfolderpermission on a mailbox folder overwrites all the permission entries on that folder. This way you don't need to enable the problem AD account again. What would you do if you had deleted the AD account? It's also convenient if you don't have permissions in your AD to enable the AD account.
June 17th, 2015 1:51pm

You can only do a set-mailboxfolderpermission on an account that has already been added.  If I do an add-mailboxfolderpermission it just adds them alongside the existing listed users.



That's not true. Running set-mailboxfolderpermission on a mailbox folder overwrites all the permission entries on that folder. This way you don't need to enable the problem AD account again. What would you do if you had deleted the AD account? It's also convenient if you don't have permissions in your AD to enable the AD account.
Free Windows Admin Tool Kit Click here and download it now
June 17th, 2015 1:51pm

I must be doing something wrong.  When I ran the set-mailboxfolderpermission engcalendar:\calendar -user myuserid -accessrights editor it replies:

[PS] C:\Windows\system32>set-mailboxfolderpermission engcalendar:\calendar -user myuserid -accessrights editor
There is no existing permission entry found for user: Sally xxxxxx.
    + CategoryInfo          : NotSpecified: (:) [Set-MailboxFolderPermission], UserNotFoundInPermissionEntryException
    + FullyQualifiedErrorId : [Server=MAILservername,RequestId=e307a512-0b9f-485e-a7b8-d7d5d0667d30,TimeStamp=6/17/2015 6:12
   :02 PM] [FailureCategory=Cmdlet-UserNotFoundInPermissionEntryException] 3FC69FC4,Microsoft.Exchange.Management.Sto
  reTasks.SetMailboxFolderPermission
    + PSComputerName        : mailservername.xxx.xxx

I do worry about what would happen if I have that problem with a deleted AD account which is why I want to find out how to do it.  In the past I have copied all of the calendar information to a PST, removed the resource account, created a new one and imported the information.  This is a resource account that was migrated from an Exchange 2007 server to our Exchange 2013 server if that matters.

June 17th, 2015 2:22pm

I must be doing something wrong.  When I ran the set-mailboxfolderpermission engcalendar:\calendar -user myuserid -accessrights editor it replies:

[PS] C:\Windows\system32>set-mailboxfolderpermission engcalendar:\calendar -user myuserid -accessrights editor
There is no existing permission entry found for user: Sally xxxxxx.
    + CategoryInfo          : NotSpecified: (:) [Set-MailboxFolderPermission], UserNotFoundInPermissionEntryException
    + FullyQualifiedErrorId : [Server=MAILservername,RequestId=e307a512-0b9f-485e-a7b8-d7d5d0667d30,TimeStamp=6/17/2015 6:12
   :02 PM] [FailureCategory=Cmdlet-UserNotFoundInPermissionEntryException] 3FC69FC4,Microsoft.Exchange.Management.Sto
  reTasks.SetMailboxFolderPermission
    + PSComputerName        : mailservername.xxx.xxx

I do worry about what would happen if I have that problem with a deleted AD account which is why I want to find out how to do it.  In the past I have copied all of the calendar information to a PST, removed the resource account, created a new one and imported the information.  This is a resource account that was migrated from an Exchange 2007 server to our Exchange 2013 server if that matters.

Free Windows Admin Tool Kit Click here and download it now
June 17th, 2015 2:22pm
In my experience the easiest way to do this is to eliminate the existing permission entries by overwriting them with set-mailboxfolderpermission. It is pretty quick and easy when you only have a few permission entries. I hope this serves as a usable workaround for you.
June 17th, 2015 6:26pm
In my experience the easiest way to do this is to eliminate the existing permission entries by overwriting them with set-mailboxfolderpermission. It is pretty quick and easy when you only have a few permission entries. I hope this serves as a usable workaround for you.
Free Windows Admin Tool Kit Click here and download it now
June 17th, 2015 6:26pm

I don't know how to remove all of the people that have permission to the calendar.  I don't have many of them so I don't mind removing them all and adding them separately.  Also when I try to set the removed person to a different level access rights I get essentially the same thing: "There is no existing permission entry found for user: doej." 

When I tried to do a remove-mailboxfolderpermission engcalendar:\calendar -user * I get the error message, * matches multiple entries.  There must be a way to pipe thru a "where" statement...  I tried to do a remove-mailboxfolderpermission engcalendar:\calendar | get-mailboxfolderpermission and it just asks for the name of the person to remove...

What statement do I use to remove them all?

Thanks.

June 17th, 2015 7:31pm

I don't know how to remove all of the people that have permission to the calendar.  I don't have many of them so I don't mind removing them all and adding them separately.  Also when I try to set the removed person to a different level access rights I get essentially the same thing: "There is no existing permission entry found for user: doej." 

When I tried to do a remove-mailboxfolderpermission engcalendar:\calendar -user * I get the error message, * matches multiple entries.  There must be a way to pipe thru a "where" statement...  I tried to do a remove-mailboxfolderpermission engcalendar:\calendar | get-mailboxfolderpermission and it just asks for the name of the person to remove...

What statement do I use to remove them all?

Thanks.

Free Windows Admin Tool Kit Click here and download it now
June 17th, 2015 7:31pm
Just do set-mailboxfolderpermission 'engcalendar:\acalendar' -user anybody -accessrights editor

This will overwrite all the permission entries on this calendar. just make a note of the people with permissions first!
June 18th, 2015 1:29am
Just do set-mailboxfolderpermission 'engcalendar:\acalendar' -user anybody -accessrights editor

This will overwrite all the permission entries on this calendar. just make a note of the people with permissions first!
Free Windows Admin Tool Kit Click here and download it now
June 18th, 2015 1:29am

Our AD is replicating without any issues.  When I try to add the user back in, it says: "the user doej@... is either not valid SMTP address, or there is no matching information."  Which is accurate because there is no user in our system anymore.

June 18th, 2015 3:31am

Our AD is replicating without any issues.  When I try to add the user back in, it says: "the user doej@... is either not valid SMTP address, or there is no matching information."  Which is accurate because there is no user in our system anymore.

Free Windows Admin Tool Kit Click here and download it now
June 18th, 2015 3:31am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics