add/remove mailboxpermission problem
Scenario:
Resource Mailbox = testresource1
User = User1
Group = ResourceGroup (Universal Security Group)
Membership = User1 part of ResourceGroup
--------------
Steps:
1. Applied permission using add-mailboxpermission -id testresource1 -user "domain\ResourceGroup" -accessrights fullaccess
It appears that the permissions worked from here as the User had access. Good.
2. Removed User1 from ResourceGroup.
User1 still appeared to have permission to the mailbox. Bad.
Ran get-mailboxpermission to verify applied permissions and any possible missed inheritance from other memberships or explicit permissions. Nothing in there referring to User1 in any form.
3. Removed ResourceGroup from testresource1 using remove-mailboxpermission -id testresource1 -user "domain\ResourceGroup" -accessrights fullaccess
User1 no longer had access to testresource1. Ooook??
4. Ran through the steps a few times to try and confirm and each time came back with the same result.
----------
Any thoughts on this? I am curious why just removing the user from the group didn't remove their permission to this resource? I have a small environment with 2 DCs and forced replication while doing this. Shouldn't it just work by removing them??
December 8th, 2008 7:13pm
Hi,
How long did you wait to verify the results after removing user from the resource group?
Full Access or Receive As permissions are not granted/removed until the Microsoft Exchange Information Store service caches the permissions and updates the cache, which is by default 2 hours, so I suggest you wait a couple of hours and verify again.
To grant/remove the permissions immediately, stop and then restart the Microsoft Exchange Information Store service, but it affects all the mailboxes on the server.
December 8th, 2008 7:36pm
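An added example, not part of the thread: a way to tell whether the directory still grants access (a group ACE that the user's current token matches) or whether the access that still works can only come from the cached permissions described in the reply above. It is meant for the Exchange Management Shell; the mailbox name comes from the question, and the UPN `user1@domain.example` is an assumed placeholder.

```powershell
# Added example, not from the thread. Placeholders: adjust both parameters.
param(
    [string]$Mailbox = 'testresource1',
    [string]$UserUpn = 'user1@domain.example'   # assumed UPN for User1
)

# 1. Allow ACEs on the mailbox that carry FullAccess.
$aces = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.Deny -and ("$($_.AccessRights)" -like '*FullAccess*') }

# 2. Build the token the domain would issue for the user right now (S4U logon,
#    no password needed) and collect the account names of its group SIDs.
$identity = New-Object System.Security.Principal.WindowsIdentity($UserUpn)
$tokenNames = @($identity.Name)
# forceSuccess = $false: SIDs that cannot be resolved are left as SIDs.
$translated = $identity.Groups.Translate(
    [System.Security.Principal.NTAccount], $false)
$translated | ForEach-Object { $tokenNames += $_.Value }

# 3. ACEs whose trustee (shown as DOMAIN\name) is the user or one of those groups.
#    -contains compares case-insensitively.
$granting = @($aces | Where-Object { $tokenNames -contains $_.User.ToString() })

if ($granting.Count -gt 0) {
    "The directory still grants FullAccess on $Mailbox to $UserUpn through:"
    $granting | ForEach-Object {
        "  {0}  (inherited: {1})" -f $_.User, $_.IsInherited
    }
} else {
    "No FullAccess ACE on $Mailbox matches the current groups of $UserUpn."
    "If the user can still open the mailbox, the access is coming from cached"
    "permissions on the server, not from the directory."
}
```

If the second branch prints while the user can still open the mailbox, the revocation is complete in the directory and only the cached state on the Exchange server remains to expire.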
Thanks for the reply, it appears after waiting the recommendation (which seemed fully reasonable) the "revoked" permissions still were applied to the user. It's been over 2 hours now, I will restart the service later to see if this could be the problem still. Thanks for your reply, I will keep you posted.
December 9th, 2008 12:20am
Hi,
I would like to know which method you used to test the issue. OWA or Outlook?
Please tell me whether the issue also exists if you are able to log on to the resource mailbox by using Outlook and providing User1's credentials after removing User1 from the group.
If you are not able to log on to the resource mailbox by using Outlook, please reset IIS and then access the resource mailbox again by using OWA.
Mike
December 11th, 2008 10:57am