Discussion:
can't remove Full Access rights for one user??!!!!
(too old to reply)
waleed
2009-03-09 13:13:01 UTC
Permalink
Raw Message
Hi everybody,

could you please help me to solve the below issue:


I'm trying to remove Full Access rights for one user from an
existing user's mailbox... Exchange 2007 SP1. When I try to do so, I
receive the following error message:


+++++++++++++++++++++++++++

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00


Error:
Cannot remove ACE on object
"CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX" for account
"xxx\xxxxx.xxxx" because it is not present.


Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity
'CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX' -User
'xxx\xxxxx.xxx' -InheritanceType 'All' -AccessRights 'FullAccess'


please note that I can remove the "send as permission" for the same user on
the same mailbox!!!


thanks in advance...

waleed
Ed Crowley [MVP]
2009-03-09 16:46:31 UTC
Permalink
Raw Message
Do you have SID history enabled on the domain, and might this SID be an old
one? I'm suspicious that you might have tripped over a bug where maybe
Exchange 2007 SP1 doesn't properly handle SID history.

You might want to open a ticket with Microsoft Support.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
.
Post by waleed
Hi everybody,
I'm trying to remove Full Access rights for one user from an
existing user's mailbox... Exchange 2007 SP1. When I try to do so, I
+++++++++++++++++++++++++++
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Cannot remove ACE on object
"CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX" for account
"xxx\xxxxx.xxxx" because it is not present.
Remove-MailboxPermission -Identity
'CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX' -User
'xxx\xxxxx.xxx' -InheritanceType 'All' -AccessRights 'FullAccess'
please note that I can remove the "send as permission" for the same user on
the same mailbox!!!
thanks in advance...
waleed
jamestechman
2009-03-09 17:13:00 UTC
Permalink
Raw Message
Try adding the -deny parameter at the end of the remove-
mailboxpermission cmdlet. If that doesn't work and you have ADUC with
the Exchange 2003 tools remove it from there.


James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com
Post by Ed Crowley [MVP]
Do you have SID history enabled on the domain, and might this SID be an old
one?  I'm suspicious that you might have tripped over a bug where maybe
Exchange 2007 SP1 doesn't properly handle SID history.
You might want to open a ticket with Microsoft Support.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
.
Post by waleed
Hi everybody,
I'm trying to remove Full Access rights for one user from an
existing user's mailbox... Exchange 2007 SP1.  When I try to do so, I
+++++++++++++++++++++++++++
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Cannot remove ACE on object
"CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX" for account
"xxx\xxxxx.xxxx" because it is not present.
Remove-MailboxPermission -Identity
'CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX' -User
'xxx\xxxxx.xxx' -InheritanceType 'All' -AccessRights 'FullAccess'
please note that I can remove the "send as permission" for the same user on
the same mailbox!!!
thanks in advance...
waleed- Hide quoted text -
- Show quoted text -
Xerxes
2013-09-27 23:09:54 UTC
Permalink
Raw Message
Post by jamestechman
Try adding the -deny parameter at the end of the remove-
mailboxpermission cmdlet. If that doesn't work and you have ADUC with
the Exchange 2003 tools remove it from there.
James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com
Post by Ed Crowley [MVP]
Do you have SID history enabled on the domain, and might this SID be an old
one?  I'm suspicious that you might have tripped over a bug where maybe
Exchange 2007 SP1 doesn't properly handle SID history.
You might want to open a ticket with Microsoft Support.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
.
Post by waleed
Hi everybody,
I'm trying to remove Full Access rights for one user from an
existing user's mailbox... Exchange 2007 SP1.  When I try to do so, I
+++++++++++++++++++++++++++
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Cannot remove ACE on object
"CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX" for account
"xxx\xxxxx.xxxx" because it is not present.
Remove-MailboxPermission -Identity
'CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX' -User
'xxx\xxxxx.xxx' -InheritanceType 'All' -AccessRights 'FullAccess'
please note that I can remove the "send as permission" for the same user on
the same mailbox!!!
thanks in advance...
waleed- Hide quoted text -
- Show quoted text -
Thank you Jamestechman. adding -deny worked.

Loading...