
My original question was a bit complex. However, some cool members did manage to help me.

I got the following piece of code from Vesper:

$mailbox=get-mailbox $username
$perms=get-mailboxpermission $mailbox | where {$_.isinherited -eq $false -and $_.user.toString() -ne "NT AUTHORITY\SELF"}
$perms | remove-mailboxpermission $mailbox -confirm:$false

When I run these commands in an Exchange PowerShell window one by one it works beautifully. However, when I try to run my complete script with that snippet in it I receive the following error:

Cannot process argument transformation on parameter 'Identity'. Cannot convert the "USERNAME" value of type
"Deserialized.Microsoft.Exchange.Data.Directory.Management.Mailbox" to type
"Microsoft.Exchange.Configuration.Tasks.MailboxIdParameter".
    + CategoryInfo          : InvalidData: (:) [Get-MailboxPermission], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-MailboxPermission
    + PSComputerName        : SERVER

Any idea how to solve this?

John
    Hey John, welcome to SO. That is a pretty tall order. We are not a code writing service nor a resource location tool. We are here to help programmers and programming enthusiasts. On your own you should be able to break this request into its parts and try it on your own. When you get a specific problem, show your work and what you need and the community would be more than willing to help you. – Matt Jun 22 '15 at 12:51
  • Hello Matt. I completely understand. I am already trying to put something together but unfortunately I do not really know where to start. I guess I will keep browsing the internet then and see how far I can come. Thank you anyway. – John Jun 22 '15 at 12:56
  • `Get-Mailbox`, `Get-ADPermission` would be the place to start. – Matt Jun 22 '15 at 12:57
  • I already know about those commands. Where I am stuck is how I can walk through the permissions on that particular mailbox, recognize the standard rights that need to stay and remove all other rights. I am thinking along the lines of `Get-MailboxPermission`. Export that result, then import it again and walk through the rights and only remove the rights that are not standard. – John Jun 22 '15 at 13:02
  • So, you need to remove "all user rights" that are not specific to the Exchange system from a mailbox of a disabled user? You should use Exchange's cmdlets for permissions (`Get-MailboxPermission`, etc.) instead of AD's cmdlets. – Vesper Jun 22 '15 at 13:30
  • @Vesper Oops. `Get-MailboxPermission` would be the preferential one to use in this case. – Matt Jun 22 '15 at 14:10

3 Answers


A quick and dirty solution can be like this:

$mailbox = Get-Mailbox $user   # populate $user first
# explicit (non-inherited) ACEs only, and never the SELF entry the owner needs
$perms = Get-MailboxPermission $mailbox | Where-Object { $_.IsInherited -eq $false -and $_.User.ToString() -ne "NT AUTHORITY\SELF" }
$perms | Remove-MailboxPermission $mailbox -WhatIf   # drop -WhatIf once the preview looks right

Be warned, incorrect use of this script can ruin your Exchange organization, so probably test that on a single mailbox. The script is NOT tested, although it complies with manuals on both Exchange and PowerShell.

Explanation: The first line gets the mailbox in question. The second line first gets the full ACL on the Exchange mailbox object, then filters only those entries that are not inherited (`$_.IsInherited -eq $false`) and filters out `NT AUTHORITY\SELF`, which is required to be present for someone to ever access the mailbox - this entry is not inherited. Everything else is deemed to be the permissions that you wish to remove (such rights are added on the mailboxes directly, and thus are not inherited). The third line removes the rights determined by calling `Remove-MailboxPermission` against a pipeline. Note the `-WhatIf` switch, which makes the cmdlet display what's about to be done for the administrator to review before launching the script into production.

Vesper
    This question could very likely be closed soon and would make your effort here needless. It is not usually good form to encourage these types of questions. Or if nothing else, add some information about how to ask a good question by linking to help. – Matt Jun 22 '15 at 14:09
  • "Deleted" will make my efforts needless, indeed, "closed" less so if OP would reach the answer and find it useful. Anyway I need practice too, and SO usually presents tasks for me to not have my mind rot of misuse :) – Vesper Jun 22 '15 at 14:15
  • Closed questions meeting certain criteria get deleted automatically by the crawling processes. FYI – Matt Jun 22 '15 at 14:48
  • Thank you Vesper. I will save your suggested solution so it does not get deleted :). I was already busy working out something with if else statements. Maybe I can come up with something now with your help. Again thank you. – John Jun 22 '15 at 14:56

John,

I'm running into the exact same problem.

I've made one change and it pushed the problem down but didn't solve it.


$Mailboxes = Get-Mailbox testmailbox

foreach ($Mailbox in $Mailboxes) {
    # .DisplayName passes a string, which binds to -Identity where the deserialized object did not
    $FixAutoMappings = Get-MailboxPermission $Mailbox.DisplayName | Where-Object { $_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false }
    foreach ($FixAutoMapping in $FixAutoMappings) {
        $FixAutoMapping | Remove-MailboxPermission $Mailbox.DisplayName
        # note: $_ is not populated inside a foreach statement, so -Identity and -User are empty here
        $FixAutoMapping | Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $false
    }
}

I simply added the .DisplayName after $Mailbox. This solved the getting of permissions, but now I can't remove them. I'm stuck.

For everyone looking at this and asking why.

In Exchange 2010 Service Pack 1 (SP1) Exchange introduced a feature that [forces] allows Outlook 2007 and Outlook 2010 clients to automatically map to any mailbox to which a user has Full Access permissions. If a user is granted Full Access permissions to another user's mailbox or to a shared mailbox, Outlook automatically loads all mailboxes to which the user has full access.

https://technet.microsoft.com/en-us/library/hh529943(v=exchg.141).aspx

This lovely little feature is causing problems when you have mailboxes with permissions to mailboxes in a different forest.


I figured it out

foreach ($Mailbox in $Mailboxes) {
    $FixAutoMappings = Get-MailboxPermission $Mailbox.DisplayName | Where-Object { $_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false }
    $FixAutoMappings   # echo the entries about to be reset
    foreach ($FixAutoMapping in $FixAutoMappings) {
        # pass identity and user explicitly instead of piping the deserialized ACE object
        Remove-MailboxPermission -Identity $Mailbox.Identity -User $FixAutoMapping.User -AccessRights $FixAutoMapping.AccessRights -Confirm:$false
        Add-MailboxPermission -Identity $Mailbox.Identity -User $FixAutoMapping.User -AccessRights:FullAccess -AutoMapping $false
    }
}

This seemed to work for me.
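As an added example (not code from any of the posts above), the cleanup Vesper sketched and the explicit-parameter style of the last answer combined into one function: it passes the mailbox's DistinguishedName string rather than the deserialized Mailbox object the question's error complains about, keeps NT AUTHORITY\SELF, and honours -WhatIf/-Confirm through ShouldProcess while emitting a record per ACE for auditing. The function name, parameter names and the 'jdoe' sample identity are assumptions.

```powershell
# Added example, not from the original posts. Assumes an Exchange Management Shell
# or an imported remote Exchange session where Get-Mailbox etc. are available.
function Remove-ExplicitMailboxAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity,
        # Trustees that must never be removed; SELF is required for the owner to open the mailbox.
        [string[]]$Keep = @('NT AUTHORITY\SELF')
    )

    $mailbox = Get-Mailbox -Identity $Identity -ErrorAction Stop
    # A deserialized Mailbox object cannot be bound to MailboxIdParameter (the error in
    # the question), but its DistinguishedName string binds fine in any session type.
    $mailboxId = $mailbox.DistinguishedName

    # Explicit (non-inherited) ACEs only, excluding the protected trustees.
    $explicit = Get-MailboxPermission -Identity $mailboxId |
        Where-Object {
            -not $_.IsInherited -and ($Keep -notcontains $_.User.ToString())
        }

    foreach ($ace in $explicit) {
        $user   = $ace.User.ToString()
        $rights = $ace.AccessRights
        $action = "Remove $($rights -join ',') for $user"

        # ShouldProcess returns $false under -WhatIf, so nothing is changed during a dry run.
        $proceed = $PSCmdlet.ShouldProcess($mailbox.PrimarySmtpAddress.ToString(), $action)
        if ($proceed) {
            # -Deny:$ace.Deny targets a deny entry only when the ACE actually is one.
            Remove-MailboxPermission -Identity $mailboxId -User $user -AccessRights $rights `
                -Deny:$ace.Deny -Confirm:$false
        }

        # One record per ACE so the run can be logged whether or not it was a dry run.
        [pscustomobject]@{
            Mailbox      = $mailbox.PrimarySmtpAddress.ToString()
            User         = $user
            AccessRights = ($rights -join ',')
            Deny         = [bool]$ace.Deny
            Removed      = $proceed
        }
    }
}

# Preview first, then apply (sample identity 'jdoe' is a placeholder):
# Remove-ExplicitMailboxAccess -Identity 'jdoe' -WhatIf
# Remove-ExplicitMailboxAccess -Identity 'jdoe' -Confirm:$false | Export-Csv .\removed-aces.csv -NoTypeInformation
```

Export the emitted records before a real run so you have a reversible list of who lost which rights on which mailbox.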