I can very well see the point of having the ACL gone, if only for "tidiness" reasons, but if there is a desire to stop Goodbye from being able to view the mailbox, could you set a Deny permission instead?
Your later post talks about recovering HugeBox from a previous backup, but wouldn't that still have the ACL intact? Sounds like it's possibly being inherited higher up in the organization. Does GoodBye get listed on any other mailboxes? Richard From: [email protected] [mailto:[email protected]] On Behalf Of Russ Patterson Sent: 08 August 2013 22:34 To: Exchange list Subject: [Exchange] "the ACE doesn't exist on the object" I have a customer who has a very old, very large (11 gig) mailbox. Let's call it HugeBox. There's a user who has retired & they want him to disappear from Get-MailboxPermission output. Let's call him GoodBye. If you do Get-MailboxPermission, you see his name (FullAccess.) If you do Add-MailboxPermission, with Goodbye as the user, it says' you can't because he's already there. If you do Remove-MailboxPermission, it says you can't because GoodBye's NOT there ("the ACE doesn't exist on the object.") We've tried moving the HugeBox mailbox. We've tried repairing the HugeBox mailbox. As I said, the Powershell cmdlets fail. Goodbye does NOT get listed if you do a Get-ADPermissions. The SIDHistory attribute of GoodBye is <not set.> We did lots more, to the point that we finally even edited the msExchMailboxSecurityDescriptor of HugeBox and removed the SID of GoodBye (along with the other stuff that was surrounded by the same set of parenthesis.) 3-4 hours later, that SID was back..... Any suggestions? I'm also told there's never been a different domain name, in case you suggest trying using OLDDOMAIN\Goodbye in the remove-MailboxPermission cmdlet - no OLDDOMAIN... I'd love some help here! - Thanks for your time!
