It's definitely 'tidiness.' - THe onsite folks want the name gone when they do a
Get-Mailbox Permission "HugeBox" I think before I do a Deny, I'll bite the bullet & rebuild..... On Fri, Aug 9, 2013 at 11:25 AM, Sobey, Richard A <[email protected]>wrote: > I can very well see the point of having the ACL gone, if only for > “tidiness” reasons, but if there is a desire to stop Goodbye from being > able to view the mailbox, could you set a Deny permission instead?**** > > ** ** > > Your later post talks about recovering HugeBox from a previous backup, but > wouldn’t that still have the ACL intact? Sounds like it’s possibly being > inherited higher up in the organization. Does GoodBye get listed on any > other mailboxes?**** > > ** ** > > Richard**** > > ** ** > > ** ** > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Russ Patterson > *Sent:* 08 August 2013 22:34 > *To:* Exchange list > *Subject:* [Exchange] "the ACE doesn't exist on the object"**** > > ** ** > > I have a customer who has a very old, very large (11 gig) mailbox. Let's > call it HugeBox. There's a user who has retired & they want him to > disappear from Get-MailboxPermission output. Let's call him GoodBye.**** > > **** > > If you do Get-MailboxPermission, you see his name (FullAccess.) If you do > Add-MailboxPermission, with Goodbye as the user, it says' you can't because > he's already there. If you do Remove-MailboxPermission, it says you can't > because GoodBye's NOT there ("the ACE doesn't exist on the object.")**** > > **** > > We've tried moving the HugeBox mailbox. We've tried repairing the HugeBox > mailbox. As I said, the Powershell cmdlets fail. Goodbye does NOT get > listed if you do a Get-ADPermissions. The SIDHistory attribute of GoodBye > is <not set.>**** > > **** > > We did lots more, to the point that we finally even edited the > msExchMailboxSecurityDescriptor of HugeBox and removed the SID of GoodBye > (along with the other stuff that was surrounded by the same set of > parenthesis.) 3-4 hours later, that SID was back.....**** > > **** > > Any suggestions? I'm also told there's never been a different domain name, > in case you suggest trying using OLDDOMAIN\Goodbye in the > remove-MailboxPermission cmdlet - no OLDDOMAIN...**** > > **** > > I'd love some help here! - Thanks for your time!**** > > **** > > **** >
