My guess is that the ACL was set on the configuration itself. 

<DangerWillRobinson>
Open ADSIEdit and go to configuration/services/Microsoft Exchange/<your org 
name>. Right click that container and choose PROPERTIES then the SECURITY tab. 
I suspect you will see the account there with rights assigned to it.
</DangerWillRobinson>

Exercise EXTREME caution here. Removing the wrong thing is "very, very bad".

In the days before Exchange 2007 RBAC, we created an account that had access to 
the entire mail system in order to perform extracts for legal and HR purposes. 
When Exchange 2010 arrived (we skipped 2007) we maintained the account for 
troubleshooting and support purposes.

Hope this helps...

James Rupprecht         
Enterprise IT Architect, Microsoft Technologies         
The University of Kansas        
Office: +1 785 864-0116                 
Email: [email protected]      

----- Original Message -----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Russ Patterson
Sent: Friday, August 09, 2013 10:35 AM
To: Exchange list
Subject: Re: [Exchange] "the ACE doesn't exist on the object"

It's definitely 'tidiness.' - The onsite folks want the name gone when they do a
 
 Get-MailboxPermission "HugeBox"
 
I think before I do a Deny, I'll bite the bullet & rebuild.....

On Fri, Aug 9, 2013 at 11:25 AM, Sobey, Richard A <[email protected]> 
wrote:
I can very well see the point of having the ACL gone, if only for "tidiness" 
reasons, but if there is a desire to stop Goodbye from being able to view the 
mailbox, could you set a Deny permission instead?
 
Your later post talks about recovering HugeBox from a previous backup, but 
wouldn't that still have the ACL intact? Sounds like it's possibly being 
inherited higher up in the organization. Does GoodBye get listed on any other 
mailboxes?
 
Richard
 
 
From: [email protected] [mailto:[email protected]] On 
Behalf Of Russ Patterson
Sent: 08 August 2013 22:34
To: Exchange list
Subject: [Exchange] "the ACE doesn't exist on the object"
 
I have a customer who has a very old, very large (11 gig) mailbox. Let's call 
it HugeBox. There's a user who has retired & they want him to disappear from 
Get-MailboxPermission output. Let's call him GoodBye.
 
If you do Get-MailboxPermission, you see his name (FullAccess.)  If you do 
Add-MailboxPermission, with Goodbye as the user, it says you can't because 
he's already there. If you do Remove-MailboxPermission, it says you can't 
because GoodBye's NOT there ("the ACE doesn't exist on the object.")
 
We've tried moving the HugeBox mailbox. We've tried repairing the HugeBox 
mailbox. As I said, the PowerShell cmdlets fail. Goodbye does NOT get listed if 
you do a Get-ADPermission. The SIDHistory attribute of GoodBye is <not set>.
 
We did lots more, to the point that we finally even edited the 
msExchMailboxSecurityDescriptor of HugeBox and removed the SID of GoodBye 
(along with the other stuff that was surrounded by the same set of 
parentheses.)   3-4 hours later, that SID was back.....
 
Any suggestions? I'm also told there's never been a different domain name, in 
case you suggest trying to use OLDDOMAIN\Goodbye in the Remove-MailboxPermission 
cmdlet - no OLDDOMAIN...
 
I'd love some help here! - Thanks for your time!
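
The inheritance question raised in the thread can be checked on the security descriptor itself: in SDDL each parenthesised group is one ACE, and an inherited ACE carries the ID flag. The PowerShell below is an added example, not code from anyone in the thread; the SDDL string and all SIDs are constructed, and Get-AceForSid is a hypothetical helper name.

```powershell
# Constructed sample: an SDDL string shaped like the text form of a mailbox
# security descriptor. All SIDs below are made up for this example.
$domain     = 'S-1-5-21-1111111111-2222222222-3333333333'
$goodbyeSid = "$domain-1105"     # hypothetical SID standing in for GoodBye

# DACL contents: one explicit ACE for SELF (S-1-5-10), then two ACEs that
# carry the ID (inherited) flag, one of them for the GoodBye SID.
$sddl = "O:$domain-500" + "G:$domain-513" + 'D:' +
        '(A;CI;CCRC;;;S-1-5-10)' +
        "(A;CIID;CCRC;;;$goodbyeSid)" +
        "(A;CIID;CCRC;;;$domain-512)"

# Hypothetical helper: return every ACE in the DACL that names the given SID,
# with the flags needed to tell an explicit ACE from an inherited one.
function Get-AceForSid {
    param([string]$Sddl, [string]$Sid)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only KnownAce-derived entries expose a SID and an access mask.
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        [pscustomobject]@{
            Sid         = $ace.SecurityIdentifier.Value
            AceType     = $ace.AceType
            AccessMask  = '0x{0:X}' -f $ace.AccessMask
            AceFlags    = $ace.AceFlags
            IsInherited = $ace.IsInherited
        }
    }
}

$hits = @(Get-AceForSid -Sddl $sddl -Sid $goodbyeSid)
if ($hits.Count -eq 0) { 'No ACE for that SID in this descriptor.' }
foreach ($h in $hits) {
    $h | Format-List
    if ($h.IsInherited) {
        'Inherited: this ACE is defined on a parent object, not on this one.'
    } else {
        'Explicit: this ACE is defined on this object itself.'
    }
}
```

On a live system, each entry returned by Get-MailboxPermission also has an IsInherited property that answers the same question without reading the raw descriptor.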
 
 



