That's a _great_ idea. Unfortunately, I already looked from above that container all the way down to each database involved. (I'm a bit masochistic, it seems.)

No joy. But - thanks very much. I greatly appreciate everyone's help!

On Fri, Aug 9, 2013 at 12:09 PM, Rupprecht, James R. <[email protected]> wrote:

> My guess is that the ACL was set on the configuration itself.
>
> <DangerWillRobinson>
> Open ADSIEdit and go to configuration/services/Microsoft Exchange/<your org name>. Right click that container and choose PROPERTIES then the SECURITY tab. I suspect you will see the account there with rights assigned to it.
> </DangerWillRobinson>
>
> Exercise EXTREME caution here. Removing the wrong thing is "very, very bad".
>
> In the days before Exchange 2007 RBAC, we created an account that had access to the entire mail system in order to perform extracts for legal and HR purposes. When Exchange 2010 arrived (we skipped 2007) we maintained the account for troubleshooting and support purposes.
>
> Hope this helps...
>
> James Rupprecht
> Enterprise IT Architect, Microsoft Technologies
> The University of Kansas
> Office: +1 785 864-0116
> Email: [email protected]
>
> ----- Original Message -----
> From: [email protected] [mailto:[email protected]] On Behalf Of Russ Patterson
> Sent: Friday, August 09, 2013 10:35 AM
> To: Exchange list
> Subject: Re: [Exchange] "the ACE doesn't exist on the object"
>
> It's definitely 'tidiness.' - The onsite folks want the name gone when they do a
>
> Get-MailboxPermission "HugeBox"
>
> I think before I do a Deny, I'll bite the bullet & rebuild.....
>
> On Fri, Aug 9, 2013 at 11:25 AM, Sobey, Richard A <[email protected]> wrote:
> I can very well see the point of having the ACL gone, if only for "tidiness" reasons, but if there is a desire to stop Goodbye from being able to view the mailbox, could you set a Deny permission instead?
>
> Your later post talks about recovering HugeBox from a previous backup, but wouldn't that still have the ACL intact? Sounds like it's possibly being inherited higher up in the organization. Does GoodBye get listed on any other mailboxes?
>
> Richard
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Russ Patterson
> Sent: 08 August 2013 22:34
> To: Exchange list
> Subject: [Exchange] "the ACE doesn't exist on the object"
>
> I have a customer who has a very old, very large (11 gig) mailbox. Let's call it HugeBox. There's a user who has retired & they want him to disappear from Get-MailboxPermission output. Let's call him GoodBye.
>
> If you do Get-MailboxPermission, you see his name (FullAccess.) If you do Add-MailboxPermission, with Goodbye as the user, it says you can't because he's already there. If you do Remove-MailboxPermission, it says you can't because GoodBye's NOT there ("the ACE doesn't exist on the object.")
>
> We've tried moving the HugeBox mailbox. We've tried repairing the HugeBox mailbox. As I said, the PowerShell cmdlets fail. Goodbye does NOT get listed if you do a Get-ADPermissions. The SIDHistory attribute of GoodBye is <not set.>
>
> We did lots more, to the point that we finally even edited the msExchMailboxSecurityDescriptor of HugeBox and removed the SID of GoodBye (along with the other stuff that was surrounded by the same set of parentheses.) 3-4 hours later, that SID was back.....
>
> Any suggestions? I'm also told there's never been a different domain name, in case you suggest trying using OLDDOMAIN\Goodbye in the remove-MailboxPermission cmdlet - no OLDDOMAIN...
>
> I'd love some help here! - Thanks for your time!
