Managing Full Access Permission - EMC vs. EMS
Hi there. I just recently completed an Exchange 2007 to Exchange 2010 migration and am taking this opportunity to clean up the Full Access permissions in my environment. I had planned to script most of this with the Exchange Management Shell using the "Remove-MailboxPermission" cmdlet, but I wanted to do some initial testing in the EMC. So, I removed a few unnecessary users from having Full Access on some mailboxes (using EMC) and I noticed the summary contained 2 items:

Remove-MailboxPermission -Identity 'John Dough' -User 'User_Being_Removed' -InheritanceType 'All' -AccessRights 'FullAccess'

Add-MailboxPermission -Identity 'John Dough' -User 'User_Being_Removed' -Deny -AccessRights 'FullAccess'

I am curious as to why it is removing the full access permission, then re-adding it, this time with a Deny. Does this mean that if I want to script this, I also need to perform the 2 steps mentioned above in my script? Wouldn't the Remove-MailboxPermission command achieve what I am trying to do alone? Any insight is appreciated. Thanks!
February 4th, 2011 4:51pm

I don't think you should have to add the 'deny' line. This article doesn't include it: http://technet.microsoft.com/en-us/library/bb676551(EXCHG.140).aspx I wonder if this is just added for 'good measure'. Perhaps it ensures the permission is removed even if there are rights set higher up in the chain somewhere?

Mike Crowley
Check out My Blog!
February 4th, 2011 5:33pm

I think you do have to use both lines. The first line does remove the inherited permissions, but not the permission set with, for instance, the EMC: Manage Full Access Permission. Just made a short test. While I cannot see the differences right now, there is an updated reference for Exchange 2010 SP1: Manage Full Access Permissions, Applies to: Exchange Server 2010 SP1, http://technet.microsoft.com/en-us/library/bb676551.aspx

MCTS: Messaging | MCSE: S+M
February 5th, 2011 9:45am

Jon, I don't see the line for deny in the article you supplied. Am I overlooking it?

Mike Crowley
Check out My Blog!
February 7th, 2011 9:56am

Yeah. I'm just really curious which procedure is considered best practice. I would like to believe that removing the permission is essentially the same as adding a deny. Will doing either of these procedures get me into trouble down the road if I have a need for re-adding these users/groups? After I removed the user in question from having Full Access on "John Dough", I ran Get-MailboxPermission on this account and I still see User_Being_Removed at the bottom of the list, with FullAccess rights, Inherited = True, Deny = False. Then, further up the list, Inherited = True, Deny = True. The only thing I can think of is that the EMC accounts for higher-level inheritance, while running the command manually from EMS does not.
February 7th, 2011 10:30am

You don't need to run the deny; you typically want to stay away from deny unless you explicitly want to deny that person, which in this case you don't. You just want him back to the default behavior, which is that he doesn't have access. Deny won't necessarily get you in trouble, but for example, say in the future you grant group X rights to user A's mailbox. User B is in group X but won't have rights to open it if he explicitly has a deny. So you could run into these hidden deny scenarios. I didn't have to run the second command with the deny; just running Remove-MailboxPermission removed the user for me. If you are finding that it's not removing, that account might be inheriting permissions at the database level. That account may have Receive-As rights set at the database level (or higher up), which would grant him full mailbox access as well.

James Chong (MVP) MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL
msexchangetips.blogspot.com
February 7th, 2011 11:00am
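The audit-before-remove approach James and the original poster describe, as an added example for the Exchange 2010 Management Shell (this is not code posted by anyone in the thread). It separates explicit, inherited and Deny FullAccess entries on a mailbox, removes only the explicit grants without adding a Deny, and, if inherited entries remain, lists Receive-As grants on the mailbox's database as the first place to look. The mailbox name 'John Dough' is the thread's placeholder; `-WhatIf` is left on so nothing changes until you remove it.

```powershell
# Added example, not from any poster in this thread. Assumes an Exchange 2010
# Management Shell session with rights to read mailbox and database ACLs.
function Get-FullAccessAudit {
    param([Parameter(Mandatory = $true)][string]$Mailbox)

    $acl = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       $_.User -notlike 'NT AUTHORITY\SELF' }

    # Explicit grants on the mailbox object: what Remove-MailboxPermission removes.
    $explicit  = $acl | Where-Object { -not $_.IsInherited -and -not $_.Deny }
    # Inherited grants: a mailbox-level remove leaves these in place, which is
    # why the EMC emits an extra Add-MailboxPermission -Deny.
    $inherited = $acl | Where-Object { $_.IsInherited -and -not $_.Deny }
    # Existing Deny ACEs: these override later grants, including grants made
    # to a group the user belongs to (the "hidden deny" scenario).
    $denies    = $acl | Where-Object { $_.Deny }

    [pscustomobject]@{
        Mailbox   = $Mailbox
        Explicit  = @($explicit  | Select-Object -ExpandProperty User)
        Inherited = @($inherited | Select-Object -ExpandProperty User)
        Deny      = @($denies    | Select-Object -ExpandProperty User)
    }
}

# Receive-As on a mailbox database (or inherited onto it from the server or
# organization) grants full access to every mailbox on that database.
function Get-ReceiveAsGrants {
    param([Parameter(Mandatory = $true)]$Database)
    Get-MailboxDatabase -Identity $Database |
        Get-ADPermission |
        Where-Object { $_.ExtendedRights -like '*Receive-As*' } |
        Select-Object User, Deny, IsInherited,
            @{ n = 'Rights'; e = { $_.ExtendedRights -join ',' } }
}

# Audit first, then remove only explicit grants; no Deny is ever written.
$audit = Get-FullAccessAudit -Mailbox 'John Dough'
$audit | Format-List
foreach ($user in $audit.Explicit) {
    Remove-MailboxPermission -Identity 'John Dough' -User $user `
        -AccessRights FullAccess -InheritanceType All -Confirm:$false -WhatIf
}
if ($audit.Inherited.Count -gt 0) {
    # Inherited FullAccess survives the remove; start the search one level up.
    Get-ReceiveAsGrants -Database (Get-Mailbox -Identity 'John Dough').Database
}
```

Re-running Get-FullAccessAudit after the removal shows whether any FullAccess entry for the user remains, and whether it is an inherited one that the mailbox-level remove could never have touched.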

James, I think your comments are pretty sound overall, but the question here is why does the GUI add 'deny' by default if this is not necessary. I am looking into this and will post back my findings.

Mike Crowley
Check out My Blog!
February 7th, 2011 11:39am

Hmm, I'm not able to reproduce the issue. Just to confirm the issue:

1. Add-MailboxPermission -Identity 'john doe' -User 'admin' -InheritanceType 'All' -AccessRights 'FullAccess'
2. Go into EMC and remove admin from full mailbox rights
3. Run Get-MailboxPermission 'john doe'

I no longer see user admin listed.

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL
msexchangetips.blogspot.com
February 7th, 2011 11:55am

Hi James & Mike, I believe I have this figured out. It looks like the EMC is smart enough to detect inherited rights and will add the -Deny line if you remove the user with EMC and it detects it will still have full access after the Full Access permissions are removed. Performing this operation with the EMS would not give the same results, as the EMC must have some additional logic around running cmdlets. I wonder if this would be worthwhile to request as a feature in Remove-MailboxPermission? Maybe at least just provide a warning rather than automatically add the -Deny? Shortly, I am going to try and nail down where these permissions are being inherited from. Do either of you know the proper location to check the security in ADSI Edit for Exchange 2010 SP1? So far, I am guessing:

CN=MBXServer,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration

Or is this at the IS level?

CN=Information Store,CN=MBXServer,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration

Thanks!
February 8th, 2011 12:16pm

Ahh, good find! The inheritance can come at any level; you just need to start working your way up the hierarchy until you find it :)

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL
msexchangetips.blogspot.com
February 8th, 2011 3:41pm

> Hi James & Mike, I believe I have this figured out. It looks like the EMC is smart enough to detect inherited rights and will add the -Deny line if you remove the user with EMC and it detects it will still have full access after the Full Access permissions are removed. Performing this operation with the EMS would not give the same results, as the EMC must have some additional logic around running cmdlets. I wonder if this would be worthwhile to request as a feature in Remove-MailboxPermission? Maybe at least just provide a warning rather than automatically add the -Deny? Shortly, I am going to try and nail down where these permissions are being inherited from. Do either of you know the proper location to check the security in ADSI Edit for Exchange 2010 SP1? So far, I am guessing: CN=MBXServer,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration Or is this at the IS level? : CN=Information Store,CN=MBXServer,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration Thanks!

I do not believe EMC is 'smart' in this way. These are two command strings that run when you choose to remove full access. I do not believe there is any additional logic behind the scenes.

Mike Crowley
Check out My Blog!
February 8th, 2011 4:38pm
