Migrated Mailboxes with Delegated permissions cannot be administered.
We migrated all of our mailboxes from Exchange 5.5 and NT4 to 2007 and AD using a third party tool which has worked a treat and everything is tickety boo. Well, at least that is how it appeared until we needed to remove delegated permissions from a mailbox when the user moved department. The error message received was:

Cannot remove ACE on object "CN=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX" for account "xxx\xxxxx.xxxx" because it is not present.

Essentially the SID history of the migrated user has been applied to the mailbox ACL (not the SID) and Exchange is unable to work out the SID from the SID History and remove the user even though the user's name is correctly displayed. I've even tried a PowerShell remove with the SID history instead of a domain\username but no joy. This similar issue was the subject of this post: http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/thread/50a94a45-903e-409e-ba5c-116d84bed7ff but the workaround there was to use the 2003 ADUC extensions from Exchange 2003, which isn't possible for us as our AD Schema is native 2007 and I'm loath to run ForestPrep and bloat the schema just to work around a bug. Essentially what I'm looking for is another way of doing this or some idea from the Exchange team if this bug is ever going to be resolved?
July 10th, 2009 4:50pm

Hi, I would like to explain that Microsoft has identified the issue. Nevertheless, based on my research, currently, the issue is not scheduled to be fixed in Exchange 2007. Therefore, the recommended workaround is to remove the Mailbox Permission in ADUC. In addition, I understand that it is a pure Exchange 2007 environment. Based on the current situation, I suggest you use the ADModify tool to remove the mailbox permission.

Note: The ADModify tool needs to be run on the computer which has Exchange 2003 administrative components installed:

1. Run the ADModify tool and select Modify Attributes
2. Connect to the DC server
3. Locate the user which owns the mailbox
4. Under the Mailbox Rights tab, select Remove User From Mailbox Rights and type the SID of the user in the original domain (SIDHistory) in Username, then select the related permission to remove

Mike
July 15th, 2009 10:08am

Hi, Are you able to remove the mailbox permission by using the ADModify tool? Mike
July 17th, 2009 12:10pm

Afraid not, the message I got when I attempted the removal via ADModify as you specified above on a machine with the Exchange 2003 tools was similar to the one I got through EMC or EMS: that the account (or rather the SIDHistory of the account with delegated rights) has no rights on the mailbox so no rights can be removed. Disappointing.....
July 23rd, 2009 11:48am

Hi, Would you please let me know whether you used the SID number (instead of the username) to remove the mailbox permission? I would like to explain that I have reproduced your issue in my lab and I am able to remove the original SID from the mailbox permission by using the ADModify tool. In addition, if you export the mailbox permission by using the ADModify tool, are you able to locate the SIDHistory? Mike
July 23rd, 2009 12:02pm

I've tried ADModify with the SID of the delegated user, the SIDHistory, uppercase and lowercase, dashes and no dashes, and the XML dump I get is:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE LogFile>
<XmlRoot xmlns="23072009152028.xml">
<user UserDN="LDAP://CN=XXXX XXX,OU=Users,OU=XXX,OU=Location,DC=XXX,DC=co,DC=uk" type="Already Set to Specified Value" attribute="Modify Mailbox Rights" oldValue="S-1-5-21-535443030-547557486-315576832-2613 has no permissions on this object" newValue="S-1-5-21-535443030-547557486-315576832-2613 has no permissions on this object" />
</XmlRoot>

The SID above is the SID History number of the delegated user on the mailbox. The export from ADModify of the mailbox permissions doesn't show the SID history, it shows the username of the account that the SID History pertains to, i.e.:

<NotInherited>
<Entry Trustee="NT AUTHORITY\SELF" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed" />
<Entry Trustee="XXXX\XXXX.XXX" Mask="ACE_MB_FULL_ACCESS|Allowed" />
</NotInherited>

Where the XXXs are the delegated domain\username. It seems able to work out the username from the SIDHistory but unable to remove it because when it attempts the removal it does it by SID and not SIDHistory.
July 23rd, 2009 5:44pm

The Security descriptor for the mailbox in question is:

msExchMailboxSecurityDescriptor NTSecurityDescriptor 1 D:AI(D;CI;CC;;;S-1-5-21-1024095143-2884037468-579638536-1112)(A;CI;CCRC;;;PS)(A;CI;CC;;;S-1-5-21-373037694-4032081698-3299328069-4226)(A;CI;CC;;;S-1-5-21-535443030-547557486-315576832-1499)(A;CI;CC;;;S-1-5-21-535443030-547557486-315576832-2613)(A;CI;CC;;;S-1-5-21-535443030-547557486-315576832-4732)(A;CI;CC;;;S-1-5-21-535443030-547557486-315576832-4744)

Note the -2613 SID which is the SID History of the delegated user I am trying to remove....
July 23rd, 2009 6:20pm
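The error in this thread ("Cannot remove ACE ... because it is not present") is Exchange failing to find an ACE for the trustee it resolved, while the raw DACL clearly carries one for the SID-history value. Before attempting any removal it helps to parse the SDDL string from msExchMailboxSecurityDescriptor yourself and confirm which trustee SIDs are actually present. The following Python is an added example, not code from the thread, Microsoft or the ADModify tool; it assumes the DACL is available as an SDDL string (copied from an ADSI or ADModify export as above), handles only the DACL portion with plain, non-object, non-conditional ACEs, and uses the descriptor posted in the thread as its constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the DACL posted in this thread, where the -2613 entry
# is the SID-history value that Exchange refused to remove.
SAMPLE_SDDL = (
    "D:AI(D;CI;CC;;;S-1-5-21-1024095143-2884037468-579638536-1112)"
    "(A;CI;CCRC;;;PS)"
    "(A;CI;CC;;;S-1-5-21-373037694-4032081698-3299328069-4226)"
    "(A;CI;CC;;;S-1-5-21-535443030-547557486-315576832-1499)"
    "(A;CI;CC;;;S-1-5-21-535443030-547557486-315576832-2613)"
    "(A;CI;CC;;;S-1-5-21-535443030-547557486-315576832-4732)"
    "(A;CI;CC;;;S-1-5-21-535443030-547557486-315576832-4744)"
)

# SDDL two-letter trustee aliases that appear in mailbox DACLs; PS is the
# "NT AUTHORITY\SELF" entry seen in the ADModify export.
WELL_KNOWN_TRUSTEES = {"PS": "NT AUTHORITY\\SELF (Principal Self)"}


@dataclass
class Ace:
    ace_type: str  # "A" = access allowed, "D" = access denied
    flags: str     # inheritance flags, e.g. "CI" = container inherit
    rights: str    # right codes, e.g. "CC", "RC"
    trustee: str   # SID string or two-letter alias

    def trustee_display(self) -> str:
        return WELL_KNOWN_TRUSTEES.get(self.trustee, self.trustee)


# Each ACE is a parenthesised group; plain ACEs never contain ")" internally.
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> List[Ace]:
    """Split an SDDL DACL ("D:" + control flags + ACEs) into Ace records."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) != 6:  # type;flags;rights;object_guid;inherit_guid;trustee
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inh_obj, trustee = fields
        aces.append(Ace(ace_type, flags, rights, trustee))
    return aces


def trustees_with_access(sddl: str) -> List[str]:
    """Trustees holding an allow ACE, in DACL order."""
    return [a.trustee for a in parse_dacl(sddl) if a.ace_type == "A"]


def has_ace_for(sddl: str, sid: str) -> bool:
    """True if any ACE names this SID; comparison is case-insensitive since
    SIDs are often pasted in lowercase."""
    target = sid.upper()
    return any(a.trustee.upper() == target for a in parse_dacl(sddl))


def without_trustee(sddl: str, sid: str) -> str:
    """Rebuild the DACL with every ACE for the given trustee dropped, keeping
    the "D:" header and control flags (e.g. AI) untouched."""
    header = sddl.split("(", 1)[0]
    kept = [a for a in parse_dacl(sddl) if a.trustee.upper() != sid.upper()]
    return header + "".join(
        f"({a.ace_type};{a.flags};{a.rights};;;{a.trustee})" for a in kept
    )


if __name__ == "__main__":
    history_sid = "S-1-5-21-535443030-547557486-315576832-2613"
    for ace in parse_dacl(SAMPLE_SDDL):
        print(f"{ace.ace_type} {ace.flags:4} {ace.rights:6} {ace.trustee_display()}")
    print("SID-history ACE present:", has_ace_for(SAMPLE_SDDL, history_sid))
    print("DACL after dropping it:", without_trustee(SAMPLE_SDDL, history_sid))
```

The rebuilt string from without_trustee is meant for comparison (diff it against what the admin tool writes back, or against the descriptor after a successful removal), not for a raw ADSI write: Exchange and ADModify also maintain the binary msExchMailboxSecurityDescriptor, and a hand-edited SDDL bypasses that bookkeeping.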

Hi, In my lab, I have John and Jeff migrated to the Exchange 2007 org (Contoso). In the original org (lab), Jeff already has full mailbox access permission to John. After migration, when I export the mailbox permission by using the ADModify tool, it exports the SID of the delegated user:

<Entry Trustee="NT AUTHORITY\SELF" Mask="ACE_MB_FULL_ACCESS|Allowed" />
<Entry Trustee="S-1-5-21-2013028552-1802532860-1558631026-1130" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed" />

On the target Exchange organization (Contoso), if I run the command get-mailboxpermission, I can see that Contoso\Jeff has full access permission to mailbox John:

Identity User AccessRights IsInherited Deny
contoso.com/migra... CONTOSO\jeff {FullAccess, Rea... False False

On the original Exchange Organization (lab), I retrieve the SID of Jeff:

Identity : lab.com/Users/jeff
Sid : S-1-5-21-2013028552-1802532860-1558631026-1130

Then, I am able to remove the mailbox permission by using the SID number instead of the username.
Mike
July 24th, 2009 10:44am

In your case, it looks like the ADModify tool is not able to retrieve the SID from the mailbox permission. I suggest you use the following script to check the permission setting on the mailbox. Please check whether S-1-5-21-535443030-547557486-315576832-2613 has a related permission set on the mailbox:

Exchange Permission and Reverse Permission Powershell Gui version 1 Exchange 2000/3/7
http://gsexdev.blogspot.com/2008/04/exchange-permission-and-reverse.html

In addition, would you please let me know how you migrated to Exchange 2007? According to the following article:

Migrating from Exchange Server 5.5
http://technet.microsoft.com/en-us/library/aa997461.aspx

We cannot upgrade an existing Microsoft Exchange Server version 5.5 organization to Exchange Server 2007. You must first migrate from the Exchange Server 5.5 organization to an Exchange Server 2003 or an Exchange 2000 Server organization. Then you can transition the Exchange 2003 or Exchange 2000 organization to Exchange 2007.
Mike
July 24th, 2009 11:04am

Well, I had a bit of a brainwave: the way that ADModify dumped out the permissions on our setup, i.e. domain\username rather than SID (or SIDHistory), made me wonder if it might be as simple as removing the users via the domain\username in ADModify. Thankfully that worked, so the solution wasn't as complicated as we expected. It is however rather odd that it wouldn't recognise the SID (or SIDHistory) and wouldn't export it through ADModify on our domain but was clearly able to elucidate it when I removed it. Thanks for your help Mike.
July 24th, 2009 12:28pm
