Removing FullAccess/SendTo Rights to all Mailboxes for a List of Users

I could not find an Exchange Server 2010 forum.  So yeah, I've got Windows Server 2008 R2 w/ Exch Enterprise Server 2010 SP2 with PowerShell 2.0.

I have users who are in one OU, (DomainName\People\ExEmployees).

I need to search and remove all full access and send to rights on all mailboxes for the ExEmployees accounts. 

This is what I've been trying to get to work:

get-mailbox -OrganizationalUnit "ou=EXemployees,ou=People,dc=domain,dc=net" | format-table alias > EXEmployees.csv
$csv = "C:\Scripts\EXEmployees.csv"
(gc $csv | select -Skip 3) | sc $csv
(gc $csv) | Foreach-Object {$_ -replace "\ ", ""} | sc $csv
(gc $csv) | ? {$_.trim() -ne "" } | sc $csv
$GetContent = gc $csv
$exuser = $GetContent | Foreach-Object{ "domainname\$_" }
$exuser | Foreach {Get-MailboxPermission | ?{($_.AccessRights -eq "FullAccess") -and ($_.User -like $_) -and ($_.IsInherited -eq $false)} | ft Id*

The last line is where it errors.  I can't figure out how to loop through all the users in that OU and get the permissions.  I figured I'd have to get through this for testing before I could use the remove-mailboxpermissions.  However, if there is a better way please let me know.

Any help would be very much appreciated.

Thanks,

George

May 19th, 2015 5:02pm

Hi George,

You seem to be exporting the values out to CSV and then reading them back in. Not a very convenient approach; you should try keeping the values in a $variable instead, which gives you much more control.

Found this in the article below, updated it to meet your requirement.

Please test it on fewer mailboxes first using the $Users variable.

$Users = Get-Mailbox -OrganizationalUnit "ou=EXemployees,ou=People,dc=domain,dc=net"
#$Users = Get-Mailbox TestUser*

foreach ($alias in $Users)
{
    Get-MailboxPermission -Identity $alias | ForEach-Object {Remove-MailboxPermission -identity $_.Identity -user $_.User -AccessRights FullAccess -InheritanceType All -confirm: $false}
    Get-MailboxPermission -Identity $alias | ForEach-Object {Remove-MailboxPermission -identity $_.Identity -user $_.User -AccessRights ReadPermission -InheritanceType All -confirm: $false}

    $Permissions = Get-Mailbox -identity $alias | where {($_.Identity -like "*")} | Get-ADPermission | Where-Object { ($_.ExtendedRights -like "*send-as*") -and $_.User -notlike "*AUTHORITY*" }

    if ($Permissions)
    {
        $Permissions | ForEach-Object{ Remove-ADPermission -identity $_.Identity -user $_.User -ExtendedRights "Send As" -confirm:$false }
    }

    #Skipped these as don't seem to be required
    #$mb = Get-mailbox -Identity $alias
    #$mb.GrantSendOnBehalfTo = "CN=SomeAdminAccount,CN=Users,DC=ourdomain,DC=local"

    #Set-Mailbox -Identity $alias -GrantSendOnBehalfTo $mb.GrantSendOnBehalfTo
}

References:

Remove all user accessrights from mailbox in exchange using powershell

May 20th, 2015 4:35am

Thank you!  Unfortunately this didn't work.  I had to add a '}' to the end of the script, which wasn't a big deal, but the results of running it were interesting....I got a lot of warnings back and some failures.  I took your suggestion and used the TempUser variable, which I know has full access to his own mailbox and to a Shared Mailbox.  He still has Full permissions to the mailboxes after this script was run.

I got a ton of data back so I will paste just the lines that are not repeats.

------------RESULTS-------------

This was repeated 6 times:
Pipeline not executed because a pipeline is already executing. Pipelines cannot be executed concurrently.
    + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [], PSInvalidOperationException
    + FullyQualifiedErrorId : RemotePipelineExecutionFailed

This was repeated 17 times:
WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, ControlType: Allow]  and was ignored on object
 "CN=LASTNAME\, FIRSTNAME,OU=EXemployees,OU=People,DC=DOMAINNAME,DC=net".

This was repeated 16 times:
WARNING: An inherited access control entry has been specified: [Rights: ReadControl, ControlType: Allow]
 and was ignored on object "CN=LASTNAME\,FIRSTNAME,OU=EXemployees,OU=People,DC=DOMAINNAME,DC=net".

This occurred four times, one for the Ex-Network Admin, one for "NT AUTHORITY\NETWORK SERVICE" and twice for DOMAINNAME\Delegated Setup:
WARNING: Can't remove the access control entry on the object "CN=LASTNAME\, FIRSTNAME,OU=EXemployees,OU=People,DC=DOMAINNAME,DC=net" for account "DOMAINNAME\Delegated Setup" because the ACE doesn't exist on the object.

----END RESULTS---

Any further help with this would be greatly appreciated.  I'm trying to create a process that will be included in what we do when an employee is no longer with us. 

Thanks again,

George

May 20th, 2015 9:33am

I forgot to mention...the References link at the end of your post is a broken link when I click on it.

I also started thinking about this script....

The $Users variable equaled this when I ran it:

Name                                Alias                             ServerName                                   ProhibitSendQuota
----                                   -----                              ----------                                       -----------------
LASTNAME, FIRSTNAME      1stInitialLASTNAME        exchange server hostname              unlimited

So when the following line runs:
Get-MailboxPermission -Identity $alias | ForEach-Object {Remove-MailboxPermission -identity $_.Identity -user $_.User -AccessRights FullAccess -InheritanceType All -confirm: $false}

What exactly does the above line do?  Isn't it removing permissions from the $User's mailbox?  I need to search all mailboxes to find which ones the $Users have Full Permissions and Send To permissions to.  Once those mailboxes are discovered then I need the $User's permissions removed from those discovered mailboxes.  I just wanted to make sure I described my need correctly.

Thanks again,

George

May 20th, 2015 9:45am

Hi George,

I have updated the reference link. I expected it to just work; I didn't test it though.

As you are getting errors, let me test this and then get back to you with details on the sections.

May 21st, 2015 4:31am

No big deal on the link...just figured you'd might want to know.  :-)  As for the errors - thank you so much for taking the time to help me.  I sure hope this task ends with success.  Hope to hear from you soon.

George

May 21st, 2015 9:01am

Hi George,

The script is working as expected. You might not have noticed, but in addition to that it has removed the 'NT AUTHORITY\SELF' permission as well on the mailboxes.

Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
contoso.com/User... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False



Please run this below command to restore 'NT AUTHORITY\SELF' as it might cause issues.

Run it against the Get-mailbox command you initially used to run the script:

Get-Mailbox TempUser | Add-MailboxPermission  -user "NT AUTHORITY\SELF" -AccessRights FullAccess, ReadPermission -InheritanceType All

Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
contoso.com/User... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False




Now back to your point: let's find out what your requirement is.

Start with a single user:

Get-MailboxPermission -Identity User1

[PS] C:\Scripts>Get-MailboxPermission User1

Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
contoso.com/User... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
contoso.com/User... contoso\Administ... {FullAccess}                                                True        True
contoso.com/User... contoso\Domain A... {FullAccess}                                                True        True
contoso.com/User... contoso\Enterpri... {FullAccess}                                                True        True
contoso.com/User... contoso\Organiza... {FullAccess}                                                True        True
contoso.com/User... NT AUTHORITY\SYSTEM  {FullAccess}                                                True        False


As you can see there are lots of access permissions on the mailbox 'User1'. Now if you focus on the 'IsInherited' attribute, True indicates it's coming from the top Domain or OU level and False indicates this permission has been assigned at this level.


Remove-MailboxPermission normally removes only the access rights of users with IsInherited:$false. Hence when you were running the script it was generating the WARNINGS informing you that "An inherited AccessRight has been found and was ignored on 'User1'."

One more thing: you can remove just 'FullAccess' and keep 'ReadPermission' (this is what the script does, only FullAccess), or remove everything non-inherited.


Lets test this:

[PS] C:\Scripts>Remove-MailboxPermission User1 -User "Domain Admins" -AccessRights FullAccess,ReadPermission -Confirm:$false
WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl,WriteOwner, ControlType: Allow]  and was ignored on object "CN=User1,CN=Users,DC=contoso,DC=com".

So now the question is: do you really want to remove Domain-level inherited rights from the object? Not a very good idea in normal operations, as it might give rise to other management issues on the object.


Run these tests on your TempUser and SharedMBX and post the results minus the inheritance warnings:

Get-mailbox SharedMBX | Add-MailboxPermission  -user "TempUser" -AccessRights FullAccess, ReadPermission -InheritanceType All

Get-MailboxPermission SharedMBX

Remove-MailboxPermission SharedMBX -User TempUser

What we are testing is: add permission to access SharedMBX, list SharedMBX permissions, then remove access to SharedMBX.

Once you get this to work as per your requirements, you can script it.


Back to your question what below line does:

Get-MailboxPermission -Identity $alias | ForEach-Object {Remove-MailboxPermission -identity $_.Identity -user $_.User -AccessRights FullAccess -InheritanceType All -confirm: $false}

I have expanded the code to help you understand it, removing the clutter and changing some parts.

$AccessRights = Get-MailboxPermission -Identity $alias

ForEach ($objfound in $AccessRights)
{
    Remove-MailboxPermission -identity $alias -user $objfound.User -AccessRights FullAccess
}

1. First, you are getting all the users with access rights information for the $alias (the TempUser object) and storing it in $AccessRights, or piping the data directly in the one-liner.

2. Then you are looping through each user ($objfound = $_ = one user at a time) having rights on the mailbox.

3. Inside the loop, you are removing the access.
May 21st, 2015 12:18pm
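The thread never gets to a script that does what George actually asked for in his clarification: the posted script strips permissions *from* the ex-employees' own mailboxes (which is why NT AUTHORITY\SELF disappeared), whereas he needs the ex-employees' grants removed from every *other* mailbox. The following is an added example, not code from the thread or from either poster. It walks every mailbox, finds only the explicit (non-inherited) FullAccess, Send As and Send on Behalf grants held by accounts in the ExEmployees OU, and removes just those, which also means SELF and the inherited domain-level ACEs discussed above are never touched. It assumes the Exchange 2010 Management Shell, the OU DN and NetBIOS domain name quoted in the thread (both assumptions to adjust), and a hypothetical -WhatIf switch for dry runs.

```powershell
# Added example (not from the thread). PowerShell 2.0 compatible: no -in operator,
# hash tables used as case-insensitive sets. Run from the Exchange 2010 Management Shell.
function Remove-ExEmployeeDelegations {
    param(
        [string]$ExEmployeeOU = "ou=EXemployees,ou=People,dc=domain,dc=net",  # assumed, from the thread
        [string]$NetBiosDomain = "DOMAINNAME",                                # assumed, from the thread
        [switch]$WhatIf    # dry run: report what would be removed, change nothing
    )

    # Lookup of the ex-employee principals. Get-MailboxPermission and Get-ADPermission
    # report the grantee as "DOMAIN\sAMAccountName"; GrantSendOnBehalfTo stores
    # ADObjectId values, so keep the distinguished name as well.
    $accountNames = @{}
    $distinguishedNames = @{}
    Get-User -OrganizationalUnit $ExEmployeeOU -ResultSize Unlimited | ForEach-Object {
        $accountNames["$NetBiosDomain\$($_.SamAccountName)"] = $true
        $distinguishedNames[$_.DistinguishedName] = $true
    }
    if ($accountNames.Count -eq 0) {
        Write-Warning "No accounts found under $ExEmployeeOU; nothing to do."
        return
    }

    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {

        # FullAccess is a mailbox right. Only explicit Allow ACEs are candidates;
        # inherited ones come from the domain/OU and would only produce the
        # "inherited access control entry ... was ignored" warning seen in the thread.
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                -not $_.IsInherited -and -not $_.Deny -and
                $accountNames.ContainsKey($_.User.ToString()) -and
                ($_.AccessRights -contains "FullAccess")
            } |
            ForEach-Object {
                Write-Host ("FullAccess   {0,-30} on {1}" -f $_.User, $mbx.Alias)
                Remove-MailboxPermission -Identity $mbx.Identity -User $_.User `
                    -AccessRights FullAccess -InheritanceType All -Confirm:$false -WhatIf:$WhatIf
            }

        # Send As is an AD extended right on the recipient object, not a mailbox right.
        $mbx | Get-ADPermission |
            Where-Object {
                -not $_.IsInherited -and -not $_.Deny -and
                $accountNames.ContainsKey($_.User.ToString()) -and
                ($_.ExtendedRights -like "*Send-As*")
            } |
            ForEach-Object {
                Write-Host ("Send As      {0,-30} on {1}" -f $_.User, $mbx.Alias)
                Remove-ADPermission -Identity $_.Identity -User $_.User `
                    -ExtendedRights "Send-As" -Confirm:$false -WhatIf:$WhatIf
            }

        # Send on Behalf is a multi-valued attribute of the target mailbox. Rewrite it
        # with the ex-employees filtered out, leaving every other delegate intact.
        $current = @($mbx.GrantSendOnBehalfTo)
        $keep = @($current | Where-Object { -not $distinguishedNames.ContainsKey($_.DistinguishedName) })
        if ($keep.Count -lt $current.Count) {
            Write-Host ("SendOnBehalf {0} delegate(s) removed on {1}" -f ($current.Count - $keep.Count), $mbx.Alias)
            $newValue = $null                          # $null clears the attribute entirely
            if ($keep.Count -gt 0) { $newValue = @($keep | ForEach-Object { $_.DistinguishedName }) }
            Set-Mailbox -Identity $mbx.Identity -GrantSendOnBehalfTo $newValue -WhatIf:$WhatIf
        }
    }
}

# Dry run first; inspect the report, then run again without -WhatIf.
Remove-ExEmployeeDelegations -WhatIf
# Remove-ExEmployeeDelegations
```

The three filters deliberately match on the grantee, not on the mailbox, so nothing is removed from the ex-employees' own mailboxes and inherited entries are skipped before any cmdlet is called rather than being left to produce warnings. After the real run, `Get-MailboxPermission SharedMBX | Where-Object { -not $_.IsInherited }` on a mailbox the TempUser had access to is the quickest check that only his entry is gone and NT AUTHORITY\SELF is still present.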

Hi George,

Any updates? Let us know if it worked or if you need any additional help on this.

June 9th, 2015 4:12am

Any Updates!
June 22nd, 2015 11:18pm