Hi George,
The script is working as expected. You might not have noticed, but in addition to that it has removed the 'NT AUTHORITY\SELF' permission as well on the mailboxes.
Identity             User                 AccessRights                   IsInherited  Deny
--------             ----                 ------------                   -----------  ----
contoso.com/User...  NT AUTHORITY\SELF    {FullAccess, ReadPermission}   False        False
Please run the command below to restore 'NT AUTHORITY\SELF', as its absence might cause issues.
Run it against the Get-Mailbox command you initially used to run the script:
Get-Mailbox TempUser | Add-MailboxPermission -user "NT AUTHORITY\SELF" -AccessRights FullAccess, ReadPermission -InheritanceType All
Identity             User                 AccessRights                   IsInherited  Deny
--------             ----                 ------------                   -----------  ----
contoso.com/User...  NT AUTHORITY\SELF    {FullAccess, ReadPermission}   False        False
Now back to your point; let's find out what your requirement is.
Start with a single user:
Get-MailboxPermission -Identity User1
[PS] C:\Scripts>Get-MailboxPermission User1
Identity             User                  AccessRights                   IsInherited  Deny
--------             ----                  ------------                   -----------  ----
contoso.com/User...  NT AUTHORITY\SELF     {FullAccess, ReadPermission}   False        False
contoso.com/User...  contoso\Administ...   {FullAccess}                   True         True
contoso.com/User...  contoso\Domain A...   {FullAccess}                   True         True
contoso.com/User...  contoso\Enterpri...   {FullAccess}                   True         True
contoso.com/User...  contoso\Organiza...   {FullAccess}                   True         True
contoso.com/User...  NT AUTHORITY\SYSTEM   {FullAccess}                   True         False
As you can see there are lots of access permissions on the mailbox 'User1'. Now if you focus on the 'IsInherited' attribute, $True indicates it's coming from the top domain or OU level and $False indicates this permission has been assigned at this level.
Remove-MailboxPermission normally will remove only the access rights of users with IsInherited:$False. Hence when you were running the script it was generating the WARNINGS informing that "An inherited AccessRight has been found and was ignored on the 'User1'."
One more thing: you can remove just 'FullAccess' and keep 'ReadPermission' (this is what the script does, only FullAccess) or remove everything non-inherited.
Let's test this:
[PS] C:\Scripts>Remove-MailboxPermission User1 -User "Domain Admins" -AccessRights FullAccess,ReadPermission -Confirm:$false
WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl,WriteOwner, ControlType: Allow] and was ignored on object "CN=User1,CN=Users,DC=contoso,DC=com".
So now the question is: do you really want to remove domain-level inherited rights from the object? Not a very good idea in normal operations, as it might give rise to other management issues on the object.
Run these tests on your TempUser and SharedMBX and post the results minus the inheritance warnings:
Get-Mailbox SharedMBX | Add-MailboxPermission -User "TempUser" -AccessRights FullAccess, ReadPermission -InheritanceType All
Get-MailboxPermission SharedMBX
Remove-MailboxPermission SharedMBX -User TempUser
What we are testing is: add permission to access SharedMBX, list SharedMBX permissions, then remove access to SharedMBX.
Once you get this to work as per your requirements, you can script it.
Back to your question about what the line below does:
Get-MailboxPermission -Identity $alias |
ForEach-Object { Remove-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights FullAccess -InheritanceType All -Confirm:$false }
I have expanded the code to help you understand, removing the clutter and changing some things.
# Collect every permission entry on the mailbox
$AccessRights = Get-MailboxPermission -Identity $alias
ForEach ($objfound in $AccessRights)
{
    # Remove FullAccess for the user of the current entry
    Remove-MailboxPermission -Identity $alias -User $objfound.User -AccessRights FullAccess
}
1. Firstly, you are getting all the users with access rights information for the $alias (TempUser object) and storing it in $AccessRights, or piping the data directly in the one-liner.
2. Then looping through each user ($objfound = $_ = one user at a time) having rights on the mailbox.
3. Inside the loop, removing the access.
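Since the loop above removes FullAccess from every entry it finds (which is how 'NT AUTHORITY\SELF' got stripped), here is an added example, not from the original post, of a version that removes only explicitly assigned FullAccess entries and skips inherited ACEs, Deny entries and a protected list of trustees; it supports -WhatIf for a dry run first. The function name, the $Protect parameter and the audit object are assumptions of this example; the cmdlets and parameters are the standard Exchange ones used in the post.

```powershell
# Added example (not from the original post). Assumes an Exchange Management
# Shell or Exchange Online session is already loaded.
# Function name and the -Protect parameter are hypothetical.
function Remove-ExplicitFullAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity,

        # Trustees that must never be touched. SELF is the mailbox owner's own
        # access; removing it is what broke the mailboxes in the post above.
        [string[]]$Protect = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM')
    )

    $entries = Get-MailboxPermission -Identity $Identity | Where-Object {
        # Skip domain/OU-level ACEs: Remove-MailboxPermission would only warn
        # about them anyway, and stripping them causes management problems.
        (-not $_.IsInherited) -and
        # Leave explicit Deny entries alone; they are a control, not a grant.
        (-not $_.Deny) -and
        # Only entries that actually carry FullAccess are candidates.
        ($_.AccessRights -contains 'FullAccess') -and
        # Never remove the protected trustees.
        ($Protect -notcontains $_.User.ToString())
    }

    foreach ($ace in $entries) {
        $who = $ace.User.ToString()
        if ($PSCmdlet.ShouldProcess($Identity, "Remove FullAccess for $who")) {
            # Only FullAccess is removed; any ReadPermission on the same
            # entry stays, matching what the original script intended.
            Remove-MailboxPermission -Identity $Identity -User $who `
                -AccessRights FullAccess -InheritanceType All -Confirm:$false

            # Emit a record of each change so the run can be logged/audited.
            [pscustomobject]@{
                Mailbox = $Identity
                User    = $who
                Removed = 'FullAccess'
            }
        }
    }
}

# Dry run: lists what would be removed without changing anything.
Remove-ExplicitFullAccess -Identity SharedMBX -WhatIf
# Apply for real once the dry run shows only the entries you expect:
# Remove-ExplicitFullAccess -Identity SharedMBX
```

Run Get-MailboxPermission on the mailbox afterwards and confirm the 'NT AUTHORITY\SELF' entry with IsInherited False is still present.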