Wednesday, July 1, 2009

Removing Permissions in Exchange 2007 = Adding DENY permissons

Sometimes the most intuitive GUI based actions have strong underlying consequences. In this case, I was at a site that had an IT user whose mailbox suddenly became inaccessible. No other admins could get into it either. I began down the path of assuming this mailbox was corrupted... I disabled the mailbox thus removing it from the users account, and just out of interest, tried reattaching it to a test domain users account... it worked! The user was able to see and use the mailbox, no problem. I reattached it to the original admin... it stopped working.

Long story short, come to find, another domain admin had decided it would be more secure to go in and remove the 'domain admins' full permission to each of the admins at the site. This would only allow each admin to see their own mailbox and not eachothers. The problem with this was that Exchange 2007 implicitly adds a DENY permission whenever you remove an ALLOW permission. In this case, they removed the domain admins allow permission, so exchange 2007 added a DENY permission to the admins mailbox... thus blocking out all admins including himself.

Here is the command I used to discover this erroneous permissions entry:

get-mailboxpermission "username" | where{$_.Deny} | where{!$_.IsInherited}


This retrieves all deny permissions that are not inherited from the parent (mailstore). Low and Behold, Domain admins was listed with deny full access.

You will also notice this behavior if you look at the output of the Exchange GUI when you remove permissions... note there will be two successful commands displayed in the confirmation dialog... one to remove the permission, and one to add the deny permission. Goofy, no?

This command will remove that deny permission:

Remove-MailboxPermission -identity 'CN=User Name,CN=Users,DC=domain,DC=local' -User 'DOMAIN\Domain Admins' -Deny -InheritanceType 'All' -AccessRights 'FullAccess'

2 comments:

  1. Works like a charm! I had an issue with dead SIDs having "FullAccess" set to DENY and I couldn't remove them because Exchange complained that it couldn't find the user in the ACE. I was running "Remove-MailboxPermission..." but without the -Deny switch. Once I used it the SID was successfully removed!

    ReplyDelete
  2. Man, you are a genius. For the last four days this has been a headache. God Bless you!!!!!!

    ReplyDelete