I want to remove full access along with send as more easily than with EWC, so obviously that's a PowerShell job.
Removing full access – done easily enough with a one-liner:
Remove-MailboxPermission -Identity $MailboxOwner -user $MailboxDelegate -AccessRights FullAccess -InheritanceType All -Confirm
Removing send as access – you (I) would think the same but with a different -AccessRights parameter.
Remove-MailboxPermission -Identity $MailboxOwner -User $MailboxDelegate -AccessRights SendAs
Nope, gives me a bit of info about "Can't remove access control on the Object because the ACE doesn't exist". A little bit of Google tells me that the right one to use is Remove-ADPermission, so I check it out with Get-ADPermission first:
Get-ADPermission -Identity $Username
Returns an error: "The operation could not be performed because $Object could not be found on DC01".
OK, fair enough, I can change it from the SAMAccountName to the CN and the object is found. Not a massive deal, as the CN is also accepted by Remove-MailboxPermission.
So it seems that a combo of both like this should work:
#Get CN of mailbox owner
$MailboxOwner = Read-Host "Please enter the mailbox owner"
#Get CN of person accessing the mailbox
$MailboxDelegate = Read-Host "Please enter the delegated owner"
#Remove Full Mailbox Access
Remove-MailboxPermission -Identity $MailboxOwner -user $MailboxDelegate -AccessRights FullAccess -InheritanceType All -Confirm
#Remove SendAs Access
Remove-ADPermission -Identity $MailboxOwner -User $MailboxDelegate -ExtendedRights "Send As"
So those of you that actively manage Exchange permissions, what way do you handle it? I'd love to see better examples.
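An added example, not part of the original post: one way to wrap the two removals so that each right is revoked only when a non-inherited ACE for it is actually present, and the result is re-checked afterwards. Revoke-MailboxDelegate is a hypothetical function name; it assumes an Exchange Management Shell session and resolves the owner to its DistinguishedName so the same identity works for both the mailbox and AD permission cmdlets.

```powershell
# Added example. Revoke-MailboxDelegate is a hypothetical helper, not an Exchange cmdlet.
function Revoke-MailboxDelegate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$MailboxOwner,
        [Parameter(Mandatory = $true)][string]$MailboxDelegate
    )

    # Resolve the owner once; Get-Mailbox accepts alias, SAMAccountName, SMTP address, CN...
    $mbx = Get-Mailbox -Identity $MailboxOwner -ErrorAction Stop
    $dn  = $mbx.DistinguishedName   # unambiguous identity for the *-ADPermission cmdlets

    # FullAccess is stored on the mailbox security descriptor.
    $full = Get-MailboxPermission -Identity $dn -User $MailboxDelegate |
        Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.IsInherited -and -not $_.Deny }

    # Send As is an extended right on the Active Directory object.
    $sendAs = Get-ADPermission -Identity $dn -User $MailboxDelegate |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited -and -not $_.Deny }

    # Prompting is handled by ShouldProcess, so the inner cmdlets run with -Confirm:$false.
    if ($full -and $PSCmdlet.ShouldProcess($dn, "Remove FullAccess for $MailboxDelegate")) {
        Remove-MailboxPermission -Identity $dn -User $MailboxDelegate `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false
    }
    if ($sendAs -and $PSCmdlet.ShouldProcess($dn, "Remove Send As for $MailboxDelegate")) {
        Remove-ADPermission -Identity $dn -User $MailboxDelegate `
            -ExtendedRights 'Send As' -Confirm:$false
    }

    # Re-read both ACLs so the caller can see what is still granted
    # (inherited entries are included here, since they still give access).
    $fullLeft = Get-MailboxPermission -Identity $dn -User $MailboxDelegate |
        Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.Deny }
    $sendLeft = Get-ADPermission -Identity $dn -User $MailboxDelegate |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.Deny }

    New-Object PSObject -Property @{
        Mailbox             = $dn
        Delegate            = $MailboxDelegate
        FullAccessRemaining = [bool]$fullLeft
        SendAsRemaining     = [bool]$sendLeft
    }
}
```

Running it with -WhatIf lists what would be removed without changing anything; a remaining value of True after a real run usually points to an inherited grant that has to be handled where it is defined.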