Orphaned SID preventing mailbox delegation to specific user

Richard G 21 Reputation points
2023-01-25T16:08:44.0333333+00:00

A user with a 25+ year old mailbox (we'll call him Aaron) left the company. I've been tasked with granting access to the mailbox to 'Bobby' and a couple of others. The mailbox migrated from on-prem Exchange to Office 365 about 5 years ago. Granting Bobby access via EAC appears to work as I get no errors, but when checking, the user is not listed as a delegate even though the mailbox does show up for them in Outlook. When the Inbox is selected in Outlook, it is blank.

In doing some digging with PowerShell I discover that there are two entries for Bobby with delegate access but with different UserSID entries.

IsOwner         : False
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : ******@mycompany.com
UserSid         : S-1-5-21-25500341-2949582500-3150002221-7181280
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

IsOwner         : False
AccessRights    : {FullAccess, ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SELF
UserSid         : S-1-5-10
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

IsOwner         : False
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : ******@mycompany.com
UserSid         : S-1-5-21-2120108801-775384027-3996421721-2079015
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

IsOwner         : False
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : ******@mycompany.com
UserSid         : S-1-5-21-2120108801-775384027-3996421721-2079037
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

IsOwner         : False
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : ******@mycompany.com
UserSid         : S-1-5-21-2120108801-775384027-3996421721-2079072
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

The bottom 'bobby' UserSid in the list above is the one that is toggled when adding/removing delegate access to the mailbox. You may also notice that the three lower UserSids that have access to this mailbox are very similar, but the one on top of the list is quite different.

I'm speculating that this was orphaned somehow when migrating from the on-premise Exchange to Office 365, but that's just a theory. How do I remove that top delegate?


Accepted answer
  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2023-01-25T16:19:44.5666667+00:00

    You could try resetting the full access perms completely for that mailbox and re-adding the ones you need:

    https://learn.microsoft.com/en-us/powershell/module/exchange/remove-mailboxpermission?view=exchange-ps

    1 person found this answer helpful.
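
The reset-and-re-add approach suggested in the accepted answer, sketched as an added example that is not part of the original thread and not the answerer's own code. It assumes an Exchange Online PowerShell session (ExchangeOnlineManagement module); the admin account, delegate address and backup path are placeholders.

```powershell
# Added example. All names and addresses below are placeholders (assumptions).
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

$Mailbox   = 'Aaron'                      # mailbox identity as shown in the output above
$Delegates = @('bobby@example.com')       # accounts that should end up with FullAccess
$Backup    = '.\Aaron-mailbox-acl.csv'    # record of the ACL before it is changed

# 1. Capture the explicit (non-inherited) entries, keyed by UserSid so that
#    two entries resolving to the same address stay distinguishable.
$explicit = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' }

$explicit |
    Select-Object User, UserSid, Deny, InheritanceType,
        @{ Name = 'AccessRights'; Expression = { $_.AccessRights -join ',' } } |
    Export-Csv -Path $Backup -NoTypeInformation

# 2. List explicit Deny entries. A Deny FullAccess entry takes precedence
#    over an Allow entry for the same account.
$explicit | Where-Object { $_.Deny } |
    Format-Table User, UserSid, AccessRights, Deny -AutoSize

# 3. Reset the mailbox permissions to their defaults. This drops every
#    explicit entry, so each delegate must be granted again afterwards.
#    The cmdlet prompts for confirmation before making the change.
Remove-MailboxPermission -Identity $Mailbox -ResetDefault

# 4. Re-add only the delegates that are still required.
foreach ($delegate in $Delegates) {
    Add-MailboxPermission -Identity $Mailbox -User $delegate `
        -AccessRights FullAccess -InheritanceType All | Out-Null
}

# 5. Verify: each delegate should appear once, with Deny = False.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited } |
    Format-Table User, UserSid, AccessRights, Deny -AutoSize
```

The CSV written in step 1 is the reference for which accounts had access before the reset, so compare it against the step 5 output before closing the change.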
