Removeinherited mailbox permission

Question

Removeinherited mailbox permission

Austin Sundar 436

It has been noticed a couple of service account permissions are inherited to many accounts. Could you help to let me know how to remove the below accounts

I ran this command and found that the service account permissions are added to DB, exchange server .
Get-MailboxDatabase | Get-ADPermission -user “ServiceAccountName”

Get-ExchangeServer | Get-ADPermission -user “ServiceAccountName”

Accepted answer

1 additional answer

Your answer

Answer 1

Eric Yin-MSFT 4,396

So it worked in the third command and failed the second and first command?

Get-MailboxDatabase | Get-ADPermission -User Domain\UserName | Remove-ADPermission -AccessRights GenericAll -InheritanceType All -Confirm:$false

Get-ExchangeServer | Get-ADPermission -User Domain\UserName | Remove-ADPermission -AccessRights GenericAll -InheritanceType All -Confirm:$false

Get-OrganizationConfig | Get-ADPermission -User Domain\UserName | Remove-ADPermission -AccessRights GenericAll -InheritanceType All -Confirm:$false

Open adsi.edit and negative to Configuration [dc.yourdomain.local], CN=Configuration,DC=yourdomain,DC=local, CN=Services, CN=Microsoft Exchange, CN=First Organization, CN=Administrative Groups, CN=Exchange Administrative Group(FYDIBOHF23SPDLT), check the database and server 's property-security, is the user listed there?

Austin Sundar 436 Reputation points

2021-01-28T16:36:17.447+00:00

@Eric Yin-MSFT as you mentioned the permissions are applied on the top-level DB/Servers

we need to remove using ADSI edit. Thanks
Eric Yin-MSFT 4,396 Reputation points

2021-01-29T01:58:03.517+00:00

Is it resolved? Please accept it as answer if it is helpful. Thanks.

Answer 2

Ashok M 6,846

Hi @Austin Sundar ,

You can use the below commands,

Get-MailboxDatabase <NameoftheDatabase> | Remove-ADPermission -User <Username> -AccessRights GenericAll –InheritanceType All
Get-ExchangeServer <NameoftheExchangeServer> | Remove-ADPermission -User <Username> -AccessRights GenericAll –InheritanceType All

https://learn.microsoft.com/en-us/powershell/module/exchange/remove-adpermission?view=exchange-ps#parameters

Since these permissions are Inherited, it is also important to check if the ServiceAccount is part of any Administrative groups like Domain/Schema/Enterprise Admins or Exchange Administrative roles like Organization management, Recipient management, etc and if yes, its better to remove the roles, wait for the AD replication and check the permissions again.

https://learn.microsoft.com/en-us/exchange/permissions/permissions?view=exchserver-2019#role-groups-and-role-assignment-policies

If the above suggestion helps, please click on "Accept Answer" and upvote it

Ashok M 6,846 Reputation points

2021-01-13T11:58:28.563+00:00

Hi @Austin Sundar ,

Any updates on this? If the above suggestion helps, please click on "Accept Answer" and upvote it. Thanks for understanding.
Austin Sundar 436 Reputation points

2021-01-15T09:05:51.307+00:00

i receive the below error when I run these commands
Get-ExchangeServer | Remove-ADPermission -user “user” -AccessRights GenericAll -InheritanceType All -Confirm:$false
Get-MailboxDatabase | Remove-ADPermission -User “User” -AccessRights GenericAll -InheritanceType All -Confirm:$false
Eric Yin-MSFT 4,396 Reputation points

2021-01-15T09:21:26.783+00:00

How about running Get-OrganizationConfig | Get-ADPermission...?
And if any of the permission is Deny $true, you need to add "-deny" in the command.
Austin Sundar 436 Reputation points

2021-01-15T12:29:29.3+00:00

the above cmtlet is not showing any result, because I already ran the below command

Get-OrganizationConfig | Remove-ADPermission -User "" -AccessRights GenericAll -InheritanceType All -Confirm:$false

i also ran the commands below. Deny is false for all the dbs/exchange server
Ashok M 6,846 Reputation points

2021-01-18T10:37:32.233+00:00

Hi @Austin Sundar ,

Please check if the ServiceAccount is part of any Administrative groups like Domain/Schema/Enterprise Admins or Exchange Administrative roles like Organization management, Recipient management, etc and if yes, its better to remove the roles, wait for the AD replication and check the permissions again.

Share via

Removeinherited mailbox permission

1 additional answer

Your answer