Bulk Remove Delegates in User Mailbox

Hi all,

I have been working on a task that goes into all the mailboxes in an OU i.e. Disabled Users to see if there are any delegates granted to the mailbox and if so remove them.

I found a script on someone's blog to do it, but I'm looking for a bulk task.

$GetListOfDisabledUsers = (Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "Disabled Accounts")
$Delegates = $GetListOfDisabledUsers | Get-MailboxFolderPermission | Select FolderName, User | Export-Csv "C:\Temp\Export.csv" -NoTypeInformation
$Users = import-csv "c:\temp\export.csv"

ForEach($Mailbox in (Get-MailboxFolderStatistics $GetListOfDisabledUsers | Where { $_.FolderPath.Contains("/Inbox") -eq $True -and $_.User -ne "Default" -and $_.User -ne "Anonymous"} ))
{
$Mailboxname = "$($GetListOfDisabledUsers):" + $Mailbox.FolderPath.Replace("/","");
Remove-MailboxFolderPermission $MailboxName -User $User -confirm:$false
}

I have tried it and received the following message.

Cannot process argument transformation on parameter 'Identity'. Cannot convert the "System.Collections.ArrayList" value of type "System.Collections.ArrayList" to type
"Microsoft.Exchange.Configuration.Tasks.GeneralMailboxOrMailUserIdParameter".
+ CategoryInfo : InvalidData: (:) [Get-MailboxFolderStatistics], ParameterBindin…mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-MailboxFolderStatistics
+ PSComputerName : ex01.domain.local

Thanks for your help in advance.

Hi

I had a little bit different approach but if you do not need export csv files this will do, but export can be added to following. I haven’t tried the remove command but it should work.

It goes through all users mailbox folders and searches other users than Default and Anonymous, if there’s a hit, it deletes it.

$allUsers = (Get-Mailbox -ResultSize Unlimited -OrganizationalUnit 'Disabled Accounts')

ForEach ($user in $allUsers) {

$allFolders = (Get-MailboxFolderStatistics -Identity $user).Name

    ForEach ($Folder in $allFolders) {

        $mailFolder = $user+':\'+$Folder

        $GrantedUsers =  (Get-MailboxFolderPermission -Identity $mailFolder).User.DisplayName

        # Uncomment the following if you want to see the folder structure running on screen
        #$mailFolder

            ForEach ($gUser in $GrantedUsers) {

                if (-not (($gUser -eq 'Default') -or ($gUser -eq 'Anonymous'))) {

                    Remove-MailboxFolderPermission -Identity $mailFolder -User $gUser

                } # if (-not (($gUser -eq 'Default') -or ($gUser -eq 'Anonymous')))

            } # ForEach ($gUser in $GrantedUsers)

    } # ForEach ($Folder in $allFolders)

} # ForEach ($user in $allUsers)

Heippa Jarkko,

Your if is ugly. Please fix it.

As we chatted, I found a few alternative ways to do it as you wanted to do it in the first place.

$guser = 'aapeli'
$matchToUsers = @('default','anonymous','Jarkko')

if (-not ($guser -in $matchToUsers)) {$guser}
if (-not ($matchToUsers -match $gUser)) {$guser}

Hi

Haha, yes I have fixed it now.

$allUsers = (Get-Mailbox -ResultSize Unlimited -OrganizationalUnit 'Disabled Accounts')

$matchToUsers = @('Default', 'Anonymous')

ForEach ($user in $allUsers) {

$allFolders = (Get-MailboxFolderStatistics -Identity $user).Name

    ForEach ($Folder in $allFolders) {

        $mailFolder = $user+':\'+$Folder

        $GrantedUsers =  (Get-MailboxFolderPermission -Identity $mailFolder).User.DisplayName

        # Uncomment the following if you want to see the folder structure running on screen
        #$mailFolder

            ForEach ($gUser in $GrantedUsers) {

                if (-not ($gUser -in $matchToUsers)) {

                    Remove-MailboxFolderPermission -Identity $mailFolder -User $gUser
                    
                } # if (-not ($gUser -in $matchToUsers))

            } # ForEach ($gUser in $GrantedUsers)

    } # ForEach ($Folder in $allFolders)

} # ForEach ($user in $allUsers)

Thanks all.

You guys are awesome. I was thinking it is easy to do and realized it's harder than first thought. But you guys make it so easy to do.

Thanks again for your help. Will definitely post the outcome.

Hi Jarkko and Aapeli,

I tried running the script and received the following error. I tried a couple of combinations but they still give me the same outcome.

Method invocation failed because [Microsoft.Exchange.Data.Directory.Management.Mailbox] doesn't contain a method named 'op_Addition'.
At line:6 char:30
+     $mailFolder = $user + <<<<  ':\' + $Folder
    + CategoryInfo : InvalidOperation: (op_Addition:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Get-MailboxFolderPermission : The specified mailbox "$user" doesn't exist.
At line:7 char:54
+     $GrantedUsers =  (Get-MailboxFolderPermission <<<<  -Identity $mailFolder).User.DisplayName
    + CategoryInfo : NotSpecified: (0:Int32) [Get-MailboxFolderPermission], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 67AE9BD0,Microsoft.Exchange.Management.StoreTasks.GetMailboxFolderPermission

Hi,
Did you fix that organizational unit? I think it should be like ‘contoso.com/users/disabled users’

Hi Mikey Mike

This is an on-premise Exchange query, but if needed, this can be modified to an online/AD query quite easily. For example, if you have an AD OU that you move your to-be-deleted AD accounts to, change the first row to $allUsers = (Get-ADUser -Filter * | where {$_.DistinguishedName -eq 'ADOUDisabledAccounts'})

Hi Aapeli and Jarkko,

I have tried that initially before replying and it made no difference. The one thing that I noticed when I run each line by itself is that the

$GrantedUsers = (Get-MailboxFolderPermission -Identity $mailFolder).User.DisplayName

Does not return any result if I replace $mailfolder with an individual user i.e.

$GrantedUsers = (Get-MailboxFolderPermission -Identity TestUser1).User.DisplayName
$GrantedUsers

Strange.

Hi Michael

Kind of odd, I tried this on Exchange Online and on-premise and both give the same result, Default and Anonymous. Although this if (-not ($gUser -in $matchToUsers)) excludes those two users.

And you use correct mail address there?

I did some tweaking with one of the guys here and this is what I got.

$Users = (get-mailbox -ResultSize unlimited -OrganizationalUnit "Disabled Accounts")
Foreach ($User in $Users)
{
$folders = Get-MailboxFolderStatistics $User | % {$_.folderpath} | % {$_.replace("/","\")}
$folderPermissions = $folders | %{ Get-MailboxFolderPermission "$($User):$_"}
}

$allFolders = (Get-MailboxFolderStatistics -Identity $user)
ForEach ($Folder in $allFolders)
{
$mailFolder = "$($User):$($Folder)"
$GrantedUsers = (Get-MailboxFolderPermission -Identity $mailFolder)
ForEach ($gUser in $GrantedUsers)
{
$Username = $gUser.User.DisplayName

     If (-not (($Username -eq "Default") -or ($UserName -eq "Anonymous")) )
     {
        Remove-MailboxFolderPermission -Identity $mailFolder -User $UserName -confirm:$false
      }
  }

}

From what I can see it’s no difference to your script Jarkko so I’m scratching my head on this.

Hi

I looked up those errors, but I also found out that on the first line there was no .userPrincipalName or .mail that gives us the mail address. I don't know where that has disappeared to, I'm quite sure that it was there. The mail address is the only thing that we need from the users. Or instead of using get-mailbox we could use the get-aduser command to get those users.

$allUsers = (Get-Mailbox -ResultSize Unlimited -OrganizationalUnit 'Disabled Accounts').userPrincipalName
#or with Get-AdUser
#$allUsers = (Get-AdUser -SearchBase 'Disabled Accounts').userPrincipalName

$matchToUsers = @('Default', 'Anonymous')

ForEach ($user in $allUsers) {

$allFolders = (Get-MailboxFolderStatistics -Identity $user).Name

    ForEach ($Folder in $allFolders) {

        $mailFolder = $user+':\'+$Folder

        $GrantedUsers =  (Get-MailboxFolderPermission -Identity $mailFolder).User.DisplayName

        # Uncomment the following if you want to see the folder structure running on screen
        #$mailFolder

            ForEach ($gUser in $GrantedUsers) {

                if (-not ($gUser -in $matchToUsers)) {

                    Remove-MailboxFolderPermission -Identity $mailFolder -User $gUser
                    
                } # if (-not ($gUser -in $matchToUsers))

            } # ForEach ($gUser in $GrantedUsers)

    } # ForEach ($Folder in $allFolders)

} # ForEach ($user in $allUsers)
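
An audit-first variant of the cleanup above, added here as an example and not code from any poster in this thread: it builds each folder identity from FolderPath so nested folders resolve, defaults to -WhatIf, and writes every delegate entry it finds to a CSV as a record of what was (or would be) removed. The names $ReportPath, $Apply and $keep and the report location are assumptions.

```powershell
# Added example: report-then-remove folder delegates on disabled mailboxes.
# Assumptions: the OU name comes from the thread; $ReportPath/$Apply are hypothetical.
$ReportPath = 'C:\Temp\DelegateCleanup.csv'   # hypothetical report location
$Apply      = $false                          # $false = dry run (-WhatIf), $true = remove
$keep       = @('Default', 'Anonymous')       # built-in entries that must stay

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -OrganizationalUnit 'Disabled Accounts') {

    # Use a string identity; concatenating the Mailbox object itself is what
    # raised the op_Addition error earlier in the thread.
    $upn = $mbx.UserPrincipalName

    foreach ($folder in Get-MailboxFolderStatistics -Identity $upn) {

        # FolderPath is "/Inbox/Sub"; the permission cmdlets expect "user:\Inbox\Sub".
        $id = "${upn}:" + $folder.FolderPath.Replace('/', '\')
        # The mailbox root is addressed as "user:\" rather than by its path.
        if ($folder.FolderType -eq 'Root') { $id = "${upn}:\" }

        # System folders that do not expose permissions are skipped quietly.
        $perms = Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue

        foreach ($perm in $perms) {
            $name = $perm.User.DisplayName
            if (-not $name -or $keep -contains $name) { continue }

            # With $Apply = $false this only prints what would be removed.
            Remove-MailboxFolderPermission -Identity $id -User $name `
                -Confirm:$false -WhatIf:(-not $Apply)

            # One row per delegate entry, kept as the audit trail.
            New-Object PSObject -Property @{
                Mailbox  = $upn
                Folder   = $id
                Delegate = $name
                Rights   = ($perm.AccessRights -join ';')
                Applied  = $Apply
            }
        }
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Review the CSV from a dry run first, then set $Apply to $true and run it again to perform the removal.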

Thanks Jarkko. It is working now.