Using 2 lists in a Loop to remove Orphaned SIDs from Mailboxes

So it’s now 2021, I want to clean up some stuff that my counterparts have never really gotten around to for the last few years.

Pulled a list of all the Shared Mailboxes with an Orphaned SID inside.

I can’t really think of a good way to create anything. Below is a small example of my thoughts, but it’s going to potentially run for hours. Instead of just listing out manually, I’d import the $ID and $User fields via CSV/TXT but I haven’t really tried to do it with 2.

I have multiple variables to work with. Roughly 326 affected mailboxes, 1100 SIDs, and however many combinations of AccessRights (FullAccess, DeleteItem, SendAs, etc.). You can see how long this would take. Is there a cleaner/better way to do it? This just seems super messy and very time consuming.

$ID = "SMBox1", "SMBox2", "SMBox3"
$Users = "S-1-5-21-168066109-405644716-19828461076-6",
"S-1-5-21-168066109-405644716-24678092823-7",
"S-1-5-21-168066109-405644716-262263459876-2"

# -Identity accepts a single mailbox, so walk the mailbox list one at a time
ForEach ($Mailbox in $ID){
    Get-MailboxPermission -Identity $Mailbox | Select-Object User, AccessRights
    ForEach ($User in $Users){Remove-MailboxPermission -Identity $Mailbox -USER $User -ACCESSRIGHTS FULLACCESS -Confirm:$false}
    ForEach ($User in $Users){Remove-MailboxPermission -Identity $Mailbox -USER $User -ACCESSRIGHTS DeleteItem -Confirm:$false}
    ForEach ($User in $Users){Remove-MailboxPermission -Identity $Mailbox -USER $User -ACCESSRIGHTS SendAs -Confirm:$false}
} #foreach Mailbox in ID

I’m not an Exchange administrator, but just looking at your PowerShell code, you could put this in one foreach loop instead of 3, and according to the documentation on the Remove-MailboxPermission cmdlet, the -AccessRights parameter will take an array of mailbox permissions, so you should be able to do all 3 access rights in the same command. Here’s my take:

$ID = "SMBox1", "SMBox2", "SMBox3"
$Users = "S-1-5-21-168066109-405644716-19828461076-6",
"S-1-5-21-168066109-405644716-24678092823-7",
"S-1-5-21-168066109-405644716-262263459876-2"

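# -Identity accepts a single mailbox, so walk the mailbox list one at a time
ForEach ($Mailbox in $ID){
    Get-MailboxPermission -Identity $Mailbox | Select-Object User, AccessRights

    ForEach ($User in $Users){
        Remove-MailboxPermission -Identity $Mailbox -USER $User -ACCESSRIGHTS FULLACCESS, DeleteItem, SendAs -Confirm:$false
    } #foreach User in Users
} #foreach Mailbox in ID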

Thanks, Mike. While that does help, it will still be way too lengthy of a chore.

It’ll still need to run a million loops to complete the job. Mailbox1 x 1100 SIDs, Mailbox2 x 1100 SIDs, etc.

I also have the values exported to a CSV and I’m wondering if I can tell it to parse through that, line by line, to speed it up so it doesn’t run against the additional 1090 that aren’t needed. Some SIDs are on 1 mailbox, some are on 20, just depends. There would be tons of extra time wasted. Downside is it’s also using Exchange Online PS so my login token would expire well before this even got 1% done.

Exported CSV looks like the below:

Mailbox SID AccessRights
SMBox1 S-1-5-21-2081497765-1548102756-51780 FullAccess
SMBox1 S-1-5-21-168066109-405644716-6914220 FullAccess
SMBox2 S-1-5-21-2081497765-1548102756-13268 FullAccess, DeleteItem
SMBox3 S-1-5-21-2081497765-1548102756-24059 FullAccess, DeleteItem
SMBox3 S-1-5-21-168066109-405644716-6913878 FullAccess
SMBox3 S-1-5-21-168066109-405644716-6913024 FullAccess

Bump.

Any takers? Any ideas or input?
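
Added example, not code from any poster in this thread: one way to drive the removal from the exported file, so each (mailbox, SID) row gets exactly one call instead of every mailbox being tried against every SID. It assumes a comma-delimited export with the header Mailbox,SID,AccessRights; the helper name, file names and sample rows are constructed, and routing SendAs to Remove-RecipientPermission is an assumption about how that right is stored.

```powershell
# Constructed sample in the export's column layout. For the real file use:
#   $rows = Import-Csv .\orphaned-sids.csv    # hypothetical file name
$rows = @'
Mailbox,SID,AccessRights
SMBox1,S-1-5-21-2081497765-1548102756-51780,FullAccess
SMBox2,S-1-5-21-2081497765-1548102756-13268,"FullAccess, DeleteItem"
SMBox3,S-1-5-21-168066109-405644716-6913878,"FullAccess, SendAs"
SMBox3,someone@example.com,FullAccess
'@ | ConvertFrom-Csv

function Remove-OrphanedSidPermission {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Row)
    process {
        $result = [pscustomobject]@{ Mailbox = $Row.Mailbox; SID = $Row.SID
                                     Rights = $Row.AccessRights; Result = 'Skipped: not a SID' }
        # Only touch unresolved domain SIDs, never a live account that slipped into the file.
        if ($Row.SID -notmatch '^S-1-5-21(-\d+)+$') { return $result }

        $rights    = @($Row.AccessRights -split '\s*,\s*' | Where-Object { $_ })
        $mbxRights = @($rights | Where-Object { $_ -ne 'SendAs' })
        $target    = "$($Row.Mailbox) / $($Row.SID)"
        try {
            if ($mbxRights -and $PSCmdlet.ShouldProcess($target, "Remove $($mbxRights -join ', ')")) {
                Remove-MailboxPermission -Identity $Row.Mailbox -User $Row.SID `
                    -AccessRights $mbxRights -Confirm:$false -ErrorAction Stop
            }
            # Assumption: SendAs is a recipient permission, removed with Remove-RecipientPermission.
            if ($rights -contains 'SendAs' -and $PSCmdlet.ShouldProcess($target, 'Remove SendAs')) {
                Remove-RecipientPermission -Identity $Row.Mailbox -Trustee $Row.SID `
                    -AccessRights SendAs -Confirm:$false -ErrorAction Stop
            }
            $result.Result = if ($WhatIfPreference) { 'WhatIf' } else { 'Removed' }
        } catch {
            # One bad row (or an expired session) is recorded instead of stopping the run.
            $result.Result = "Failed: $($_.Exception.Message)"
        }
        $result
    }
}

# Dry run: prints what would be removed and calls no Exchange cmdlet.
$log = $rows | Remove-OrphanedSidPermission -WhatIf
$log | Format-Table -AutoSize
# Real run (after Connect-ExchangeOnline); keep the log as the change record:
#   $rows | Remove-OrphanedSidPermission | Export-Csv .\removed-permissions.csv -NoTypeInformation
```

If the session expires partway through, the rows marked Failed in the log can be fed back in after reconnecting.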