In a previous post, I outlined a process to find and remove Ghost Delegates from Exchange. (To recap: you turn a delegate into a ghost delegate by deleting the account from AD without first removing its delegate permissions in Outlook.)
In this post, I'll outline a process that avoids the ghost delegate problem by finding and removing delegates BEFORE deleting the terminated user's account. There are two steps: search AD, then remove the delegates.
The hard part was finding all users who granted delegate rights to the "soon-to-be-deleted" account. I dredged up two oldies but goodies, LDIFDE and CSVDE, to do a reverse lookup on the terminated user via the "public delegate" attributes:
- PublicDelegates: "What mailbox(es) did I give delegate rights to?"
- PublicDelegatesBL: "What mailbox(es) am I a delegate of?"
Here are both commands:
LDIFDE.EXE -F delegateLDIFDE.TXT -D "OU=TestUsers,DC=myDC,DC=mydomain,DC=com" -L "name,mail,PublicDelegatesBL" -R "(&(mail=email@example.com)(PublicDelegatesBL=*))"
csvde -f delegateCSVDE.csv -s myDC -l "name,mail,PublicDelegatesBL" -r "(&(mail=firstname.lastname@example.org)(PublicDelegatesBL=*))"
Note: the LDIFDE command limits its search scope to "OU=TestUsers" (the -D base DN); csvde searches the entire enterprise directory.
Here is the output from LDIFDE, in which we found all the PublicDelegatesBL entries for "Andre Admin" (it's just Big Boss):
Next, use Glen Scales' PowerShell code to confirm the terminated user is a delegate, and then remove that user from every account on which he was granted delegate rights. (The following commands were described in a prior post.) Step 7 is where the terminated user is removed as a delegate; steps 5 and 6, which display delegates and forwarding rules, are shown just as an FYI.
- set-ExecutionPolicy RemoteSigned -force
- import-Module ./Messageops-Exchange.psd1
- $myCred=Get-Credential -Credential email@example.com
- $newprofile=new-messageops.ewsprofile -identity:firstname.lastname@example.org -exchangeversion:exchange2010_sp1 -casURL:https://mycas.mydomain.com -Credential:$myCred
- Get-MessageOps.MailboxDelegateReport -p:$newprofile -id:email@example.com
- Get-MessageOps.MailboxDelegateForwardingRules -p:$newprofile -id:firstname.lastname@example.org
- Remove-MessageOps.MailboxDelegate -p:$newprofile -id:email@example.com -DelegateAddress:firstname.lastname@example.org
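To tie the two steps together, here is an added example (my own script, not from the original post, the MessageOps module, or Glen Scales) that does the PublicDelegatesBL reverse lookup with System.DirectoryServices instead of LDIFDE/CSVDE and then feeds each grantor mailbox to step 7. It assumes the MessageOps module is already imported and $newprofile exists as created above; the mail address, OU and domain names are placeholders, and the script only reports unless run with -Remove.

```powershell
# Added example (not from the original post or the MessageOps module).
# Assumes: MessageOps-Exchange imported, $newprofile built as in the steps above,
# placeholder names for the search base and the terminated user's address.
param(
    [Parameter(Mandatory)] [string] $TerminatedUserMail,   # placeholder, e.g. email@example.com
    [string] $SearchBase = "LDAP://OU=TestUsers,DC=myDC,DC=mydomain,DC=com",
    [switch] $Remove                                        # default is a dry run (report only)
)

# 1. Find the terminated user and read its publicDelegatesBL backlinks. The backlink
#    holds the DNs of every mailbox that granted this user delegate rights.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$SearchBase
$searcher.Filter = "(&(mail=$TerminatedUserMail)(publicDelegatesBL=*))"
[void]$searcher.PropertiesToLoad.AddRange(@("name", "mail", "publicDelegatesBL"))

$user = $searcher.FindOne()
if (-not $user) {
    Write-Host "No publicDelegatesBL entries for $TerminatedUserMail; nothing to clean up."
    return
}

# 2. Resolve each backlink DN to the grantor's name and mail address.
$grantors = foreach ($dn in $user.Properties["publicdelegatesbl"]) {
    $grantor = [ADSI]"LDAP://$dn"
    [pscustomobject]@{
        Name = [string]$grantor.name
        Mail = [string]$grantor.mail
    }
}
$grantors | Format-Table -AutoSize

# 3. Remove the terminated user as a delegate of every grantor mailbox (step 7 above),
#    but only when -Remove is given; otherwise report what would be removed.
foreach ($g in $grantors) {
    if ($Remove) {
        Remove-MessageOps.MailboxDelegate -p:$newprofile -id:($g.Mail) -DelegateAddress:$TerminatedUserMail
    } else {
        Write-Host "Would remove $TerminatedUserMail as delegate of $($g.Mail) (re-run with -Remove)"
    }
}
```

Run it once without -Remove to review the grantor list against the LDIFDE output, then again with -Remove before the account is deleted from AD.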
I've pulled the URLs and commands into a text file that you can download to simplify typing....
p.s.: I tried the Exchange Management Shell, using a new Exchange 2010 cmdlet, "Get-MailboxFolderPermission." But it was difficult to do a reverse lookup (i.e., find all users who granted the "terminated user" permissions): I had to type that user's display name exactly right or got no hits. Plus, this cmdlet isn't available to Exchange 2007 customers.
Here is how to get Big Boss' permissions:
Get-MailboxFolderPermission -Identity bigboss:\Calendar
FYI, you can set access rights, in particular Editor rights, between "big boss" and "her admin" that you can't set if your end users access their Exchange calendars via OWA only:
Set-MailboxFolderPermission -Id:bigboss:\Calendar -User:herAdmin -AccessRights:Editor