Orphaned SID preventing mailbox delegation to specific user

Richard G 21 Reputation points
2023-01-25T16:08:44.0333333+00:00

User with 25+ year old mailbox - we'll call him Aaron, left the company. I've been tasked with granting access to the mailbox to 'Bobby' and a couple of others. The mailbox migrated from on-prem Exchange to Office 365 about 5 years ago. Granting Bobby access via EAC appears to work as I get no errors, but when checking, the user is not listed as a delegate even though the mailbox does show up for them in Outlook. When the Inbox is selected in Outlook, it is blank.

In doing some digging with PowerShell I discover that there are two entries for Bobby with delegate access but with different UserSID entries.

IsOwner         : False
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : bobby@mycompany.com
UserSid         : S-1-5-21-25500341-2949582500-3150002221-7181280
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

IsOwner         : False
AccessRights    : {FullAccess, ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SELF
UserSid         : S-1-5-10
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

IsOwner         : False
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : chuck@mycompany.com
UserSid         : S-1-5-21-2120108801-775384027-3996421721-2079015
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

IsOwner         : False
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : daniel@mycompany.com
UserSid         : S-1-5-21-2120108801-775384027-3996421721-2079037
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

IsOwner         : False
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : bobby@mycompany.com
UserSid         : S-1-5-21-2120108801-775384027-3996421721-2079072
Identity        : Aaron
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

The bottom 'bobby' UserSid in the list above is the one that is toggled when adding/removing delegate access to the mailbox. You may also notice that the three lower UserSids that have access to this mailbox are very similar, but the one on top of the list is quite different.

I'm speculating that this was orphaned somehow when migrating from the on-premise Exchange to Office 365, but that's just a theory. How do I remove that top delegate?


Accepted answer
  1. Andy David - MVP 144.2K Reputation points MVP
    2023-01-25T16:19:44.5666667+00:00

    You could try resetting the full access perms completely for that mailbox and re-adding the ones you need:

    https://video2.skills-academy.com/en-us/powershell/module/exchange/remove-mailboxpermission?view=exchange-ps


    1 person found this answer helpful.
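An added example, not part of the original question or answer: a PowerShell check that flags permission entries which are Deny entries or whose SID domain prefix differs from the one most entries share, followed by the reset and re-add that the accepted answer suggests trying. The function names `Find-SuspectAce` and `Reset-FullAccess` are hypothetical, the sample objects are constructed from the listing in the question, and `Reset-FullAccess` assumes a connected Exchange Online PowerShell session.

```powershell
# Constructed sample mirroring the entries in the question. In a live session:
#   $aces = Get-MailboxPermission -Identity Aaron
$aces = @(
    [pscustomobject]@{ User = 'bobby@mycompany.com';  Deny = $true;  UserSid = 'S-1-5-21-25500341-2949582500-3150002221-7181280' }
    [pscustomobject]@{ User = 'NT AUTHORITY\SELF';    Deny = $false; UserSid = 'S-1-5-10' }
    [pscustomobject]@{ User = 'chuck@mycompany.com';  Deny = $false; UserSid = 'S-1-5-21-2120108801-775384027-3996421721-2079015' }
    [pscustomobject]@{ User = 'daniel@mycompany.com'; Deny = $false; UserSid = 'S-1-5-21-2120108801-775384027-3996421721-2079037' }
    [pscustomobject]@{ User = 'bobby@mycompany.com';  Deny = $false; UserSid = 'S-1-5-21-2120108801-775384027-3996421721-2079072' }
)

function Find-SuspectAce {
    param([Parameter(Mandatory)][object[]]$Ace)
    # Only domain account SIDs (S-1-5-21-...); well-known SIDs such as SELF are skipped.
    $rows = $Ace | Where-Object { "$($_.UserSid)" -like 'S-1-5-21-*' } |
        Select-Object User, Deny, UserSid,
            @{ n = 'DomainSid'; e = { "$($_.UserSid)" -replace '-\d+$', '' } }  # strip the RID
    # Assumption: the domain prefix shared by most entries is the current one.
    $current = ($rows | Group-Object DomainSid | Sort-Object Count -Descending |
        Select-Object -First 1).Name
    $repeated = @(($rows | Group-Object User | Where-Object Count -gt 1).Name)
    # Report Deny entries and entries from a different domain prefix.
    $rows | Where-Object { $_.Deny -or $_.DomainSid -ne $current } |
        Select-Object User, Deny, UserSid,
            @{ n = 'ForeignDomain';   e = { $_.DomainSid -ne $current } },
            @{ n = 'UserListedTwice'; e = { $_.User -in $repeated } }
}

function Reset-FullAccess {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string[]]$Delegate,
        [switch]$Apply   # without -Apply every cmdlet runs with -WhatIf (preview only)
    )
    # Reset the mailbox permissions to default, then re-add the delegates that are needed.
    Remove-MailboxPermission -Identity $Mailbox -ResetDefault -WhatIf:(-not $Apply)
    foreach ($d in $Delegate) {
        Add-MailboxPermission -Identity $Mailbox -User $d -AccessRights FullAccess `
            -InheritanceType All -WhatIf:(-not $Apply)
    }
}

# Runs offline against the constructed sample; flags the first 'bobby' entry.
Find-SuspectAce -Ace $aces | Format-List
# Preview of the reset (needs a live session):
#   Reset-FullAccess -Mailbox Aaron -Delegate 'bobby@mycompany.com','chuck@mycompany.com','daniel@mycompany.com'
```

Running `Get-MailboxPermission -Identity Aaron` through `Find-SuspectAce` again after the reset shows whether the flagged entry is gone.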
