ExoModuleVersion: 3.2.0 Problem: Remove-MailboxFolderPermission cannot remove permission if the user specified in User property doesn't have any Exchange Online mailbox. The cmdlet fails with the following error: |Microsoft.Exchange.Management.StoreTasks.UserNotFoundInPermissionEntryException|There is no existing permission entry found for user:103ac2ac-42e3-4797-af94-bd13d4c69a9c. Where '103ac2ac-42e3-4797-af94-bd13d4c69a9c' is the ID of the user that I specify in -User parameter. If I specify the user's display name, then the cmdlet removes the permission correctly, but display name cannot be used because it is not unique and cannot identify the user correctly.

Can you show us the output of Get-MailboxFolderPermission for that entry? In particular, the properties of the User object, for example: Get-MailboxFolderPermission user:\calendar | Select -ExpandProperty User If the UserType value returned therein does not show "Internal", Exchange has no knowledge of the corresponding security principal, and using the GUID value will result in an error similar to the above. If you do see non-null RecipientPrincipal object returned, you can use identifiers therein to reference the user.

Why Remove-MailboxFolderPermission fails if user specified in User property doesn't have any mailbox?

Accepted answer

Vasil Michev 99,351 Reputation points MVP

2023-09-20T17:40:20.5266667+00:00

Can you show us the output of Get-MailboxFolderPermission for that entry? In particular, the properties of the User object, for example:

Get-MailboxFolderPermission user:\calendar | Select -ExpandProperty User

If the UserType value returned therein does not show "Internal", Exchange has no knowledge of the corresponding security principal, and using the GUID value will result in an error similar to the above.

If you do see non-null RecipientPrincipal object returned, you can use identifiers therein to reference the user.
Please sign in to rate this answer.

1 person found this answer helpful.
Volodymyr Dumchykov 41 Reputation points

2023-09-21T08:23:44.6166667+00:00

Get-MailboxFolderPermission returns a record with UserType equals "Internal". RecipientPrincipal contains an object of type ADRecipientPrincipal with fields such as "LegacyExchangeDN", "Name", "Sid", "Guid":

Type : ADRecipientPrincipal LegacyExchangeDN : /o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5238b76e068c40eab6b0b2fc927243d4-b623a6df-87 PrimarySmtpAddress : EmailAddresses : {SIP:b623a6df87d64aae803a74925215ea8fb.user2@domain.com} RecipientType : User RecipientTypeDetails : User Name : b623a6df-87d6-4aae-803a-74925215ea8f DisplayName : Test User2 IsValidSecurityPrincipal : False IsConsumerMailbox : False IsGroup : False Sid : S-1-5-21-563815680-3157599435-888286042-64499404 Guid : 243cb006-edae-4d17-b2e9-0854c2c21f73 Alias : DirectoryRecipient : Test User2 IndexString : /o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5238b76e068c40eab6b0b2fc927243d4-b623a6df-87

Remove-MailboxFolderPermission with indentifies from this object fails with a error like the following:

Write-ErrorMessage : |Microsoft.Exchange.Management.StoreTasks.UserNotFoundInPermissionEntryException|There is no existing permission entry found for user: /o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5238b76e068c40eab6b0b2fc927243d4-b623a6df-87. At C:\Users\begemot\AppData\Local\Temp\tmpEXO_bjbcppbj.qkt\tmpEXO_bjbcppbj.qkt.psm1:1188 char:13 + Write-ErrorMessage $ErrorObject + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Remove-MailboxFolderPermission], UserNotFoundInPermissionEntryException + FullyQualifiedErrorId : [Server=BYAPR07MB5127,RequestId=cf47f0c4-553e-7429-cdb8-b6fe94cfa4d8,TimeStamp=Thu, 21 Sep 2023 07:54:20 GMT],Write-ErrorMessage

Only using the value of DisplayName field removes the permission, but again the DisplayName is not unique.

Vasil Michev 99,351 Reputation points MVP

2023-09-21T08:39:41.9+00:00

RecipientTypeDetails : User

The above means that this user is not a valid recipient (i.e. not an object supported by ExO), thus the errors you are getting. I'm actually surprised that using display name works in your case.

Volodymyr Dumchykov 41 Reputation points

2023-09-21T11:58:58.6966667+00:00

The above means that this user is not a valid recipient (i.e. not an object supported by ExO), thus the errors you are getting

But it means that there is no way to remove such permissions. As for me it's normal scenario - Exchange Online license is revoked from a user account, but there are permissions granted for the user, and there is no way to remove the permissions.

I'm actually surprised that using display name works in your case.

Yes, its quite interesting :-)

Kael Yao-MSFT 37,591 Reputation points Microsoft Vendor

2023-09-22T06:36:19.7466667+00:00

Hi @Volodymyr Dumchykov

In this case to me you may need to re-assign EXO license to the user, remove the permission then remove the license.

Besides, if the user does not have an active license, in normal cases it is not possible for him to actually make use of the permission.

Olivier DELAPLACE 0 Reputation points

2023-09-22T09:53:40.8466667+00:00

i've got the same problem and i couldn't remove users that have been deleted, the UserType was "Unknown" with the command :

Rmove-MailboxFolderPermission - Identity user:\calendar -User username

i've got this error message : "+ CategoryInfo : NotSpecified: (:) [Remove-MailboxFolderPermission], UserNotFoundInPermissionEntryException"

the users I wanted to delete had "Editor" access rights.

I therefore deleted all users with "Editor" access rights with these commands :

$calendarIdentity = "User:\Calendar"

$editors = Get-MailboxFolderPermission -Identity $calendarIdentity | Where-Object {$_.AccessRights -eq "Editor"}

foreach ($editor in $editors) {

Remove-MailboxFolderPermission -Identity $calendarIdentity -User $editor.User -Confirm:$false

}

Users who could not be deleted are now deleted
Sign in to comment

Share via

Why Remove-MailboxFolderPermission fails if user specified in User property doesn't have any mailbox?

0 additional answers