But I have modified the commands some to get a better listing.

$group = Get-DynamicDistributionGroup –identity “AllStaff”

Get-Recipient –RecipientPreviewFilter $group.RecipientFilter | sort name | select name > d:\_temp\dlist_members.txt

These changes will give you an alphabetical list of members, with names only in the list. I find this easier for managers to use to verify list membership.

The list we have uses the PO filed to filter it. So we then just have to go to the user account and add specific text in the PO filed to add or remove them from the distribution list.

But when you try to delete the message, you get the following screen that contains the following error

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00

[REMOVED]\dtaylor
Failed

Error:
Cannot remove ACE on object “CN=MAIL ROOM,OU=Email Accounts,OU=[REMOVED]” for account “[REMOVED]\dtaylor” because it is not present.

Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity ‘CN=MAIL ROOM,OU=Email Accounts,OU=[REMOVED]‘ -User ‘[REMOVED]\dtaylor’ -InheritanceType ‘All’ -AccessRights ‘FullAccess’

Elapsed Time: 00:00:00

Let me give you a little background. Several years ago, we had three domains. Two of the domains contained Exchange 2003 servers with mailboxes. We migrated all the mailboxes from the two domains to the domain that did not currently have an Exchange server in it. So basically we took three domains and consolidated to a single domain and migrated from Exchange 2003 to Exchange 2007. All three domains belonged to the same AD forest.

Solution
One way I found to get past this error was to copy the error message, and change the domain to the previous domain in the command. This would then delete the ACE for that user. This method works great, if the domain still exists in the organization so that it can do a SID lookup and then delete the ACE. (NOTE: I even tried to modify the command so instead of using [DOMAIN]\[USERNAME] I used the SID, but this did not work).

Exchange for some odd reason will always send the command to the Remove-MailboxPermission with the username in domain\username format. It will always do a lookup on the SID and then translate it to that format. So even by using the sid you get the same error. Here is an example:

[PS] >Remove-MailboxPermission -Identity ‘CN=MAIL ROOM,OU=Email Accounts,OU=[REMOVED]‘ -User ‘S-1-5-21-1398355167-[REMOVED]-15821′ -InheritanceType ‘All’ -AccessRights ‘FullAccess’

Confirm
Are you sure you want to perform this action?

Removing mailbox permission “[REMOVED]/Corp/Email Accounts/MAIL ROOM” for user “S-1-5-21-1398355167-[REMOVED]-15821″ with access rights “‘FullAccess’”.

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is “Y”):y

Remove-MailboxPermission : Cannot remove ACE on object “CN=MAIL ROOM,OU=Email Accounts,OU=[REMOVED]” for account “[REMOVED]\dtaylor” because it is not present.
At line:1 char:25

Notice that the first line has the SID in the remove-mailboxPermission command, but in the failed text, it has replaced the SID with the username.

To get the sid to do this, I went into AD Users and Computers and then after selecting the advanced view did an Attribute Editor lookup on the sIDHistory field.

So what do you do to remove the ACE for this account? The problem is that no matter what input you give the remove-MailboxPermission cmdlet, it will always do a lookup and resolve the sid to a username format. But if the sid it does the lookup on is not the primary sid for that account it will fail. To solve this problem you have to remove the ability for the cmdlet to resolve the sid in the first place. To do this, you have to remove the sIDHistory from the AD account.

Microsoft has a script on their site called “How To Use Visual Basic Script to Clear SidHistory“. If you run this script, it will remove the sid history, then when you look at the FULL Permissions, you will see a unresolved SID instead of the username. The remove-mailboxpermission cmdlet can then remove the ACE from that mailbox.

NOTE: I would record the sid value in the sIDHistory field somewhere, because chances are you will find other accounts that now show that sid as having full mailbox rights. You will then want to have a history of the sid so you can then grant permission to the correct account when you see an unresolved sid.

export-mailbox familydomains -PSTFolderPath C:\temp\ -DeleteContent -endDate 12/31/2008

The advantage to doing it this way is that no emails are actually deleted. They are moved from the mailbox to the PST file, so they can be imported, or viewed through Outlook at a later date if the end user changes their mind.

get-transportserver | Get-MessageTrackingLog -ResultSize Unlimited -Start “10/17/2009 8:00AM” -End “11/17/2009 5:00PM” -eventid Send | WHERE {$_.recipients -like “*domainname.com*”} > “c:\send.xls”