Insuff_access_rights to remove mailbox - GUI or Powershell

  • Question

  • Exchange 2016

    Trying to remove my old mailboxes that are just old, organization does not like to delete - anything.  GUI: delete mailbox 4003 error, insuff_access_rights.  Powershell: remove-mailbox -identity $user -permanent $true, 4003 error insuff_access_rights.  Account with Domain Admin and Org Admin is being used to perform these tasks.  Need some help as I have over 2000 mailboxes that need to be removed. 

    Searched on Google, Technet and will be performing a sacrifice at midnight to appease the Exchange gods.  

    Seen a few posts stating to enable inheritance for Exchange Trusted Subsystem.  Checked, inheritance is enabled on the object prior to the attempt to remove/delete.  Checked a few more mailboxes that need to be removed, still get the error on all and they are all enabled.

    I did see a post that listed the attributes for moves and explained the process in more detail but have not found anything listing the removal attributes that are required.

    The move request causes the Mailbox Replication Service (MRS) to update several attributes in the user object that MRS uses to track and report the progress of a move. Some of the attributes are static and some (like the move status) are updated as the move progresses. You can retrieve this data with the Get-MoveRequest cmdlet. The attributes are:

    Get-MoveRequest: https://docs.microsoft.com/en-us/powershell/module/exchange/get-moverequest?view=exchange-ps

    • msExchMailboxMoveBatchName (batch name for the move request, if specified)
    • msExchMailboxMoveFlags (any flags specified for the move)
    • msExchMailboxMoveRemoteHostName (the name of the remote host if MRS is pushing mailbox data to a legacy Exchange server)
    • msExchMailboxMoveSourceMDBLink (the source database)
    • msExchMailboxMoveStatus (the current status – for example, “Queued”)
    • msExchMailboxMoveTargetMDBLink (the target database)

    *Post source: https://thoughtsofanidlemind.com/2010/10/08/ex2010-insufficient-access/

    The last thing I found to try is to give full permissions to Exchange Trusted Subsystem.  Before I try that I would like to have a better understanding of the removal process and any attributes associated.

    Anyone found the attributes that are associated with the removals?  OR should I just set full control for Exchange Trusted Subsystem?

    • Edited by Thomas Waite Monday, October 5, 2020 7:54 PM added line breaks
    Monday, October 5, 2020 6:59 PM

All replies

  • Hi Thomas,

    1. According to the information you provided and my research on it, please make sure the account you are using has the correct permissions. Inheritance of permissions can also cause this problem. To be able to view and edit the permissions, we need to display the Advanced Features in Active Directory Users and Computers, then browse to the relevant user and open the properties. On the Security tab we click on Advanced; here we click on Enable inheritance and confirm this with Apply.

    For more information: Issue deleting Mailbox – Active directory response.

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    2. About attributes about removals, you could refer to the Parameters section of this article, which introduces properties.

    3. Please make sure that "Exchange Trusted Subsystem" group has full access permission on the user.

    Please note that this Exchange Server Development forum mainly focuses on scripting issues, and the previous TechNet Exchange forum has been migrated to the Q&A forum. Please post your issues there if you need further support.

    Regards,

    Lucas Liu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, October 6, 2020 8:17 AM
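
The inheritance and Exchange Trusted Subsystem checks discussed in this thread can be run across a list of accounts instead of opening each object in ADUC. This is an added example, not a script from any poster; it is read-only, assumes the ActiveDirectory (RSAT) module is installed, and the account names, function name and output file name are placeholders.

```powershell
# Added example: read-only audit, makes no changes to AD or Exchange.
# Assumes the ActiveDirectory module (RSAT) and that $users holds
# sAMAccountNames; "mailboxuser1"/"mailboxuser2" are placeholder names.
Import-Module ActiveDirectory

$users   = @("mailboxuser1", "mailboxuser2")   # placeholders
$trustee = "Exchange Trusted Subsystem"

function Get-MailboxObjectAclReport {
    param(
        [string[]]$SamAccountName,
        [string]$Trustee
    )

    foreach ($name in $SamAccountName) {
        $adUser = Get-ADUser -Identity $name
        # The AD: drive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path ("AD:\" + $adUser.DistinguishedName)

        # ACEs whose trustee is DOMAIN\<group name>.
        $aces = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$Trustee"
        })
        $inherited = @($aces | Where-Object { $_.IsInherited })
        $explicit  = @($aces | Where-Object { -not $_.IsInherited })
        $deny      = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
        $allow     = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })

        [pscustomobject]@{
            SamAccountName       = $name
            DistinguishedName    = $adUser.DistinguishedName
            # True means inheritance is DISABLED on this object.
            InheritanceBlocked   = $acl.AreAccessRulesProtected
            TrusteeInheritedAces = $inherited.Count
            TrusteeExplicitAces  = $explicit.Count
            TrusteeDenyAces      = $deny.Count
            # Distinct Allow rights granted to the trustee on the object.
            TrusteeAllowRights   = ($allow.ActiveDirectoryRights |
                                    Sort-Object -Unique) -join '; '
        }
    }
}

Get-MailboxObjectAclReport -SamAccountName $users -Trustee $trustee |
    Export-Csv -Path .\MailboxAclAudit.csv -NoTypeInformation
```

Rows with `InheritanceBlocked` set to True, or with no inherited ACEs for the trustee, are the objects to compare against one that deletes normally.
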
  • Lucas,

    Thanks for the response.  However, I may have not been clear on my requests.  

    1) Account permissions - I did mistype the Exchange Org Management with Org Admin.  I have verified the account is in Organization Management and also verified Org Management has the required MailRecipientCreation role required for Remove-Mailbox.

    2) To clarify, what I was referring to was the attributes within the permissions entry dialog for a given principal.  AD User Object > Security Tab > Advanced (Advanced Security Settings) > Select entry (Exchange Trusted Subsystem) & edit/view > Permissions Entry.   A list of attributes is displayed - Permissions and Properties.  For a mailbox move within properties for example, the properties I listed above are listed in this area.  I'm looking for the attributes/properties/permissions required to remove a mailbox.  

    Inheritance - I have verified inheritance was enabled for the two (2) objects I'm working with now.  For object A, I have disabled and re-enabled inheritance, that reapplied an additional 107 or so permissions.  Object B was left unchanged.  I have rechecked the GUI and powershell command on both objects with no success.  Both mailboxes were not removed.

    Exchange Trusted Subsystem:  For object A, I have granted Exchange Trusted Subsystem full control on the object.  I have rechecked both GUI and powershell to remove the mailbox with no success. The mailbox was not removed.

    I have screenshots but can not post them.  I have also included the powershell script I am using.

    Powershell script

    # Open a remote session to the Exchange server and import its cmdlets.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ExchangeServer.domain.com/PowerShell/

    Import-PSSession $Session -AllowClobber
    # testing removal of mailboxes.
    $users = ("Object B","Object A")

    # Build the CSV path: share path + date stamp + extension.
    $sp   = "\\Path\To\File\Exchange_OldEmailRemoval_"
    $date = Get-Date -Format ddMMMyy
    $ext  = ".csv"
    $se = $sp + $date + $ext

    foreach ($user in $users) {

        # Record mailbox details and statistics before the removal attempt.
        $mb_info  = Get-Mailbox -Identity $user | Select-Object AccountDisabled, HiddenFromAddressListsEnabled, UserPrincipalName, Alias, DisplayName
        # Quote the identity so "$user" plus "@domain.com" is passed as one string.
        $mb_stats = Get-MailboxStatistics -Identity "$user@domain.com" | Select-Object ItemCount, TotalDeletedItemSize, TotalItemSize, DisplayName

        New-Object PSObject -Property @{
                AccountDisabled = $mb_info.AccountDisabled
                HiddenFromAddressListsEnabled = $mb_info.HiddenFromAddressListsEnabled
                UserPrincipalName = $mb_info.UserPrincipalName
                Alias = $mb_info.Alias
                DisplayName = $mb_info.DisplayName
                ItemCount = $mb_stats.ItemCount
                TotalDeletedItemSize = $mb_stats.TotalDeletedItemSize
                TotalItemSize = $mb_stats.TotalItemSize
                StatsDisplayName = $mb_stats.DisplayName
            } | Export-Csv $se -Append -NoTypeInformation

        # Permanently remove the mailbox and its AD account.
        Remove-Mailbox -Identity "$user@domain.com" -Permanent $true

    }

    # Close the remote session when finished.
    Remove-PSSession $Session

    We do have email archiving, Dell EMC's SourceOne.  Not sure if this is a limitation or restriction from SourceOne but would think I could still remove a mailbox if needed from EAC or powershell (EMS).

    Hope this clarifies the issue we are having.

    Wednesday, October 7, 2020 8:58 PM
  • Hi Thomas,

    Can all mailboxes be deleted?

    I created a test user and viewed the attributes/properties/permissions in Exchange Trusted Subsystem (Apply to this object and all descendant objects) in ADUC. I found that the object does not have any attributes/properties/permissions by default, but it can be deleted normally.

    Could you try to directly delete the mailbox in ADUC? If not, please try it, this will directly delete the AD account and its bound mailbox.

    Please note that this Exchange Server Development forum mainly focuses on scripting issues, and the previous TechNet Exchange forum has been migrated to the Q&A forum. Please post your issues there if you need further support.

    Regards,

    Lucas Liu



    Friday, October 9, 2020 9:53 AM
  • Thanks Lucas
    Tuesday, October 13, 2020 5:47 PM