Script repository

Remove all trustees from Full Access list

February 18, 2021

The script removes all the trustees from the Full Access list of a mailbox. You can use the script in the Run a program or PowerShell script action in business rules, scheduled tasks and custom commands.


  • $trusteeDNsToSkip - Specifies distinguished names (DNs) of the trustees that should not be removed from the Full Access list if present.
$trusteeDNsToSkip = @("CN=MyGroup,OU=Groups,DC=domain,DC=com", "CN=John Smith,OU=Users,DC=domain,DC=com") # TODO: modify me

# Get trustee SIDs
$sidsToSkip = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($dn in $trusteeDNsToSkip)
{
    $object = $Context.BindToObjectByDN($dn)
    $sidBytes = $object.Get("objectSID")
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    # Store the string form of the SID so it can be compared with ObjectSid below
    [void]$sidsToSkip.Add($sid.ToString())
}

# Get Exchange properties
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Get SIDs of objects that have Full Access permissions
$mailboxRights = $mailboxParams.MailboxRights
$fullAccess = $mailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
foreach ($objReference in $fullAccess)
{
    $sid = $objReference.ObjectSid
    if ([System.String]::IsNullOrEmpty($sid))
    {
        # Trustee has no SID to compare against the skip list; leave it untouched
        continue
    }

    if ($sidsToSkip.Contains($sid))
    {
        # Trustee is listed in $trusteeDNsToSkip; keep its Full Access permission
        continue
    }

    # Remove the Full Access permission granted to this trustee
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference
    $mailboxRights.RemovePermission($permission)
}

# Update permissions
$mailboxParams.MailboxRights = $mailboxRights
$Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")