Script Repository

Remove all trustees from Full Access list

February 18, 2021

The script removes all the trustees from the Full Access list of a mailbox. You can use the script in the Run a program or PowerShell script action in business rules, scheduled tasks and custom commands.


  • $trusteeDNsToSkip - Specifies distinguished names (DNs) of the trustees that should not be removed from the Full Access list if present.
Edit Remove
$trusteeDNsToSkip = @("CN=MyGroup,OU=Groups,DC=domain,DC=com", "CN=John Smith,OU=Users,DC=domain,DC=com") # TODO: modify me

# Get trustee SIDs
$sidsToSkip = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($dn in $trusteeDNsToSkip)
    $object = $Context.BindToObjectByDN($dn)
    $sidBytes = $object.Get("objectSID")
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)

# Get Exchange properties
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Get SIDs of objects that have Full Access permissions
$mailboxRights = $mailboxParams.MailboxRights
$fullAccess = $mailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")
foreach ($objReference in $fullAccess)
    $sid = $objReference.ObjectSid
    if ([System.String]::IsNullOrEmpty($sid))
    if ($sidsToSkip.Contains($sid))
    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference

# Update permissions
$mailboxParams.MailboxRights = $mailboxRights
$Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")

Comments ( 0 )
No results found.
Leave a comment