Thursday, July 23, 2009

Zombie User Accounts and Exchange Public Folders

Today I tried to remove some permissions from a public folder database. I had all these "NT User" objects under some of the public folders for users that no longer existed. This environment is running Exchange 2007.

When I went to remove "NT User:S-1-5-21-676542811-1909674497-837300805-8592" using:

Remove-PublicFolderClientPermission -Identity "\Professional Services" -User "NT User:S-1-5-21-676542811-1909674497-837300805-8592" -AccessRights Owner

I received the following error:

Remove-PublicFolderClientPermission : The specified public folder user "NT User:S-1-5-21-676542811-1909674497-837300805-8592" does not exist. A valid public folder user should be a mail-enabled user, mailbox or distribution group.
At line:1 char:36
+ Remove-PublicFolderClientPermission <<<< -Identity "\Professional Services" -User "NT User:S-1-5-21-676542811-1909674497-837300805-8592" -AccessRights Owner

The error is saying that a valid public folder user should be a mail-enabled user, mailbox or distribution group. These objects are actually Zombie User objects.

What are Zombie Users?

Pretty much anyone who has upgraded a 5.5 server to E2K has probably encountered the zombie user phenomenon. The reason behind these errors has to do with what we did to Exchange security in Exchange 2000 versus how it existed in Exchange 5.5 and earlier. The early versions of Exchange were developed before the NT security model became widely adopted, so it rolled its own for security. Both the NT model and the Ex5.5 model made use of something called an ACL, or Access Control List, but the formats of them are very different. Having a different security model in Exchange versus the OS and other products was a nuisance and limited a lot of things we could do along the lines of storage convergence, but the main reason for making the change was that we were also integrating with the new (at the time) Active Directory which used NT security descriptors. This presented us with a major headache: how do we convert the 5.5 ACL's to NTSD's?

The above paragraph was taken from:

How can I remove these Zombie User Accounts?

This cannot be done using Exchange Management Console or Exchange Management Shell (as of this writing the latest Exchange release is 2007 SP1).

There are two known ways to kill zombies: using Outlook or using PFDavAdmin.

The following comments were made by Evan Dodds, Program Manager for Exchange at Microsoft:

I asked around a bit - as I don't have a lot of awareness of the details of the PublicFolder Permissions feature - and here's what I found out:

Yes. What you are observing is by design. When a user is removed, the ACL on public folders has a hanging SID. Since this is not transmitted over the wire (due to conversion to LegacyDN, which cannot be found for deleted users), the only ramification is that of wasted space.

There are currently no cmdlets to clean up such SIDs.

Comments from Me

This is the second problem I have witnessed in the past few months that has appeared to be a bug - however turning out to be "By Design". The last one was with adding replicas to certain system public folders, in which Indarraaj, a Microsoft Exchange architect, told me the error was by design. You can find this blogpost here:


  1. I was looking for a PS script to clean up my Zombie accounts in my Public Folders, which contains thousands of folders. I found your post in my search. When I couldn't find any existing scripts I decided to roll up my sleeves and give it a go myself. I was able to successfully write a PS script that will go through your Public Folders recursively and clean out Zombie accounts in one swoop with either no confirmations or per Zombie account per folder confirmations.

    If you or anyone else wishes to look at the script I came up with and/or share with others shoot me an email @


  2. This is a one line script...

    get-publicfolder "\" -recurse -resultsize unlimited | get-publicfolderclientpermission | where {$_.user -like "NT User:S-1-*"} | % {remove-publicfolderclientpermission -identity $_.identity -user $_.user -access $_.accessrights -confirm:$false}

    This removes all but the "None" access for zombie accounts. That access requires a bit of extra work due to the odd behavior of the remove command when dealing with an access level of "None".
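
Added example (not from the original post or either commenter): before a bulk removal like the one-liner above, this audit-only PowerShell function lists the raw-SID entries and checks each SID with .NET's SecurityIdentifier.Translate, so an entry that still maps to a live account is not mistaken for a zombie. The function name Get-ZombieAclEntry, the second sample row and the report file name are assumptions; it needs Windows and PowerShell 2.0 or later, and a SID is resolved only against domains reachable from the machine running it.

```powershell
# Added example: audit only, removes nothing. Assumes PowerShell 2.0 or later on Windows.
# Input objects need Identity, User and AccessRights properties, the same
# properties the one-line script in the comments reads.
function Get-ZombieAclEntry {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        # Only entries displayed as a raw SID are candidates.
        if ("$($Entry.User)" -notmatch '^NT User:(S-1-[0-9-]+)$') { return }
        $sidText = $Matches[1]
        $account = $null
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $sidText
            # Translate() throws IdentityNotMappedException when no account owns the SID.
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null
        }
        New-Object PSObject -Property @{
            Folder       = "$($Entry.Identity)"
            Sid          = $sidText
            AccessRights = "$($Entry.AccessRights)"
            ResolvesTo   = $account
            Orphaned     = ($null -eq $account)
        }
    }
}

# Constructed sample input: the first SID is the one from the error message in the
# post, the second row is made up to show that named users are skipped.
$sample = @(
    (New-Object PSObject -Property @{
        Identity     = '\Professional Services'
        User         = 'NT User:S-1-5-21-676542811-1909674497-837300805-8592'
        AccessRights = 'Owner' }),
    (New-Object PSObject -Property @{
        Identity     = '\Professional Services'
        User         = 'Example User'
        AccessRights = 'Author' })
)
$sample | Get-ZombieAclEntry | Format-Table Folder, Sid, AccessRights, Orphaned -AutoSize

# Against a live server (cmdlets as used on this page), write a report to review first:
# Get-PublicFolder "\" -Recurse -ResultSize Unlimited | Get-PublicFolderClientPermission |
#     Get-ZombieAclEntry | Export-Csv .\zombie-acl-report.csv -NoTypeInformation
```

Rows with Orphaned set to False still belong to an existing account and should be reviewed by hand rather than removed in bulk.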