Today I tried to remove some permissions from a public folder database. I had all these "NT User" objects under some of the public folders for users that no longer existed. This environment is running Exchange 2007.
When I went to remove "NT User:S-1-5-21-676542811-1909674497-837300805-8592" using:
Remove-PublicFolderClientPermission -Identity "\Professional Services" -User "NT User:S-1-5-21-676542811-1909674497-837300805-8592" -AccessRights Owner
I received the following error:
Remove-PublicFolderClientPermission : The specified public folder user "NT User:S-1-5-21-676542811-1909674497-837300805-8592" does not exist. A valid public folder user should be a mail-enabled user, mailbox or distribution group.
At line:1 char:36
+ Remove-PublicFolderClientPermission <<<< -Identity "\Professional Services" -User "NT User:S-1-5-21-676542811-1909674497-837300805-8592" -AccessRights Owner
What this error is saying is that a valid public folder user must be a mail-enabled user, mailbox or distribution group, and a bare SID is none of those. These objects are actually Zombie User objects.
What are Zombie Users?
Pretty much anyone who has upgraded a 5.5 server to E2K has probably encountered the zombie user phenomenon. The reason behind these errors has to do with what we did to Exchange security in Exchange 2000 versus how it existed in Exchange 5.5 and earlier. The early versions of Exchange were developed before the NT security model became widely adopted, so it rolled its own for security. Both the NT model and the Ex5.5 model made use of something called an ACL, or Access Control List, but the formats of them are very different. Having a different security model in Exchange versus the OS and other products was a nuisance and limited a lot of things we could do along the lines of storage convergence, but the main reason for making the change was that we were also integrating with the new (at the time) Active Directory which used NT security descriptors. This presented us with a major headache: how do we convert the 5.5 ACLs to NTSDs?
The above paragraph was taken from:
How can I remove these Zombie User Accounts?
This cannot be done using the Exchange Management Console or the Exchange Management Shell (as of this writing the latest Exchange release is 2007 SP1).
There are two known ways to kill zombies: using Outlook, or using PFDavAdmin.
The following comments were made by Evan Dodds, Program Manager for Exchange at Microsoft:
I asked around a bit - as I don't have a lot of awareness of the details of the PublicFolder Permissions feature - and here's what I found out:
Yes. What you are observing is by design. When a user is removed, the ACL on public folders has a hanging SID. Since this is not transmitted over the wire (due to conversion to LegacyDN, which cannot be found for deleted users), the only ramification is that of wasted space.
There are currently no cmdlets to clean up such SIDs.
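Since there is no cmdlet to remove these entries, the useful thing the shell can still do is find them. The following audit script is an added example, not code from the original post or from Microsoft: it walks a public folder subtree, reads each folder's client permissions, and reports every entry whose user is only a raw SID ("NT User:S-1-5-..."), which is exactly the zombie pattern above. It assumes it is run in the Exchange 2007 Management Shell on a server that hosts a public folder database; the server name, root folder and report path are placeholders.

```powershell
# Added example (not from the original post): report zombie ACL entries on
# public folders so they can be cleaned up afterwards with Outlook or PFDavAdmin.
# Assumes the Exchange 2007 Management Shell (Get-PublicFolder and
# Get-PublicFolderClientPermission available). All three defaults are placeholders.
param(
    [string]$Server = "PFSERVER01",              # placeholder: a public folder server
    [string]$Root   = "\",                       # top of the subtree to audit
    [string]$Report = "C:\Temp\ZombiePFAcl.csv"  # placeholder output path
)

# A resolvable entry shows a display name; an orphaned one shows "NT User:<SID>".
$sidPattern = '^NT User:S-1-5-\d+(-\d+)+$'

$zombies = @()
foreach ($folder in (Get-PublicFolder -Identity $Root -Server $Server -Recurse -ResultSize Unlimited)) {
    $acl = Get-PublicFolderClientPermission -Identity $folder.Identity -Server $Server
    foreach ($entry in $acl) {
        # User is a PublicFolderUserId; its string form is what we match on.
        $userText = $entry.User.ToString()
        if ($userText -match $sidPattern) {
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Folder       $folder.Identity.ToString()
            $row | Add-Member NoteProperty User         $userText
            $row | Add-Member NoteProperty AccessRights ($entry.AccessRights -join ', ')
            $zombies += $row
        }
    }
}

# @() guards against a single result having no Count property in older PowerShell.
if (@($zombies).Count -gt 0) {
    $zombies | Sort-Object Folder | Format-Table Folder, User, AccessRights -AutoSize
    $zombies | Export-Csv -Path $Report -NoTypeInformation
    Write-Host ("{0} zombie ACL entries written to {1}" -f @($zombies).Count, $Report)
} else {
    Write-Host "No zombie ACL entries found under $Root"
}
```

The CSV gives you a worklist of folder paths and SIDs to remove by hand, and running the script again after the cleanup confirms nothing was missed. Remove-PublicFolderClientPermission is deliberately not called here because, as shown above, it rejects these entries.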
Comments from Me
This is the second problem I have witnessed in the past few months that appeared to be a bug but turned out to be "By Design". The last one was with adding replicas to certain system public folders, where Indarraaj, a Microsoft Exchange architect, told me the error was by design. You can find this blog post here: