By Ace Fekay
Published 5/11/2017

Scope

How to remove a shared mailbox that keeps showing up in your Outlook profile that you’ve been removed as a delegate.

To add, this is a big stickler especially with migrating from on-premises to Office 365, where the SendAs permission is now changed, because the permission must be re-assigned to the EXO object, the entity actually sending-As the email as another, and not the on-premises AD object. This also discusses how to remove the original Automapped BL (backlink).

Automapping

Automapping is an Autodiscover feature that was added to Exchange 2010 SP1 and newer, that allows Outlook to automatically add a delegated mailbox without additional tasks.

Autodiscover looks at the mailbox owner’s AD account for an attribute called the MSExchDelegateListLink attribute.

When you use the EAC or PowerShell to delegate permissions to a shared mailbox or to another user, Exchange will automatically set the Automapping feature to $True. In PowerShell you can disable this, but not in the EAC.

This feature populates the MSExchDelegateListLink attribute on the shared or delegated mailbox with the user accounts that will be Automapped, and vice-versa, it also populates the MSExchDelegateLinkListBL attribute on the user account. I look at this as the “back link” to the shared mailbox.

These two attributes are one of  nine (9) links and backlinks that exist. Here’s a list of all links and backlinks in AD and more specifics can be found at the following link:
http://www.neroblanco.co.uk/2015/07/links-and-backlinks-in-active-directory-for-exchange/

Outlook, Autodiscover, and those attributes

When Outlook fires up, and while running, part of what Autodiscover process performs is it will check these two attributes to determine if there are any shared mailboxes that must be automatically added to the Outlook profile. In some cases using a managed process for shared mailboxes, we may want this feature disabled so the shared mailbox does not get automatically added.

Orphaned backlink is still populated and the mailbox still shows up in Outlook

If the user was previously delegated to a shared mailbox, then the delegated per,missions were removed, but for some reason, perhaps replication or corruption, or some other unforeseen factor (large environments fall under this category), the shared mailbox still shows up and you can’t get rid of it, and further, since you no longer have permissions, you can’t open it. This will cause the shared or delegated mailbox to still show up in Outlook. But you can clearly see in EAC or running a get-mailboxpermission that the user is no longer delegated.

Example of an account with the msExchDelegateLinkListBL still populated:

 

How to remove it?

First, establish your PowerShell session to Exchange onprem or your Office 365 tenant. If unsure how, see this:
https://blogs.msmvps.com/acefekay/2017/05/11/establishing-a-powershell-session-to-your-office-365-tenant-or-onprem-exchange/

Determine, if any, links or backlinks exist on the shared mailbox:

Get-ADUser “SharedMailboxDisplayName” -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink

If any show up, you’ll see their sAMAccountNames. If you don’t know who the sAMAccountNames are and you want to see their displayNames, run the following (this command works for DNs, too):

For one account:
get-aduser sAMAccountName -Properties displayName,mail  | ft Name, DisplayName, mail -A

For a list of accounts in a text file:
get-content c:\temp\names.txt | get-aduser -Properties displayName,mail  | ft Name, DisplayName, mail –A

 

Then remove the msexchDelegateLinkListBL orphaned backlink:

Note: I’m using the shared mailbox’s displayName. This will also work using the sAMAaccountName or the primary email address.

For one account:
Remove-MailboxPermission “SharedMailboxDisplayName” -user $_ –AccessRights FullAccess -Confirm:$false

For a list of accounts in a text file:
get-content c:\temp\ace\userIDs\users.txt | foreach {Remove-MailboxPermission “SharedMailboxDisplayName”  -user $_ –AccessRights FullAccess -Confirm:$false}

Then if needed, delegate the shared mailbox again & disabling Automapping

Delegate Ace to a shared mailbox:
Add-MailboxPermission “Shared Mailbox Name or email address” -User AceFekay@contoso.com -AccessRights FullAccess -AutoMapping:$false

 

============================================================

Summary

I hope this helps!

Published 5/18/2017

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

 

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.