Send-As and FullAccess Permissions Post Domain Migration

Having just migrated over 5k accounts from one domain to another, I began to have issues removing Send-As and FullAccess permissions in either the EMS or the EMC (PowerShell under the hood either way). The specific error I received was "Cannot remove ACE on object [mailbox name] because it is not present." After doing a little research I found that the mechanism PowerShell uses under the hood resolves the user's new SID only and does not attempt to pass along anything from SIDHistory.

The Scenario

  1. Both User1 and User2 are in the ad.contoso.com domain.
  2. User1 is granted FullAccess permission to User2's mailbox.
  3. Both User1 and User2 are migrated to the contoso.com domain.
  4. You attempt to remove User1's FullAccess permission from User2's mailbox.
  5. You receive the error "Cannot remove ACE on object User2 because it is not present."

To remove the permission you first need to track down User1's ad.contoso.com SID. You can find it in the SIDHistory attribute. If your user has multiple SIDs in SIDHistory, pick the one whose domain SID prefix matches the domain the user was in when the permissions were applied (ad.contoso.com in the scenario above).

Once you have the SID from SIDHistory you can then pass it to either Remove-MailboxPermission or Remove-ADPermission to remove the unwanted permissions. Note that Remove-MailboxPermission is used when removing FullAccess permissions and Remove-ADPermission is used when removing Send-As permissions.
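Putting the steps above together, as an added example (not part of the original post): it assumes the ActiveDirectory module and the Exchange Management Shell cmdlets are loaded, uses the User1/User2/ad.contoso.com names from the scenario, and the `$grantee`, `$mailbox` and `$oldSid` variables are mine.

```powershell
# Added example: remove a stale FullAccess / Send-As ACE that was granted under
# the grantee's pre-migration SID. Assumes the ActiveDirectory module and the
# Exchange Management Shell cmdlets are available; names follow the scenario above.
Import-Module ActiveDirectory

$grantee   = 'User1'           # user who holds the permission
$mailbox   = 'User2'           # mailbox the permission was granted on
$oldDomain = 'ad.contoso.com'  # domain both users were in when the ACE was set

# Domain SID of the old domain; used to pick the right SIDHistory entry when
# the user has more than one.
$oldDomainSid = (Get-ADDomain -Identity $oldDomain).DomainSID.Value

# SIDHistory is a collection of SecurityIdentifier objects; keep only the one(s)
# issued by the old domain.
$sidHistory = (Get-ADUser -Identity $grantee -Properties SIDHistory).SIDHistory
$oldSid = @($sidHistory | Where-Object { $_.AccountDomainSid.Value -eq $oldDomainSid })

if ($oldSid.Count -eq 0) {
    throw "No SIDHistory entry from $oldDomain found for $grantee; nothing to remove."
}
if ($oldSid.Count -gt 1) {
    throw "Multiple SIDHistory entries from $oldDomain for $grantee; choose one manually."
}
$historicalSid = $oldSid[0].Value   # string form, e.g. S-1-5-21-...-1234

# FullAccess is a mailbox permission: pass the historical SID as -User.
Remove-MailboxPermission -Identity $mailbox -User $historicalSid `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false

# Send-As is an AD extended right on the mailbox object: use Remove-ADPermission.
Remove-ADPermission -Identity $mailbox -User $historicalSid `
    -ExtendedRights 'Send-As' -Confirm:$false

# Verify: no output from either query means no ACE for the old SID remains.
Get-MailboxPermission -Identity $mailbox -User $historicalSid
Get-ADPermission -Identity $mailbox -User $historicalSid
```

Run the two `Get-*` verification lines before the removals as well if you want a record of exactly which ACEs were present under the old SID.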