A customer did a migration from Exchange 2007 to Exchange 2013 quite a while ago. When they try to open some random mailboxes in ECP, they get a 500 Unexpected Error :(. Many mailboxes work fine, and managing the mailboxes with the Exchange Shell also works fine. The customer has 2 DAG servers and 2 CAS servers, with the latest CU7.
A newly created mailbox never gets this error. So what's wrong here?
When I looked in the Application log on the mailbox server hosting a mailbox I tried to manage, the following error appeared:
Multiple object with SID S-1-5-32-548 were found.
I know that this SID maps to BUILTIN\Administrators, so I executed this PS command against a non-working and a working mailbox and looked at the differences:
Get-ADPermission -Identity 'name.of.mailbox' | fl
It turned out that all the affected mailboxes had an explicit {ExtendedRight} (Send-As) permission set for BUILTIN\Administrators. This permission is also inherited from the top of the domain. I guess this permission was set a long time ago.
I then listed all mailboxes that had this permission set and removed it with this one-liner (NB! You could try with one user first :) ):
Get-Mailbox -ResultSize Unlimited | Get-ADPermission | where { ($_.IsInherited -eq $false) -and ($_.User -like "BUILTIN\Administrators") } | Remove-ADPermission -Confirm:$false
And voila, admins can now use ECP to modify the mailboxes again.
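As an added example (not part of the original post), the same cleanup can be staged from the Exchange Management Shell: export the explicit Send-As entries for review, then do a dry run with -WhatIf before removing anything. The principal name is taken from the post; the variable names and the report path are assumptions.

```powershell
# Added example: audit first, then remove. Run in the Exchange Management Shell.
# Assumptions: $Principal matches the account named in the post; $ReportPath is
# a hypothetical location for the review file.
$Principal  = 'BUILTIN\Administrators'
$ReportPath = Join-Path $env:TEMP 'explicit-sendas-aces.csv'

# Collect every explicit (non-inherited) Send-As ACE granted to the principal.
# @() guarantees an array, so an empty result pipes nothing further down.
$aces = @(
    Get-Mailbox -ResultSize Unlimited |
        Get-ADPermission |
        Where-Object {
            -not $_.IsInherited -and
            "$($_.User)" -eq $Principal -and
            ($_.ExtendedRights -like 'Send-As')
        }
)

# Keep a record of what is about to change so it can be reviewed later.
$aces |
    Select-Object Identity, User,
        @{ Name = 'ExtendedRights'; Expression = { $_.ExtendedRights -join ';' } },
        IsInherited, Deny |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

Write-Host ("{0} explicit Send-As ACE(s) found; report written to {1}" -f $aces.Count, $ReportPath)

# Dry run: lists what would be removed without changing any ACL.
$aces | Remove-ADPermission -WhatIf

# After reviewing the report, remove for real (prompts once per ACE):
# $aces | Remove-ADPermission
```

Unlike the one-liner, this filter also requires the Send-As extended right, so other explicit entries for the same account are left in place.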