How to clear SIDHistory and keep mailbox permissions

The SIDHistory attribute of a user object stores old SIDs for that user (usually SIDs from other domains when the user is migrated).  Over time this attribute can accumulate many values (every time a user is migrated, the previous SID is added to the list), and we sometimes get requests to clear it.  There is a very old KB (295758) describing how to clear the attribute; however, doing so can have knock-on effects if you are using Exchange.

When mailbox permissions are set, the SID of the user is used to identify the delegate.  When the user migrates, the SID on the mailbox permissions no longer matches the delegate’s current SID; however, it does match one in SIDHistory, so everything still works.  When you delete SIDHistory, you remove the permissions for any delegates that are matched through that attribute.

I have written a set of scripts that can be used to store mailbox permissions and then clear the SIDHistory.  The mailbox permissions can then be applied back.  This turned out to be a fairly complicated process, though the end result is more or less straightforward.  I must reiterate at this point that use of these scripts is entirely at your own risk.

The process, step-by-step, is:

  1. Set up a client and install the EWS Managed API.
  2. Open a PowerShell session, and connect to Exchange Remote Management.
  3. Create a folder on the computer to which the mailbox permissions will be logged (c:\perms is assumed for the following steps).
  4. Run the following PowerShell script to log the permissions for all mailboxes:
     $m = Get-Mailbox
     $m | ForEach-Object {
         .\Get-FolderPermissions.ps1 $_.PrimarySmtpAddress -impersonate -PermLogFolder "c:\perms"
     }
     Note that this may take a long time to run.  Also note that if you have a large number of mailboxes, you may need to process them in batches (you can apply filters to Get-Mailbox; please see the examples on TechNet).  Get-Mailbox returns at most 1000 mailboxes by default, which can be overridden by passing -ResultSize Unlimited as a parameter.
  5. Once all the permissions have been saved, the SID History can be stored and then cleared (from all user accounts) by running the following PowerShell script:
     $m | ForEach-Object {
         .\Get-SIDHistory $_.Alias -LogFile "c:\perms\sidhistory.log" -reset
     }
  6. To restore the mailbox folder permissions (note that this is separate from delegate permissions):
     $m | ForEach-Object {
         .\Set-FolderPermissions.ps1 $_.PrimarySmtpAddress -impersonate -PermissionsFolder "c:\perms"
     }
  7. Finally, this will check and repair the mailbox delegate permissions:
     $m | ForEach-Object {
         .\Verify-MailboxPermission.ps1 $_.PrimarySmtpAddress -sIDHistoryLog "c:\perms\sidhistory.log" -PermissionsLogFolder "c:\perms"
     }

The required scripts are below.  The above assumes that you are logged in as an administrator and have been granted impersonation rights to all the mailboxes being processed.

All these scripts can take a long time to run if you are processing a large number of mailboxes.  As mentioned in point 4, it would be advisable to run them in batches.
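The author's scripts are not reproduced on this page.  As an added example (not the post's own code), the PowerShell below shows the core of step 5 done safely: it records every old SID against the account that now owns it, clears SIDHistory only for values already in that log, and maps an orphaned permission SID back to its account.  It assumes the ActiveDirectory module and Domain Admin rights, the c:\perms folder from the post, a CSV log layout of my own choosing, and that Get-MailboxFolderPermission reports unresolved entries as "NT User:<SID>".

```powershell
# Added example, not the post's scripts. Needs the ActiveDirectory module; c:\perms is the post's folder.
Import-Module ActiveDirectory

# Record every old SID -> current SID before anything is cleared, so a mailbox permission
# whose ACE only matches an old SID can still be mapped back to its owner afterwards.
function Export-SidHistoryMap {
    param([string]$LogFile = 'c:\perms\sidhistory.csv')   # assumed CSV layout: SamAccountName,CurrentSid,OldSid
    $rows = foreach ($u in Get-ADUser -Filter "SIDHistory -like '*'" -Properties SIDHistory) {
        foreach ($old in $u.SIDHistory) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                CurrentSid     = $u.SID.Value
                OldSid         = $old.Value
            }
        }
    }
    $rows | Export-Csv -Path $LogFile -NoTypeInformation -Encoding UTF8
    return $rows
}

# Remove SIDHistory values one at a time. Run with -WhatIf first; a value that is not already
# in the log is skipped, so the old-SID -> account mapping can never be lost by clearing.
function Clear-SidHistoryLogged {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$LogFile = 'c:\perms\sidhistory.csv')
    $logged = @{}
    Import-Csv $LogFile | ForEach-Object { $logged[$_.OldSid] = $_.SamAccountName }
    foreach ($u in Get-ADUser -Filter "SIDHistory -like '*'" -Properties SIDHistory) {
        foreach ($old in $u.SIDHistory) {
            if (-not $logged.ContainsKey($old.Value)) {
                Write-Warning "$($u.SamAccountName): $($old.Value) is not in the log, skipping"
                continue
            }
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, "remove SIDHistory value $($old.Value)")) {
                Set-ADUser -Identity $u -Remove @{ SIDHistory = $old.Value }
            }
        }
    }
}

# Map a SID found in a permission entry back to the account that now owns it. Assumption:
# orphaned folder permissions appear as 'NT User:S-1-5-...' in Get-MailboxFolderPermission output.
function Resolve-OldSid {
    param([string]$Sid, [string]$LogFile = 'c:\perms\sidhistory.csv')
    $plain = $Sid -replace '^NT User:', ''
    Import-Csv $LogFile | Where-Object { $_.OldSid -eq $plain -or $_.CurrentSid -eq $plain } |
        Select-Object -First 1 -ExpandProperty SamAccountName
}
```

Run Export-SidHistoryMap first, then Clear-SidHistoryLogged -WhatIf to review what would be removed before running it for real.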
