PowerShell: Remove invalid delegates from mailboxes

We recently had a case where there were invalid delegates on a mailbox and these were causing further issues (which aren't important with regards to this blog!).  Invalid delegates can come about when mailboxes and users are deleted from an organisation.  The reason for this is that delegate permissions are stored on the AD object/mailbox to which the delegate has permissions, and not on the delegate account.

To remove invalid delegates, I have written a PowerShell script that uses both PowerShell and EWS to process the mailbox.  It works be reading (and temporarily storing) existing delegates, and then deleting them.  Once the delegates have been removed, the valid delegates are added back to the mailbox.  The easiest way to run the script is from an Exchange Shell (so that the Exchange cmdlets are available).  If this isn't done, you'll need to supply the PowerShell URL to the script so that it can connect.  Parameters are as follows:

Reset-Delegates -Mailbox <string>
       [-ReportOnly <bool>]
                   [-Username <string> -Password <string> [-Domain <string>]]
                   [-Impersonate <bool>]
                   [-EwsUrl <string>]
                   [-IgnoreSSLCertificate <bool>]
                   [-EWSManagedApiPath <string>]

 -Mailbox : Mailbox SMTP email address

 -ReportOnly : By default this it true, which means no changes will be applied to the mailbox
 -Username : Username for the account being used to connect to EWS (if not specified, current user is assumed)
 -Password : Password for the specified user (required if username specified)
 -Domain : If specified, used for authentication (not required even if username specified)
 -Impersonate : Set to $true to use impersonation.
 -EwsUrl : Forces a particular EWS URl (otherwise autodiscover is used, which is recommended)
 -PowerShellUrl : Forces a particular remote Powershell URL (otherwise you need to have imported the remote session into the current PowerShell session)
 -IgnoreSSLCertificate : If $true, then any SSL errors will be ignored
 -EWSManagedApiDLLFilePath : Full and path to the DLL for EWS Managed API (if not specified, default path for v1.2 is used)


Comments (4)

  1. pamarths says:

    Hi Dave, Thanks for the script. I have a few questions about the script.

    Why are you removing all delegates and adding the valid once again? Will it preserve all the custom settings given a particular valid delegate? Also I see that you are not using RemoveDelegate method in EWS(msdn.microsoft.com/…/dd633632%28v=exchg.80%29.aspx) for removing the delegates rather trying to do it from some low level calls. Any particular reason why RemoveDelegates method is not suited for this case?

  2. In the case that this script was developed for, an error was produced when Outlook or EWS was used to remove delegates – this is why the properties are stripped directly. Usually there would be no problem with invalid delegates as Outlook and EWS will handle them (simply reporting that it is invalid), so there would normally be no need for this script.

  3. Jack Roberts says:

    Have you possibly re-written this script for Outlook 2013 on Exchange 365?

  4. None says:

    Best I can tell, Microsoft has pulled EWS. It cannot be downloaded from Microsoft any more. Is there another way to accomplish this without EWS?

Skip to main content