Remove full access permissions of all disabled users on shared mailboxes with exchange management shell

Question

I’m looking for a powershell exchange script to remove Full access permissions of all disabled users on all shared mailboxes in a specific OU.

This is what I got so far

Remove-MailboxPermission -Identity Sharedmailbox -AccessRights Fullaccess -InheritanceType all -user DisabledUser -Confirm:$false | where {$_.UseraccountControl -like "*accountdisabled*"}

Its seems to work but I’m not sure about the last piece of het script if it will check for “accountdisabled”

Then I created a variable so it will check only one specific OU

$ou = Get-ADUser -SearchBase "OU=Functional Mailboxes,OU=Generalaccounts,DC=DOMAIN,DC=COM" -Filter * foreach ($user in $ou)

Remove-MailboxPermission -Identity "$ou" -AccessRights Fullaccess -InheritanceType all -Confirm:$false | where {$_.UseraccountControl -like "*accountdisabled*"}

The script is checking the right OU but I'm still looking for the last part where it will automatically remove full access permissions of the disabled users ONLY.

Can someone show me the way?

Answer 1

Instead of trying to screen for disabled users after removing the mailbox permissions (which is what your Remove-MailboxPermission ... | Where-Object ... appears to be intended to do - except that the way you wrote it, it's only checking for disabled state after removing the permissions), try selecting for the disabled accounts first, then passing only the disabled accounts to Remove-MailboxPermission:

Get-ADUser -SearchBase ... -filter {Enabled -eq $false} | Remove-Mailbox ...

(replacing ... with the appropriate SearchBase or parameters for Remove-Mailbox, using $_ for the identity of the ADUser whose mailbox permissions you're removing.)