@bill-long
Created June 3, 2020 16:02
# Remove-SelfPermission.ps1
param($alias)
# Look the mailbox user up by alias (mailNickname) in a global catalog of the current forest.
$searcher = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog().GetDirectorySearcher()
$searcher.Filter = "(mailnickname=$alias)"
$user = $searcher.FindOne()
if ($null -eq $user)
{
    Write-Host "User not found."
    return
}
Write-Host "Removing SELF on $($user.Path)"
# Read the binary mailbox security descriptor and convert it to SDDL text.
$mbxSd = $user.Properties["msExchMailboxSecurityDescriptor"][0]
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$mbxSd, 0)
$sddl = $sd.GetSddlForm("All")
Write-Host "Before:"
Write-Host $sddl
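# Remove only allow ACEs whose trustee is PS (Principal Self). [^()]* keeps each
# match inside a single ACE, so neighbouring ACEs are left intact.
$newSddl = $sddl -replace "\(A;[^()]*;PS\)", ""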
Write-Host "After:"
Write-Host $newSddl
# Rebuild the descriptor from the edited SDDL and write it back over LDAP.
$newSd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $newSddl
$user = [ADSI]("LDAP://" + ($user.Properties["distinguishedName"][0]))
$user.Properties["msExchMailboxSecurityDescriptor"].Clear()
[byte[]]$mbxSdBytes = [System.Array]::CreateInstance([System.Byte], $newSd.BinaryLength)
$newSd.GetBinaryForm($mbxSdBytes, 0)
$user.Properties["msExchMailboxSecurityDescriptor"].Add($mbxSdBytes) | Out-Null
$user.CommitChanges()
Write-Host "Done!"