We recently had a case where there were invalid delegates on a mailbox and these were causing further issues (which aren't important with regards to this blog!).  Invalid delegates can come about when mailboxes and users are deleted from an organisation.  The reason for this is that delegate permissions are stored on the AD object/mailbox to which the delegate has permissions, and not on the delegate account.

To remove invalid delegates, I have written a PowerShell script that uses both PowerShell and EWS to process the mailbox.  It works be reading (and temporarily storing) existing delegates, and then deleting them.  Once the delegates have been removed, the valid delegates are added back to the mailbox.  The easiest way to run the script is from an Exchange Shell (so that the Exchange cmdlets are available).  If this isn't done, you'll need to supply the PowerShell URL to the script so that it can connect.  Parameters are as follows:

Reset-Delegates -Mailbox <string>
       [-ReportOnly <bool>]
                   [-Username <string> -Password <string> [-Domain <string>]]
                   [-Impersonate <bool>]
                   [-EwsUrl <string>]
                   [-IgnoreSSLCertificate <bool>]
                   [-EWSManagedApiPath <string>]

Required:
 -Mailbox : Mailbox SMTP email address

Optional:
 -ReportOnly : By default this it true, which means no changes will be applied to the mailbox
 -Username : Username for the account being used to connect to EWS (if not specified, current user is assumed)
 -Password : Password for the specified user (required if username specified)
 -Domain : If specified, used for authentication (not required even if username specified)
 -Impersonate : Set to $true to use impersonation.
 -EwsUrl : Forces a particular EWS URl (otherwise autodiscover is used, which is recommended)
 -PowerShellUrl : Forces a particular remote Powershell URL (otherwise you need to have imported the remote session into the current PowerShell session)
 -IgnoreSSLCertificate : If $true, then any SSL errors will be ignored
 -EWSManagedApiDLLFilePath : Full and path to the DLL for EWS Managed API (if not specified, default path for v1.2 is used)