So I had to go through and remove some legacy permissions from Exchange. These can be added at multiple levels, so it's always a diagnostic trail to find where they were added. Go through each of these, and if IsInherited is set to False you've found where it's being applied from:
1) Get-MailboxPermission domain\user
2) Get-MailboxDatabase | Get-ADPermission -user domain\user
3) Get-ExchangeServer | Get-ADPermission -user domain\user
4) Get-OrganizationConfig | Get-ADPermission -user domain\user
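The four checks above can be run in one pass. This is an added example, not part of the original post: a read-only audit for the Exchange Management Shell that lists only the entries where IsInherited is False. The $User default is a placeholder, and scanning every mailbox at level 1 is an assumption that goes beyond the single-mailbox check in step 1.

```powershell
# Added example: read-only audit, makes no changes.
# $User is a placeholder for the account whose legacy permissions are being traced.
param(
    [string]$User = 'domain\user'
)

# Levels 2-4 from the list above. Each scriptblock returns the objects whose ACLs are checked.
$adLevels = [ordered]@{
    'MailboxDatabase'    = { Get-MailboxDatabase }
    'ExchangeServer'     = { Get-ExchangeServer }
    'OrganizationConfig' = { Get-OrganizationConfig }
}

$findings = @(
    # Level 1: mailbox permissions.
    # Assumption: scan all mailboxes for entries granted to $User.
    Get-Mailbox -ResultSize Unlimited |
        Get-MailboxPermission -User $User |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Level'; e = { 'Mailbox' } },
                      Identity, User, AccessRights, Deny, IsInherited

    # Levels 2-4: AD permissions on the database, server and organization objects.
    foreach ($level in $adLevels.Keys) {
        & $adLevels[$level] |
            Get-ADPermission -User $User |
            Where-Object { -not $_.IsInherited } |
            Select-Object @{ n = 'Level'; e = { $level } },
                          Identity, User, AccessRights, ExtendedRights, Deny, IsInherited
    }
)

if ($findings.Count -eq 0) {
    Write-Output "No explicit (IsInherited = False) entries found for $User."
}
else {
    # Each row is a place where the permission was set directly, not inherited.
    $findings | Format-Table Level, Identity, AccessRights, Deny -AutoSize -Wrap
}
```

Each row in the output names the level and object where the entry was set directly, which is the level to target in the removal step.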
Remove the permissions per level with:
(Get-MailboxDatabase / Get-ExchangeServer / Get-OrganizationConfig) | Remove-ADPermission -user domain\username -AccessRights GenericAll
Choose one of the three cmdlets in the parentheses, depending on where the permissions are inherited from.
Some of the permissions were also added from AD.
Open up ADSI Edit and navigate to these:
In “Domain NC” OU=Microsoft Exchange Security Groups,DC=mydomain,DC=com
In “Domain NC” CN=Microsoft Exchange System Objects
In “Configuration Container” CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com
Make sure the user is not in any of these.