outlook calendar permissions

Theodosios
Theodosios used Ask the Experts™
on
Hi All,

Got a problem in our Exchange 2003 SBS environment.  Everyone's Outlook Calendars are wide open and anyone logged into the Domain can add/modify entries.

Where are these permissions set?  I need to lock them down asap.

Thanks,

Theo
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
Permissions are set in one of two places.
For permissions to just the calendar, that can only be set through Outlook and there is no way to set it on the server so that everyone has access to all of the calendars.

On the server, the only permission that can be set is to the entire mailbox, so I would check to see whether that is actually what people can do - open any other user's mailbox. I suspect that is what is happening.

You need to check what groups and users have been granted either Send As and Receive As (set on the Security tab in ADUC - if you do not see it then choose View, Advanced Features) or Full Mailbox Access.
Those are the ONLY permissions that grant full access to the mailbox.
However do not start randomly removing all the permissions. For example if you find that "Everyone" (as in the object called Everyone) has one of those permissions, do not simply remove Everyone from the list, as that will break Exchange. You need to look to find where that permission is being inherited from.

Also do not confuse AD permissions with mailbox permissions. For example, Read, Write and Full Control do not grant users access to the mailbox, those are permissions on the AD object - the user account.

It could be that that the permissions have been granted to something like Domain Admins or Administrators, then all users added to that group, so you have to go through the permissions on the server very carefully. It is not something to be done in a rush and if you are not sure, do not touch. Removing permissions that you are not sure about can easily break Exchange.

Simon.

Author

Commented:
Thanks Simon,

Do the same rules apply to viewing other e-mail, tasks as well?

Also, when I look at the security tab of mail server properties in the Exchange Manager, do the users listed there have the same bearing on all of this?

Thanks,

Theo

Author

Commented:
One more thing...do nay of these permissions modification require restarting Exchange?  They don't seem to be taking effect.

Thanks,

Theo
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
Exchange caches permissions for up to two hours. Therefore if you have found the permission and removed it, it can still be active for that time. The only way to flush the cache is to restart the information store service and system attendant, which will of course kick everyone out of email.

There are various places that the permissions can be set. The most common is on the security tab of the server in ESM. Be very careful about removing permissions - I cannot stress that enough. I have seen too many people lock themselves out of Exchange either because of this problem or because they think Exchange needs to be "secured".

Simon.
Expert of the Quarter 2009
Expert of the Year 2009
Commented:
If you want to see the mess that removing the wrong permissions can cause, check this live question (At the time of writing).

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24584723.html

Almost certainly the OP has the same problem that you have, but has removed the wrong permission set.

Simon.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial