Block Calendar Sharing/Viewing on Exchange 2010 and Outlook 2007

Dear Experts,

It has come to my attention that some users are viewing other users' calendars without their permission.

Now I have to secure all the VPs' and Executives' calendars.

How do I prevent that from happening? I tried going to Calendar, Properties, Permission and set it to None, but that did not work.

Is there a choice to do it from the server itself, and just give rights to the users they choose?

I have Exchange 2010 and I am using Outlook 2007.

Thanks for all your help

WilsonJ
endital1097

From Outlook:
Tools - Options - Calendar Options - Free/Busy Options
Set the default value to None
Akhater
You don't have a lot of options; it is either:

1. Permissions were given from where you specified
2. The user has full mailbox access to the other's mailbox
3. The user has the password of the other user

You'll want to go into AD Users and Computers:
Tools - View - Advanced
Go to the properties of a VP and the Security tab
Look for any account/group that has the Receive As permission
You'll want to remove anyone that doesn't belong

If you are talking about accessing the calendar, then it would not happen; they have shared it themselves or an admin has done it for them.

However, if you are talking about availability info (you know, when you go to the calendar and create a meeting and see who is available, everyone sees when someone is available or not), this cannot be disabled.
I am trying to think along these lines. What do you think, Jim?

Get-mailbox -vpname |Remove-MailboxFolderPermission -User mail@domain.com

The issue is this will remove access for -vpname for mail@domain.com
and we need to cycle through the whole AD instead of doing it 1 by 1 using mail@domain.com
 
http://blogs.msdn.com/b/pepeedu/archive/2010/09/08/exchange-2010-adding-mailbox-calendar-permissions-using-powershell.aspx
wilsonj - can you test my post above and see if it removes permission for mail@domain.com from -vpname calendar.
you can test it with your own account and then try to go to calendar of -vpname

thanks
You need to know the access rights to remove, so I would run something like the following:

$perms = Get-MailboxPermission -Identity vp | Where-Object { $_.IsInherited -eq $false -and $_.User.ToString().Contains("DOMAIN\") }
# Pass the full DOMAIN\user value; cutting it at the backslash would leave "\user", which does not resolve to an account
foreach ($p in $perms) { Remove-MailboxPermission -Identity vp -User $p.User.ToString() -AccessRights FullAccess }

There may be an easier way, but I have not had time to test anything else.
WilsonJ

ASKER

Thank you for all your input,
I was doing further tests and found out that from my Outlook, when I go to My Calendar, if I click on "Open a Shared Calendar" I can open any user's calendar in the domain using my user ID, which has no admin rights. I don't think this is right; there must be a setting to stop sharing everybody's calendar.
endital1097: I tried changing the default value to None and it didn't work. On your second post, I checked all the permissions and none of the users or VPs belong to an admin group or have admin rights to each other.
Akhater: 1) Permissions were never given to any of those users accessing the VPs' calendars. 2) Users do not have full mailbox access to each other's mailboxes. 3) Users do not have or need passwords to view the calendars.
sunnyc7: I tried to run the script but I must be making a mistake because I am getting a syntax error. For argument's sake, and to make sure I am typing everything correctly, let's define:
Username = alpha and VP Username = beta, and mail@domain.com is the e-mail address of alpha, correct?
Here is the syntax you typed:
Get-mailbox -vpname |Remove-MailboxFolderPermission -User mail@domain.com
This is what I entered in the shell:
Get-mailbox -beta |Remove-MailboxFolderPermission -alpha a.lpha@company-name.us
Here is the error I am getting:

[PS] C:\Windows\system32>Get-mailbox beta |Remove-MailboxFolderPermission -alpha a.lpha@company-name.us
A positional parameter cannot be found that accepts argument 'a.lpha@company-name.us'.
    + CategoryInfo          : InvalidArgument: (:) [Remove-MailboxFolderPermission], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Remove-MailboxFolderPermission
 
 
Thanks for all your help
vp = alpha
user who should not be watching VP = beta - email address beta@domain.com

Get-mailbox -alpha |Remove-MailboxFolderPermission -user beta@domain.com
"i was doing further test and find out that from my Outlook when i go to My Calendar if i click on "Open a Shared Calendar" I can open any user calendar in the domain using my user id which has no admin rights, i dont think this is right there most be a setting to stop sharing everybodies calendar."

By default no one can open calendars unless explicit right was given; something is wrong with your permissions.
I got something else:

ForEach ($f in (Get-Mailbox)) { $fname = "vp:\Calendar";
Remove-MailboxFolderPermission -Identity $fname -User $f }
You may want to run it with the -ErrorAction SilentlyContinue:

ForEach ($f in (Get-Mailbox)) { $fname = "vp:\Calendar"; Remove-MailboxFolderPermission -Identity $fname -User $f -ErrorAction SilentlyContinue }
yeah i was thinking about that and was tied-up with this one >>

> get-mailbox will output VP's mailbox too. Will that disable access to vp's calendar to the VP ?
no, the mapi folder permissions don't apply to mailbox owner
WilsonJ

ASKER

sunnyc7:
I tried running the new command and got the following error.
[PS] C:\Windows\system32>Get-mailbox -alpha |Remove-MailboxFolderPermission -user b.eta@company-name.us
The operation couldn't be performed because object '-alpha' couldn't be found on 'DC.domain.com'.
    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 6C517B40,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
I don't understand why it says it cannot find the user in the DC; they are all there. What am I doing wrong? I'm typing it exactly as I should. :(
endital1097:
I ran this line below and it executed fine, using my user against another domain user, and I can still view their calendar when I go to Open Shared Calendar.
ForEach ($f in (Get-Mailbox)) { $fname = "vp:\Calendar"; Remove-MailboxFolderPermission -Identity $fname -User $f -ErrorAction SilentlyContinue }
Thanks
 
WilsonJ

ASKER

Akhater,
I don't know what else to check as far as permissions; no one has access to anybody's mailbox, and none of the users in question are part of an admin group or have explicit rights to other users.
:(
Any ideas??
Thanks
ASKER CERTIFIED SOLUTION
endital1097
WilsonJ

ASKER

endital1097:
Wow, I think I have given myself full rights in the past. I tested with another user and it seems to be blocked. I have to try with the actual users in question but will have to wait until later to make sure they are blocked as well.
Here are the results when I ran that command.

[PS] C:\Windows\system32>get-mailboxpermission User | where { $_.isinherited -eq $false }
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
zzzzz.com/zzzzz/A... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False

[PS] C:\Windows\system32>get-mailboxpermission VP | where { $_.isinherited -eq $false }
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
rwusa.com/zzzzz/A... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
zzzzz.com/zzzzz/A... zzzzz\administrator  {FullAccess}                                                False       False
zzzzz.com/zzzzz/A... zzzzz\username        {FullAccess}                                                False       False

[PS] C:\Windows\system32>get-mailboxpermission username   | where { $_.isinherited -eq $false }
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
rwusa.com/zzzzz/W... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
zzzzz.com/zzzzz/W... zzzzz\administrator  {FullAccess}                                                False       False
zzzzz.com/zzzzz/W... zzzzz\username     {FullAccess}                                                False       False
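
The check that surfaced the problem above, extended into a repeatable audit (an added example, not code posted by anyone in this thread). It lists explicit mailbox-level grants alongside calendar folder entries, since a FullAccess grant on the mailbox lets the grantee open the calendar even when the folder permission is None. The aliases in `$Executives` and the function name `Get-CalendarExposure` are hypothetical, and the folder name `Calendar` assumes English-language mailboxes.

```powershell
# Added example: report who can reach a set of executive calendars.
# Run from the Exchange Management Shell. Read-only; nothing is changed.
# $Executives holds hypothetical aliases; replace with real mailbox identities.
$Executives = 'vp1', 'vp2'

function Get-CalendarExposure {
    param([string[]]$Mailbox)

    foreach ($id in $Mailbox) {
        # 1. Explicit (non-inherited) mailbox-level grants, owner excluded.
        #    FullAccess here bypasses any folder-level "None" on the calendar.
        Get-MailboxPermission -Identity $id |
            Where-Object { $_.IsInherited -eq $false -and "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox = $id
                    Scope   = 'Mailbox'
                    User    = "$($_.User)"
                    Rights  = "$($_.AccessRights)"
                }
            }

        # 2. Folder-level entries on the calendar, including Default and Anonymous.
        #    Assumes the folder is named "Calendar" (assumption, see lead-in).
        Get-MailboxFolderPermission -Identity "${id}:\Calendar" |
            Where-Object { "$($_.AccessRights)" -ne 'None' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox = $id
                    Scope   = 'Calendar'
                    User    = "$($_.User)"
                    Rights  = "$($_.AccessRights)"
                }
            }
    }
}

# One row per grant; an empty result for a mailbox means only the owner has access.
Get-CalendarExposure -Mailbox $Executives |
    Sort-Object Mailbox, Scope, User |
    Format-Table Mailbox, Scope, User, Rights -AutoSize
```

Any `Mailbox`-scope row other than an expected service or delegate account is the kind of grant WilsonJ found on his own user; review those before touching folder permissions.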

let us know if you need anything more
Thanks for the points wilsonJ > but I think endital deserves 100% of the credit on this one.
WilsonJ

ASKER

How do I change it? Do I have to ask a moderator?
 
From your end - you should be able to allocate endital's post as the answer and uncheck mine.
Otherwise - click on request attention link on top.
thanks everyone :)
WilsonJ

ASKER

Sorry for the delay, it completely slipped my mind; I thought I had already re-assigned the points.
Thanks a lot.