Solved

Block Calendar Sharing/Viewing on Exchange 2010 and Outlook 2007

Posted on 2010-09-10
Last Modified: 2012-08-14
Dear Experts,

It has come to my attention that some users are viewing other users' calendars without their permission.

Now I have to secure all the VPs' and executives' calendars.

How do I prevent that from happening? I tried going to Calendar, Properties, Permissions and set it to None, but that did not work.

Is there a way to do it from the server itself, and just give rights to the users they choose?

I have Exchange 2010 and I am using Outlook 2007.

Thanks for all your help

WilsonJ
25 Comments
 
LVL 32

Expert Comment

by:endital1097
ID: 33647101
from outlook
tools - options- calendar options -free/busy options
set the default value to None
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33647108
you don't have a lot of options it is either

1. Permissions were given from where you specified
2. The user has full mailbox access to the other's mailbox
3. the user has the password of the other user
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33647129
you'll want to go into ad users and computers
tool - view advanced
go to the properties of a vp and the security tab
look for any account/group that has receive as permission
you'll want to remove anyone that doesn't belong
0
 
LVL 10

Expert Comment

by:dhruvarajp
ID: 33647177
if you are talking about accessing the calendar? then it would not happen they have shared themselves or admin has done for them

however if you are talking about availability info.. you know when you go to cal and create a meeting and see .. who all is available.. all see .. when someone is available or not.. this cannot be disabled
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33647227
I am trying to think along these lines. What do you think jim.

Get-mailbox -vpname |Remove-MailboxFolderPermission -User mail@domain.com

The issue is this will remove access for -vpname for mail@domain.com
and we need to cycle through the whole AD instead of doing it 1 by 1 using mail@domain.com
 
http://blogs.msdn.com/b/pepeedu/archive/2010/09/08/exchange-2010-adding-mailbox-calendar-permissions-using-powershell.aspx
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33647599
wilsonj - can you test my post above and see if it removes permission for mail@domain.com from -vpname calendar.
you can test it with your own account and then try to go to calendar of -vpname

thanks
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33647697
you need to know the access rights to remove, so i would run something like the following

# explicit (non-inherited) grants on the vp mailbox held by DOMAIN accounts
$perms = Get-MailboxPermission vp | where { $_.IsInherited -eq $false -and $_.User.ToString().Contains("DOMAIN\") }
# strip the "DOMAIN\" prefix (+1 skips the backslash itself), then remove FullAccess
foreach($p in $perms) { $user = $p.User.ToString().Substring($p.User.ToString().IndexOf("\") + 1); Remove-MailboxPermission vp -User $user -AccessRights FullAccess }

there may be an easier way, but i have not had time to test anything else
0
 

Author Comment

by:WilsonJ
ID: 33649447
Thank you for all your input.

I was doing further tests and found out that from my Outlook, when I go to My Calendar and click on "Open a Shared Calendar", I can open any user's calendar in the domain using my user ID, which has no admin rights. I don't think this is right; there must be a setting to stop sharing everybody's calendar.

endital1097: I tried changing the default value to None and it didn't work. On your second post, I checked all the permissions and none of the users or VPs belong to an admin group or have admin rights to each other.

Akhater: 1) Permissions were never given to any of those users accessing the VPs' calendars. 2) Users do not have full mailbox access to each other's mailboxes. 3) Users do not have or need passwords to view the calendars.

sunnyc7: I tried to run the script but I must be making a mistake because I am getting a syntax error. For argument's sake, and to make sure I am typing everything correctly, let's define:
Username = alpha and VP Username = beta, and mail@domain.com is the e-mail address of alpha, correct???
Here is the syntax you typed:
Get-mailbox -vpname |Remove-MailboxFolderPermission -User mail@domain.com
This is what I entered in the shell:
Get-mailbox -beta |Remove-MailboxFolderPermission -alpha a.lpha@company-name.us
Here is the error I am getting:

[PS] C:\Windows\system32>Get-mailbox beta |Remove-MailboxFolderPermission -alpha a.lpha@company-name.us
A positional parameter cannot be found that accepts argument 'a.lpha@company-name.us'.
    + CategoryInfo          : InvalidArgument: (:) [Remove-MailboxFolderPermission], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Remove-MailboxFolderPermission
 
 
Thanks for all your help
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33649468
vp = alpha
user who should not be watching VP = beta - email address beta@domain.com

Get-mailbox -alpha |Remove-MailboxFolderPermission -user beta@domain.com
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33649479
"I was doing further tests and found out that from my Outlook, when I go to My Calendar and click on "Open a Shared Calendar", I can open any user's calendar in the domain using my user ID, which has no admin rights. I don't think this is right; there must be a setting to stop sharing everybody's calendar."

by default no one can open calendars unless explicit right was given; something is wrong with your permissions
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33649481
i got something else

ForEach($f in (Get-Mailbox) ) { $fname = "vp:\Calendar";
Remove-MailboxFolderPermission $fname -User $f }
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33649492
you may want to run it with the -ErrorAction SilentlyContinue

ForEach($f in (Get-Mailbox) ) { $fname = "vp:\Calendar"; Remove-MailboxFolderPermission $fname -User $f -ErrorAction SilentlyContinue }
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33649500
yeah i was thinking about that and was tied-up with this one >>

> get-mailbox will output VP's mailbox too. Will that disable access to vp's calendar to the VP ?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33649525
no, the mapi folder permissions don't apply to mailbox owner
0
 

Author Comment

by:WilsonJ
ID: 33649955
sunnyc7:
I tried running the new command and got the following error.
[PS] C:\Windows\system32>Get-mailbox -alpha |Remove-MailboxFolderPermission -user b.eta@company-name.us
The operation couldn't be performed because object '-alpha' couldn't be found on 'DC.domain.com'.
    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 6C517B40,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
I don't understand why it says it cannot find the user in the DC; they are all there. What am I doing wrong? I'm typing it exactly as I should. :(
endital1097:
I ran this line below and it executed fine, using my user against another domain user, and I can still view their calendar when I go to Open Shared Calendar.
ForEach($f in (Get-Mailbox) ) { $fname = "vp:\Calendar"; Remove-MailboxFolderPermission $fname -User $f -ErrorAction SilentlyContinue }
Thanks
 
0
 

Author Comment

by:WilsonJ
ID: 33649988
Akhater,
I don't know what else to check as far as permissions; no one has access to anybody's mailbox, and none of the users in question are part of an admin group or have explicit rights to other users.
:(
Any ideas??
Thanks
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 500 total points
ID: 33649992
run the following
get-mailboxpermission otheruser | where { $_.isinherited -eq $false }

do you belong to any groups listed with fullaccess?
0
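
Added example, not part of any poster's reply: a read-only audit, for the Exchange 2010 Management Shell, of the two layers this thread checks, explicit mailbox-level FullAccess (the accepted answer's query) and the calendar folder's own MAPI permissions. The aliases vp1/vp2, DOMAIN\someuser and the English folder name Calendar are assumptions to replace with real values.

```powershell
# Added example: audit who can open executive calendars.
# ASSUMPTIONS: 'vp1','vp2' are placeholder aliases; the calendar folder is
# named "Calendar" (English-language mailbox).
$executives = 'vp1', 'vp2'

$findings = foreach ($alias in $executives) {

    # Layer 1: explicit (non-inherited) mailbox grants, as in the accepted answer.
    # FullAccess lets the grantee open every folder, calendar included,
    # whatever the folder-level permissions say.
    Get-MailboxPermission -Identity $alias |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
            "$($_.AccessRights)" -match 'FullAccess'
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $alias; Layer = 'Mailbox'
                Grantee = $_.User.ToString(); Rights = "$($_.AccessRights)"
            }
        }

    # Layer 2: MAPI folder permissions on the calendar itself. Report every
    # entry that grants more than None or free/busy (AvailabilityOnly).
    Get-MailboxFolderPermission -Identity "${alias}:\Calendar" |
        Where-Object { "$($_.AccessRights)" -notmatch '^(None|AvailabilityOnly)$' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $alias; Layer = 'CalendarFolder'
                Grantee = "$($_.User)"; Rights = "$($_.AccessRights)"
            }
        }
}

$findings | Sort-Object Mailbox, Layer |
    Format-Table Mailbox, Layer, Grantee, Rights -AutoSize

# Remediation once a finding is confirmed as unwanted (placeholders, commented out).
# Folder cmdlets take -Identity "mailbox:\folder" directly.
# Remove-MailboxPermission -Identity 'vp1' -User 'DOMAIN\someuser' -AccessRights FullAccess
# Remove-MailboxFolderPermission -Identity 'vp1:\Calendar' -User 'someuser'
# Set-MailboxFolderPermission -Identity 'vp1:\Calendar' -User Default -AccessRights AvailabilityOnly
```

An empty result for a mailbox means neither layer grants anyone but the owner more than free/busy; inherited grants are outside what this script reports.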
 

Author Comment

by:WilsonJ
ID: 33650229
endital1097:
Wow i think i have given myself full rights in the past. i tested with another user and it seems to be blocked. I have to try with the actual users in question but will have to wait until later to make sure they are blocked as well.
Here are the results when i ran that command.

[PS] C:\Windows\system32>get-mailboxpermission User | where { $_.isinherited -eq $false }
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
zzzzz.com/zzzzz/A... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False

[PS] C:\Windows\system32>get-mailboxpermission VP | where { $_.isinherited -eq $false }
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
rwusa.com/zzzzz/A... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
zzzzz.com/zzzzz/A... zzzzz\administrator  {FullAccess}                                                False       False
zzzzz.com/zzzzz/A... zzzzz\username        {FullAccess}                                                False       False

[PS] C:\Windows\system32>get-mailboxpermission username   | where { $_.isinherited -eq $false }
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
rwusa.com/zzzzz/W... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
zzzzz.com/zzzzz/W... zzzzz\administrator  {FullAccess}                                                False       False
zzzzz.com/zzzzz/W... zzzzz\username     {FullAccess}                                                False       False

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33650243
let us know if you need anything more
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33662260
Thanks for the points wilsonJ > but I think endital deserves 100% of the credit on this one.
0
 

Author Comment

by:WilsonJ
ID: 33662514
How do I change it? Do I have to ask a moderator?
 
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33662560
From your end - you should be able to allocate endital's post as the answer and uncheck mine.
Otherwise - click on request attention link on top.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33662580
thanks everyone :)
0
 

Author Closing Comment

by:WilsonJ
ID: 33781790
Sorry for the delay, it completely skipped my mind; I thought I had already re-assigned the points.
Thanks a lot.
0
