Solved

Block Calendar Sharing/Viewing on Exchange 2010 and Outlook 2007

Posted on 2010-09-10
Last Modified: 2012-08-14
Dear Experts,

It has come to my attention that some users are viewing other users' calendars without their permission.

Now I have to secure all the VPs' and Executives' calendars.

How do I prevent that from happening? I tried going to Calendar, Properties, Permission and set it to None, but that did not work.

Is there a choice to do it from the server itself, and just give rights to the users they choose to?

I have Exchange 2010 and I am using Outlook 2007.

Thanks for all your help

WilsonJ
 
LVL 32

Expert Comment

by:endital1097
From Outlook:
Tools - Options - Calendar Options - Free/Busy Options
Set the default value to None.
0
 
LVL 49

Expert Comment

by:Akhater
You don't have a lot of options; it is either:

1. Permissions were given from where you specified
2. The user has full mailbox access to the other's mailbox
3. The user has the password of the other user
0
 
LVL 32

Expert Comment

by:endital1097
You'll want to go into AD Users and Computers.
Tool - View Advanced
Go to the properties of a VP and the Security tab.
Look for any account/group that has Receive As permission.
You'll want to remove anyone that doesn't belong.
0
 
LVL 10

Expert Comment

by:dhruvarajp
If you are talking about accessing the calendar, then it would not happen unless they have shared it themselves or an admin has done it for them.

However, if you are talking about availability info (you know, when you go to the calendar and create a meeting and see who is available; everyone sees when someone is available or not), this cannot be disabled.
0
 
LVL 28

Expert Comment

by:sunnyc7
I am trying to think along these lines. What do you think, Jim?

Get-mailbox -vpname |Remove-MailboxFolderPermission -User mail@domain.com

The issue is this will remove access for -vpname for mail@domain.com
and we need to cycle through the whole AD instead of doing it 1 by 1 using mail@domain.com
 
http://blogs.msdn.com/b/pepeedu/archive/2010/09/08/exchange-2010-adding-mailbox-calendar-permissions-using-powershell.aspx
0
 
LVL 28

Expert Comment

by:sunnyc7
WilsonJ - can you test my post above and see if it removes permission for mail@domain.com from -vpname's calendar?
You can test it with your own account and then try to go to the calendar of -vpname.

Thanks
0
 
LVL 32

Expert Comment

by:endital1097
You need to know the access rights to remove, so I would run something like the following:

$perms = Get-MailboxPermission vp | where { $_.IsInherited -eq $false -and $_.User.ToString().Contains("DOMAIN\") }
foreach ($p in $perms) { $user = $p.User.ToString().Substring($p.User.ToString().IndexOf("\") + 1); Remove-MailboxPermission vp -User $user -AccessRights FullAccess }

There may be an easier way, but I have not had time to test anything else.
0
 

Author Comment

by:WilsonJ
Thank you for all your input.
I was doing further tests and found out that from my Outlook, when I go to My Calendar and click on "Open a Shared Calendar", I can open any user's calendar in the domain using my user ID, which has no admin rights. I don't think this is right; there must be a setting to stop sharing everybody's calendar.
endital1097: I tried changing the default value to None and it didn't work. On your second post, I checked all the permissions and none of the users or VPs belong to an admin group or have admin rights to each other.
Akhater: 1) Permissions were never given to any of those users accessing the VPs' calendars. 2) Users do not have full mailbox access to each other's mailboxes. 3) Users do not have or need passwords to view the calendars.
sunnyc7: I tried to run the script but I must be making a mistake because I am getting a syntax error. For argument's sake, and to make sure I am typing everything correctly, let's define:
Username = alpha, VP username = beta, and mail@domain.com is the e-mail address of alpha, correct?
Here is the syntax you typed:
Get-mailbox -vpname |Remove-MailboxFolderPermission -User mail@domain.com
This is what I entered in the shell:
Get-mailbox -beta |Remove-MailboxFolderPermission -alpha a.lpha@company-name.us
Here is the error I am getting.

[PS] C:\Windows\system32>Get-mailbox beta |Remove-MailboxFolderPermission -alpha a.lpha@company-name.us
A positional parameter cannot be found that accepts argument 'a.lpha@company-name.us'.
    + CategoryInfo          : InvalidArgument: (:) [Remove-MailboxFolderPermission], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Remove-MailboxFolderPermission
 
 
Thanks for all your help
0
 
LVL 28

Expert Comment

by:sunnyc7
VP = alpha
User who should not be watching the VP = beta - email address beta@domain.com

Get-mailbox -alpha |Remove-MailboxFolderPermission -user beta@domain.com
0
 
LVL 49

Expert Comment

by:Akhater
"I was doing further tests and found out that from my Outlook, when I go to My Calendar and click on "Open a Shared Calendar", I can open any user's calendar in the domain using my user ID, which has no admin rights. I don't think this is right; there must be a setting to stop sharing everybody's calendar."

By default no one can open calendars unless an explicit right was given; something is wrong with your permissions.
0
 
LVL 32

Expert Comment

by:endital1097
I got something else:

ForEach ($f in (Get-Mailbox)) { $fname = "vp:\Calendar";
Remove-MailboxFolderPermission $fname -User $f }
0
 
LVL 32

Expert Comment

by:endital1097
You may want to run it with -ErrorAction SilentlyContinue:

ForEach ($f in (Get-Mailbox)) { $fname = "vp:\Calendar"; Remove-MailboxFolderPermission $fname -User $f -ErrorAction SilentlyContinue }
0
 
LVL 28

Expert Comment

by:sunnyc7
Yeah, I was thinking about that and was tied up with this one >>

> Get-Mailbox will output the VP's mailbox too. Will that disable access to the VP's calendar for the VP?
0
 
LVL 32

Expert Comment

by:endital1097
No, the MAPI folder permissions don't apply to the mailbox owner.
0
 

Author Comment

by:WilsonJ
sunnyc7:
I tried running the new command and got the following error.
[PS] C:\Windows\system32>Get-mailbox -alpha |Remove-MailboxFolderPermission -user b.eta@company-name.us
The operation couldn't be performed because object '-alpha' couldn't be found on 'DC.domain.com'.
    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 6C517B40,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
I don't understand why it says it cannot find the user in the DC; they are all there. What am I doing wrong? I'm typing it exactly as I should. :(
endital1097:
I ran the line below and it executed fine, using my user against another domain user, and I can still view their calendar when I go to Open a Shared Calendar.
ForEach ($f in (Get-Mailbox)) { $fname = "vp:\Calendar"; Remove-MailboxFolderPermission $fname -User $f -ErrorAction SilentlyContinue }
Thanks
 
0
 

Author Comment

by:WilsonJ
Akhater,
I don't know what else to check as far as permissions. No one has access to anybody's mailbox, and none of the users in question are part of an admin group or have explicit rights to other users.
:(
Any ideas??
Thanks
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 500 total points
Run the following:
Get-MailboxPermission otheruser | where { $_.IsInherited -eq $false }

Do you belong to any groups listed with FullAccess?
0
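
The check from the accepted answer, extended into a reusable filter, as an added example that is not part of the thread or any participant's code. The function name `Get-UnexpectedFullAccess`, its `-Allowed` parameter, the helper `New-SampleEntry` and the `EXAMPLE\...` accounts are assumptions made for illustration; the sample entries are constructed to resemble `Get-MailboxPermission` output.

```powershell
# Added example, not from the thread. Filters mailbox permission entries down to
# explicit (non-inherited) FullAccess grants held by anyone other than the owner.
# Get-UnexpectedFullAccess and -Allowed are hypothetical names chosen for this example.
function Get-UnexpectedFullAccess {
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        # Assumption: only the mailbox owner (SELF) is expected to hold FullAccess.
        [string[]] $Allowed = @('NT AUTHORITY\SELF')
    )
    process {
        if ($Entry.IsInherited) { return }   # same filter as the accepted answer
        if ($Entry.Deny)        { return }   # a deny entry grants nothing
        $rights = @($Entry.AccessRights | ForEach-Object { $_.ToString() })
        if ($rights -notcontains 'FullAccess') { return }
        $trustee = $Entry.User.ToString()
        if ($Allowed -contains $trustee) { return }
        New-Object PSObject -Property @{
            Mailbox = $Entry.Identity.ToString()
            Trustee = $trustee
            Rights  = ($rights -join ', ')
        } | Select-Object Mailbox, Trustee, Rights
    }
}

# Constructed sample entries shaped like Get-MailboxPermission output
# (EXAMPLE\... accounts are placeholders), so the filter can be tried offline.
function New-SampleEntry($User, $Rights, $Inherited) {
    New-Object PSObject -Property @{
        Identity = 'example.com/Users/VP'; User = $User
        AccessRights = $Rights; IsInherited = $Inherited; Deny = $false
    }
}
$sample = @(
    (New-SampleEntry 'NT AUTHORITY\SELF'        @('FullAccess', 'ReadPermission') $false),
    (New-SampleEntry 'EXAMPLE\administrator'    @('FullAccess')                   $false),
    (New-SampleEntry 'EXAMPLE\username'         @('FullAccess')                   $false),
    (New-SampleEntry 'EXAMPLE\Exchange Servers' @('FullAccess')                   $true)
)

# Run the filter over the constructed sample.
$sample | Get-UnexpectedFullAccess | Format-Table -AutoSize

# In the Exchange Management Shell, feed it real entries instead:
#   Get-MailboxPermission vp | Get-UnexpectedFullAccess
```

A reported trustee can be a group rather than a single account, so each group in the result still has to be checked for who its members are.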
 

Author Comment

by:WilsonJ
endital1097:
Wow, I think I have given myself full rights in the past. I tested with another user and it seems to be blocked. I have to try with the actual users in question but will have to wait until later to make sure they are blocked as well.
Here are the results when I ran that command.

[PS] C:\Windows\system32>get-mailboxpermission User | where { $_.isinherited -eq $false }
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
zzzzz.com/zzzzz/A... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False

[PS] C:\Windows\system32>get-mailboxpermission VP | where { $_.isinherited -eq $false }
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
rwusa.com/zzzzz/A... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
zzzzz.com/zzzzz/A... zzzzz\administrator  {FullAccess}                                                False       False
zzzzz.com/zzzzz/A... zzzzz\username        {FullAccess}                                                False       False

[PS] C:\Windows\system32>get-mailboxpermission username   | where { $_.isinherited -eq $false }
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
rwusa.com/zzzzz/W... NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
zzzzz.com/zzzzz/W... zzzzz\administrator  {FullAccess}                                                False       False
zzzzz.com/zzzzz/W... zzzzz\username     {FullAccess}                                                False       False

0
 
LVL 32

Expert Comment

by:endital1097
Let us know if you need anything more.
0
 
LVL 28

Expert Comment

by:sunnyc7
Thanks for the points, WilsonJ, but I think endital deserves 100% of the credit on this one.
0
 

Author Comment

by:WilsonJ
How do I change it? Do I have to ask a moderator?
 
0
 
LVL 28

Expert Comment

by:sunnyc7
From your end - you should be able to allocate endital's post as the answer and uncheck mine.
Otherwise - click on request attention link on top.
0
 
LVL 32

Expert Comment

by:endital1097
Thanks everyone :)
0
 

Author Closing Comment

by:WilsonJ
Sorry for the delay, it completely slipped my mind; I thought I had already re-assigned the points.
Thanks a lot.
0
