Exchange 2003 Shared Calendar Security Settings

It's been a while since I've jumped into GPO's or the like, but I was made aware of a security issue in my organization.  What's happening is it seems I have some users out there that when they open a shared calendar, they can see everything on the users calendar fully.  As far as I can tell, these users are all my HR users, and seems to all be members of a few groups.

If I open a shared calendar, I see free/busy info, but nothing else.  So my question, where can I see calendar permissions for exchange users?  Note, I'm currently running my domain in mixed mode, as I have recently added two 2008 DC's and my old 2003's are still hanging around for a short time.  The 2008 controllers are the FSMO master.

Cheers
JJ
0
2 Solutions
 
Adam Brown (Sr Solutions Architect) commented:
Calendar permissions are typically set in Outlook or OWA. There isn't a direct method for setting up calendar permissions on individual mailboxes in Exchange (Until you get to Exchange 2010). There are some tricks for bulk management, though. You can't do it with a GPO. http://exchange.sembee.info/2003/mailbox/folderpermissions.asp has a little information on what you can do. In general, each individual is in charge of the permissions on their own calendars. If they grant permissions to a user or group, they will have to revoke that permission themselves. The issue is, of course, with users granting permissions to a specific group of people, which is easier than one user at a time, but if a new person becomes a member of that group, then they have someone they don't know with access to their calendar. Only thing you can really do about that is tell people not to assign calendar permissions to groups.
0
 
JamesonJendreas (Author) commented:
There isn't a way to reset calendar permissions across the board is there?
0
 
Adam Brown (Sr Solutions Architect) commented:
The Setperm utility in the link I gave *should* give you the ability to do that.
0
 
JamesonJendreas (Author) commented:
Man, this is odd, I went ahead and did a reset permissions using setperm, still getting the exact same thing.  I had errors when running, so I went back and did it to a single mailbox, and the users still have full access to the mailbox I 'reset' the permissions to.
0
 
Adam Brown (Sr Solutions Architect) commented:
Hmmm...You might want to check the permissions on the Mailboxes themselves. It's possible that the users are set with Full control permissions on the mailboxes in the ACLs in Exchange.
0
 
JamesonJendreas (Author) commented:
Also, an odd one - I went ahead and added the user directly to the calendar permissions in Outlook and set them as 'reviewer', but they still see all items.
0
 
JamesonJendreas (Author) commented:
OK - here's an interesting one, I checked rights on a user's mailbox in AD, and "Anonymous", "Authenticated Users" and "Everyone" have:
Delete Mailbox Storage
Read
Change
Take Ownership
Full Mailbox Access

The check boxes are greyed out.
0
 
Adam Brown (Sr Solutions Architect) commented:
Yeah, that would be the problem, then. From the description, the greyed out box means it's an inherited permission. I haven't used 2003 in a pretty long time so I'm not sure how to guide you for removing the inherited permission setting on the mailboxes. If you can check the mailbox permissions at the Domain level, you should be able to remove the mailbox permissions from there, but I don't have an Exchange 2003 server running in my test environment right now so I'm not 100% sure on that.
0
 
JamesonJendreas (Author) commented:
Yeah, so I was able to remove the inherited permissions from System Manager.  I then used Setperm on a test account and it seems to be taking.  Sadly, though, all I can get is either no access or full access and not view free/busy info only...
0
 
Adam Brown (Sr Solutions Architect) commented:
You may need to pick a default and have users share out their calendars to others as needed or requested. As I said, the vast majority of calendar permissions are set in Outlook rather than Exchange, so there isn't a lot you can do about it.
0
 
JamesonJendreas (Author) commented:
That's what I was thinking - I have no problem with resetting all calendars to default.
0
 
JamesonJendreas (Author) commented:
Still doesn't seem to be working...  I was able to reproduce the issue in my Outlook (that is, I can see everyone's full calendar).  I went through and removed the permissions (or more accurately, added "none").  I went back, and lo and behold, I could see free/busy only for one of my managers.  Everyone else - not so much.  I then checked the permissions on the calendar, and sure enough I show up with permissions "none" - but I can still see everything.
0
 
JamesonJendreas (Author) commented:
So I can't get the folders to default.  I change the permissions, they show in the calendar permissions (say all users have access "None"), but they all can still see the entire calendar.

Where is the calendar held?  I'm wondering if the users have some explicit access to the folders.
0
 
JamesonJendreas (Author) commented:
Also note: I have two Exchange servers, my main server with my stores, and a front end OWA server.
0
 
Adam Brown (Sr Solutions Architect) commented:
The calendar is just a folder in each mailbox. The Front End shouldn't have much to do with this, since it just provides client access.
0
 
JamesonJendreas (Author) commented:
OK - but what would the (general) path to the folder containing the calendar be?  I'm thinking this is where I am getting inherited permissions.
0
 
JamesonJendreas (Author) commented:
Well, I'm trying out PFDAVAdmin to attempt to set all permissions back to "none".
0
 
JamesonJendreas (Author) commented:
Ok, so I used PFDAVAdmin, set all users to none.  Still, many of my users get full access to the calendar.  Attached is a screenshot of a very important user's calendar, that most users can see fully (my own account is the only one where I can't replicate the issue fully).  User "Bonnie Chesser", who has explicit access of "none", can see this calendar in full....
permissions.png
0
 
JamesonJendreas (Author) commented:
Also, from my regular account I can only see free/busy, but I seem to be the only one (figures).  I can't for the life of me find anything that is setup different between my account and others.
0
 
JamesonJendreas (Author) commented:
So, is there a place I can look at folder permissions?  Like through Explorer?
0
 
JamesonJendreas (Author) commented:
Also,
I've noted that "Everyone" has pretty much all access under "Mailbox rights" in AD->Exchange Advanced.  All options to remove are greyed out.
Mailbox-Permissions.png
0
 
JamesonJendreas (Author) commented:
OK - I think this is resolved.  Not 100% sure it is across the board, as for some users I had to do some extra things.  BUT for the KB, here's what I did:

1. Went to each of my storage groups and removed inherited permissions (within System Manager)
2. For each mailbox store*, open properties and go to the security tab
3. Remove "Everyone" and "Authenticated Users"
4. Use PFDAVAdmin and reset the permissions for all users calendars
5. For my stubborn users, I ended up moving their mailboxes from one store to another

Now I am going around and spot-checking my users.


*I have 5 Storage groups with 5 Mail stores each for some reason, so this had to be done on all 25 mailbox stores.

0
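The condition the author found (broad principals carrying Full Mailbox Access, inherited from the store) can be audited read-only before and after the steps above. This is an added example, not code from the thread or either participant: it assumes the Exchange 2003 attribute msExchMailboxSecurityDescriptor on user objects and on mailbox store (msExchPrivateMDB) objects, that the Full Mailbox Access right is bit 0x1 of the rights mask, and a domain-joined host with PowerShell 2.0+; the function and variable names are mine.

```powershell
# Added audit script, not from the thread. Assumptions: domain-joined host with
# PowerShell 2.0+, read access to AD, and the Exchange 2003 schema, which keeps
# mailbox rights in msExchMailboxSecurityDescriptor on user objects and on
# mailbox store (msExchPrivateMDB) objects in the configuration partition.
$FullMailboxAccess = 0x1   # assumed: "Full mailbox access" bit in the rights mask
$BroadSids = @{            # well-known SIDs the thread found with inherited rights
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}
function Get-BroadMailboxAces {
    # Parse a raw descriptor; return allow ACEs giving a broad principal Full Mailbox Access.
    param([byte[]]$SdBytes)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($SdBytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($BroadSids.ContainsKey($sid) -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            ($ace.AccessMask -band $FullMailboxAccess)) {
            New-Object PSObject -Property @{
                Principal = $BroadSids[$sid]
                Mask      = '0x{0:X}' -f $ace.AccessMask
                Inherited = $ace.IsInherited   # True points at a store-level (inherited) entry
            }
        }
    }
}
function Find-OverPermissiveMailboxObjects {
    # Search $SearchBase with $Filter and report each object whose descriptor has a hit.
    param([string]$SearchBase, [string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter = $Filter
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('msExchMailboxSecurityDescriptor')
    foreach ($r in $searcher.FindAll()) {
        $sdValues = $r.Properties['msexchmailboxsecuritydescriptor']
        if ($sdValues.Count -eq 0) { continue }
        foreach ($hit in Get-BroadMailboxAces -SdBytes $sdValues[0]) {
            $hit | Add-Member NoteProperty Object $r.Properties['distinguishedname'][0] -PassThru
        }
    }
}
$root = [ADSI]'LDAP://RootDSE'
# Stores first (where the thread's inherited entries came from), then individual mailboxes
Find-OverPermissiveMailboxObjects $root.configurationNamingContext '(objectClass=msExchPrivateMDB)'
Find-OverPermissiveMailboxObjects $root.defaultNamingContext '(&(objectClass=user)(msExchMailboxSecurityDescriptor=*))'
```

The script only reads AD; a hit with Inherited = True on a mailbox corresponds to the greyed-out store-level entry that steps 1 to 3 remove, and a clean second run confirms the change propagated.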
 
JamesonJendreas (Author) commented:
Actual steps taken are my own after ACBrown's suggestions.

Odd permissions were set up prior to my taking over Exchange; ACBrown's assistance helped point me in the right direction.
0
