  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 380

Remove calendar access for user in Exchange 2010

We have one user who is having an issue when he opens Outlook: he sees and has access to all resource accounts without permissions assigned to him.  We're running Exchange 2010 and the end user is running Outlook 2010. This has been an issue for some time; the user is both a Domain and Exchange admin.  We migrated from Exchange 2003 ~2 years ago to Exchange 2010.

I have checked each resource calendar for access permissions and his account is not listed.  Has anyone seen this behavior or know how to resolve?  This is quite irritating as the user gets every invite for every calendar and we have 23 resource calendars.  Any help is greatly appreciated!
0
Christina Taylor
1 Solution
 
Simon Butler (Sembee), Consultant, commented:
Permissions must be there somewhere.
Having both domain admin rights on their regular user account isn't a good idea either.

You need to look to see what accounts and groups have either Full Mailbox or Receive As permissions and then check that user's account isn't a member of the group.

Simon.
0
 
theruck commented:
He does not have to be listed if he is the Exchange admin... look at his account and group membership and then look for those groups in the calendar permission settings.
Use the Get-MailboxFolderPermission servlet in PowerShell to list all the permissions of a calendar.
0
 
Christina Taylor, IT Administrator (Author), commented:
Simon - agreed, permissions are somewhere... just can't seem to find where.

Group membership is a long list as he is our IT Director and has access to most everything, whether this is right or wrong... it's the way it is.  I also have similar access with the exception of two groups, Enterprise Admins & Schema Admins.  I've been tasked to resolve this particular annoying issue.  

theruck - Here is the result on one calendar with the Get-MailboxFolderPermission servlet:
[PS] C:\Windows\system32>Get-MailboxFolderPermission CR-EAST-2ND-FLOOR


RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Default
AccessRights : {None}
Identity     : Default
IsValid      : True

RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Anonymous
AccessRights : {None}
Identity     : Anonymous
IsValid      : True
0
 
theruck commented:
"Top of Information Store" is not the name of a calendar, I think...
0
 
Christina Taylor, IT Administrator (Author), commented:
cmdlet used  "Get-MailboxFolderPermission CR-EAST-2ND-FLOOR"

See previous comment.
0
 
Simon Butler (Sembee), Consultant, commented:
I don't think it is going to be a permission in the mailbox, it will be an account permission.
As IT Director he should know better than having a single account with permissions to everything, although I do recall having a standup row with an IT director of a FTSE 100 company who thought he should have access to everything on a single account. I won and he doesn't.

Simon.
0
 
theruck commented:
Tell your boss that if he is the domain admin he has to do this himself, and if he is not, then create him a regular account and add him to a group with elevated rights and permissions.
0
 
Christina Taylor, IT Administrator (Author), commented:
Thanks for the comical advice guys... but this does not help me resolve the issue :)

At a closer look, he and I have the same access and are both members of all of the same groups with the exception of Schema Admins, so I'll try removing that group from his account and see what happens.
0
 
theruck commented:
Nothing will happen, as the Schema Admins permission does not have anything to do with this topic. Either he is the owner or delegate of all the calendars or has some specific settings set on his mailbox or account.
0
 
Christina Taylor, IT Administrator (Author), commented:
Ok, thank you - I will have to work through this with him I suppose.
0
 
theruck commented:
If you have the domain admin rights and Exchange admin rights you can have a look and fix it yourself. Just check each calendar property and you will find it.
0
 
Christina Taylor, IT Administrator (Author), commented:
I have gone into each resource calendar, I've checked every tab to see if he's got permissions somewhere and I'm not seeing anything.  

For example, I've checked under
resource policy tab - delegates (not a delegate)
Mail flow settings tab - delivery options - send on behalf OR forward to (nothing here)
Resource In\Out of Policy Request tabs (nothing here)

Is there somewhere I'm missing to check?
0
 
Simon Butler (Sembee), Consultant, commented:
You are wasting your time looking at the properties of the resources individually.
Check what can actually be opened? Can the full mailbox be opened (via Open Other User's folders)? Can anyone's folders be opened?

I doubt very much if the permissions have been modified on each resource individually, hence a group at the domain level is going to be the place to go for.

As for the advice on split permissions - you must have hacked around with the domain to get them to work, as Exchange removes permissions automatically if you are a domain admin. Plus there are additional security issues, particularly if you are in a regulated environment, plus personal and data protection issues - plus my favourite - you have no auditing trail. That means if something goes wrong, you cannot prove who was (or wasn't) to blame.

Simon.
0
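The check suggested in the answers above (which accounts and groups hold Full Access or Receive-As on the resource mailboxes, and whether the user is in any of them), written out as an added example that is not code from any poster in this thread. It assumes the Exchange 2010 Management Shell with the ActiveDirectory module available; `$UserSam` and `Test-Trustee` are hypothetical names.

```powershell
# Added example. $UserSam is a placeholder for the affected user's logon name.
Import-Module ActiveDirectory
$UserSam = 'jdoe'   # hypothetical account name

# The user plus every group he belongs to, nested groups included
# (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
$user   = Get-ADUser -Identity $UserSam
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$names  = @($user.SamAccountName) + @($groups | ForEach-Object { $_.SamAccountName })

# True when a trustee such as DOMAIN\Name is the user or one of his groups.
function Test-Trustee($trustee) {
    $sam = ($trustee.ToString() -split '\\')[-1]
    return ($names -contains $sam)
}

$resources = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox,EquipmentMailbox

foreach ($mbx in $resources) {
    # Full Access on the mailbox, explicit or inherited from the database/org.
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.Deny -and ($_.AccessRights -like '*FullAccess*') -and (Test-Trustee $_.User) } |
        Select-Object @{n='Object';e={$mbx.Name}}, @{n='Right';e={'FullAccess'}}, User, IsInherited

    # Receive-As granted on the mailbox's AD object.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Receive-As*') -and (Test-Trustee $_.User) } |
        Select-Object @{n='Object';e={$mbx.Name}}, @{n='Right';e={'Receive-As'}}, User, IsInherited

    # Folder-level rights on the calendar itself. A bare mailbox name returns
    # "Top of Information Store", so the folder path is given explicitly.
    Get-MailboxFolderPermission -Identity "$($mbx.Alias):\Calendar" |
        Where-Object { Test-Trustee $_.User } |
        Select-Object @{n='Object';e={"$($mbx.Name):\Calendar"}}, @{n='Right';e={$_.AccessRights}}, User
}

# Receive-As set once on a mailbox database applies to every mailbox in it.
foreach ($db in Get-MailboxDatabase) {
    Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Receive-As*') -and (Test-Trustee $_.User) } |
        Select-Object @{n='Object';e={$db.Name}}, @{n='Right';e={'Receive-As'}}, User, IsInherited
}
```

Rows with `IsInherited` set to True point at a grant made higher up (database or organization level) rather than on the individual resource, which would explain why nothing shows in each mailbox's own property tabs.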
 
Christina Taylor, IT Administrator (Author), commented:
I think we will probably just blow away this account and recreate it.  The only thing left that we can think to try as something got tweaked and we just cannot locate where.
0
 
Christina Taylor, IT Administrator (Author), commented:
Other solutions offered did not resolve the issue.
0
