Christina Taylor asked:

Remove calendar access for user in Exchange 2010

We have one user who is having an issue: when he opens Outlook, he sees and has access to all resource accounts without permissions assigned to him.  We're running Exchange 2010 and the end user is running Outlook 2010. This has been an issue for some time; the user is both a Domain and Exchange admin.  We migrated from Exchange 2003 ~2 years ago to Exchange 2010.

I have checked each resource calendar for access permissions and his account is not listed.  Has anyone seen this behavior or know how to resolve?  This is quite irritating as the user gets every invite for every calendar and we have 23 resource calendars.  Any help is greatly appreciated!
Tags: Outlook, Exchange

Simon Butler (Sembee)

Permissions must be there somewhere.
Having both domain admin rights on their regular user account isn't a good idea either.

You need to look to see what accounts and groups have either Full Mailbox or Receive As permissions and then check that user's account isn't a member of the group.

Simon.
theruck

He does not have to be listed if he is the Exchange admin... Look at his account and group membership and then look for those groups in the calendar permission settings.
Use the Get-MailboxFolderPermission servlet in PowerShell to list all the permissions of a calendar.
Christina Taylor (ASKER)

Simon - agreed, permissions are somewhere... just can't seem to find where.

Group membership is a long list as he is our IT Director and has access to most everything, whether this is right or wrong... it's the way it is.  I also have similar access with the exception of two groups, Enterprise Admins & Schema Admins.  I've been tasked to resolve this particular annoying issue.  

theruck - Here is the result on one calendar with the Get-MailboxFolderPermission servlet:
[PS] C:\Windows\system32>Get-MailboxFolderPermission CR-EAST-2ND-FLOOR


RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Default
AccessRights : {None}
Identity     : Default
IsValid      : True

RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Anonymous
AccessRights : {None}
Identity     : Anonymous
IsValid      : True
theruck

"Top of Information Store" is not a name of a calendar, I think...
Christina Taylor (ASKER)

cmdlet used  "Get-MailboxFolderPermission CR-EAST-2ND-FLOOR"

Simon Butler (Sembee)

See previous comment.
I don't think it is going to be a permission in the mailbox, it will be an account permission.
As IT Director he should know better than having a single account with permissions to everything, although I do recall having a standup row with an IT director of a FTSE 100 company who thought he should have access to everything on a single account. I won and he doesn't.

Simon.
theruck

Tell your boss that if he is the domain admin he has to do this himself. And if he is not, then create him a regular account and add him to a group with elevated rights and permissions.
Christina Taylor (ASKER)

Thanks for the comical advice guys... but this does not help me resolve the issue :)  

At a closer look, he and myself have the same access and are both members of all of the same groups with the exception of Schema Admins,  so I'll try removing that group from his account and see what happens.
theruck

Nothing will happen, as schema admin permission does not have anything to do with this topic. Either he is the owner or delegate of all the calendars, or he has some specific settings set on his mailbox or account.
Christina Taylor (ASKER)

Ok, thank you - I will have to work through this with him I suppose.
theruck

If you have the domain admin rights and Exchange admin rights you can have a look and fix it yourself. Just check each calendar property and you will find it.
Christina Taylor (ASKER)

I have gone into each resource calendar, I've checked every tab to see if he's got permissions somewhere and I'm not seeing anything.  

For example, I've checked under
resource policy tab - delegates (not a delegate)
Mail flow settings tab - delivery options - send on behalf OR forward to (nothing here)
Resource In\Out of Policy Request tabs (nothing here)

Is there somewhere I'm missing to check?
Simon Butler (Sembee)

You are wasting your time looking at the properties of the resources individually.
Check what can actually be opened? Can the full mailbox be opened (via Open Other User's folders)? Can anyone's folders be opened?

I doubt very much if the permissions have been modified on each resource individually, hence a group at the domain level is going to be the place to go for.

As for the advice on split permissions - you must have hacked around with the domain to get them to work, as Exchange removes permissions automatically if you are a domain admin. Plus there are additional security issues, particularly if you are in a regulated environment, plus personal and data protection issues - plus my favourite - you have no auditing trail. That means if something goes wrong, you cannot prove who was (or wasn't) to blame.

Simon.
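
The checks suggested in this thread (Full Access or Receive As held through a group, and the calendar folder ACL) can be run across all resource mailboxes at once. This is an added example, not code posted by anyone in the thread; it assumes the Exchange Management Shell, the ActiveDirectory module, an English folder name of `Calendar`, and a placeholder account name `jdoe`. Note that `Get-MailboxFolderPermission` given only a mailbox name reports the mailbox root ("Top of Information Store"), so the calendar is addressed as `alias:\Calendar`.

```powershell
# Added example for the Exchange Management Shell; not from the original thread.
Import-Module ActiveDirectory        # assumption: RSAT AD module is installed
$UserId = 'jdoe'                     # hypothetical sAMAccountName of the affected user

# The user plus every group he belongs to, nested groups included (LDAP in-chain rule).
$dn    = (Get-ADUser $UserId).DistinguishedName
$names = @($UserId) + @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
             ForEach-Object { $_.SamAccountName })

# True when a trustee such as "DOMAIN\Group" is the user or one of those groups.
function Test-Trustee($t) { $names -contains ("$t" -split '\\')[-1] }

# One uniform row per finding so all results can be tabulated together.
function New-Row($target, $source, $ace) {
    New-Object PSObject -Property @{
        Target = $target; Source = $source; Trustee = "$($ace.User)"
        Rights = "$($ace.AccessRights) $($ace.ExtendedRights)".Trim()
        Inherited = $ace.IsInherited; Deny = $ace.Deny }
}

$resources = Get-Mailbox -RecipientTypeDetails RoomMailbox,EquipmentMailbox -ResultSize Unlimited
$report = @(
    # Receive As granted on a database is inherited by every mailbox stored in it.
    foreach ($db in Get-MailboxDatabase) {
        Get-ADPermission -Identity $db.DistinguishedName |
            Where-Object { ($_.ExtendedRights -like '*Receive-As*') -and (Test-Trustee $_.User) } |
            ForEach-Object { New-Row $db.Name 'Database Receive-As' $_ }
    }
    foreach ($mbx in $resources) {
        # Mailbox-level Full Access, whether set on the mailbox or inherited from above.
        Get-MailboxPermission -Identity $mbx.DistinguishedName |
            Where-Object { ($_.AccessRights -match 'FullAccess') -and (Test-Trustee $_.User) } |
            ForEach-Object { New-Row $mbx.Alias 'Mailbox FullAccess' $_ }

        # Calendar folder ACL: list every entry other than the two built-in ones,
        # because folder ACLs may show display names rather than DOMAIN\name.
        Get-MailboxFolderPermission -Identity "$($mbx.Alias):\Calendar" |
            Where-Object { @('Default', 'Anonymous') -notcontains "$($_.User)" } |
            ForEach-Object { New-Row $mbx.Alias 'Calendar folder' $_ }
    }
)
$report | Select-Object Target, Source, Trustee, Rights, Inherited, Deny | Format-Table -AutoSize
```

A row with Inherited set and Deny not set points at a grant made above the individual mailbox, which is the case the per-resource property tabs do not show.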
ASKER CERTIFIED SOLUTION
Christina Taylor
Christina Taylor (ASKER)

Other solutions offered did not resolve the issue.