Solved

Remove calendar access for user in Exchange 2010

Posted on 2013-01-02
Last Modified: 2013-01-22
We have one user who is having an issue when he opens Outlook: he sees and has access to all resource accounts without permissions assigned to him.  We're running Exchange 2010 and the end user is running Outlook 2010. This has been an issue for some time; the user is both a Domain and Exchange admin.  We migrated from Exchange 2003 ~2 years ago to Exchange 2010.

I have checked each resource calendar for access permissions and his account is not listed.  Has anyone seen this behavior or know how to resolve?  This is quite irritating as the user gets every invite for every calendar and we have 23 resource calendars.  Any help is greatly appreciated!
Question by:Christina Taylor
15 Comments
 

Expert Comment

by:Simon Butler (Sembee)
Permissions must be there somewhere.
Having both domain admin rights on their regular user account isn't a good idea either.

You need to look to see what accounts and groups have either Full Mailbox or Receive As permissions and then check that user's account isn't a member of the group.

Simon.

Expert Comment

by:theruck
he does not have to be listed if he is the exchange admin... look at his account and group membership and then look for those groups in the calendar permission settings
use the Get-MailboxFolderPermission servlet in the powershell to list all the permissions of a calendar

Author Comment

by:Christina Taylor
Simon - agreed, permissions are somewhere... just can't seem to find where.

Group membership is a long list as he is our IT Director and has access to most everything, whether this is right or wrong... it's the way it is.  I also have similar access with the exception of two groups, Enterprise Admins & Schema Admins.  I've been tasked to resolve this particular annoying issue.  

theruck - Here is the result on one calendar with the Get-MailboxFolderPermission servlet:
[PS] C:\Windows\system32>Get-MailboxFolderPermission CR-EAST-2ND-FLOOR


RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Default
AccessRights : {None}
Identity     : Default
IsValid      : True

RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Anonymous
AccessRights : {None}
Identity     : Anonymous
IsValid      : True

Expert Comment

by:theruck
"Top of Information Store" is not a name of a calendar i think...

Author Comment

by:Christina Taylor
cmdlet used  "Get-MailboxFolderPermission CR-EAST-2ND-FLOOR"

See previous comment.

Expert Comment

by:Simon Butler (Sembee)
I don't think it is going to be a permission in the mailbox, it will be an account permission.
As IT Director he should know better than having a single account with permissions to everything, although I do recall having a standup row with an IT director of a FTSE 100 company who thought he should have access to everything on a single account, I won and he doesn't.

Simon.

Expert Comment

by:theruck
tell your boss that if he is the domain admin he has to do this himself. and if he is not then create him a regular account and add him to a group with elevated rights and permissions

Author Comment

by:Christina Taylor
Thanks for the comical advice guys... but this does not help me resolve the issue :)  

At a closer look, he and myself have the same access and are both members of all of the same groups with the exception of Schema Admins,  so I'll try removing that group from his account and see what happens.

Expert Comment

by:theruck
nothing will happen as schema admin permission does not have anything with this topic. either he is the owner or delegate of all the calendars or has some specific settings set on his mailbox or account

Author Comment

by:Christina Taylor
Ok, thank you - I will have to work through this with him I suppose.

Expert Comment

by:theruck
if you have the domain admin rights and exchange admin rights you can have a look and fix it yourself. just check each calendar property and you will find it

Author Comment

by:Christina Taylor
I have gone into each resource calendar, I've checked every tab to see if he's got permissions somewhere and I'm not seeing anything.  

For example, I've checked under
resource policy tab - delegates (not a delegate)
Mail flow settings tab - delivery options - send on behalf OR forward to (nothing here)
Resource In\Out of Policy Request tabs (nothing here)

Is there somewhere I'm missing to check?

Expert Comment

by:Simon Butler (Sembee)
You are wasting your time looking at the properties of the resources individually.
Check what can actually be opened? Can the full mailbox be opened (via Open Other User's folders)? Can anyone's folders be opened?

I doubt very much if the permissions have been modified on each resource individually, hence a group at the domain level is going to be the place to go for.

As for the advice on split permissions - you must have hacked around with the domain to get them to work, as Exchange removes permissions automatically if you are a domain admin. Plus there are additional security issues, particularly if you are in a regulated environment, plus personal and data protection issues - plus my favourite - you have no auditing trail. That means if something goes wrong, you cannot prove who was (or wasn't) to blame.

Simon.
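
The checks suggested in this thread (the calendar folder permissions theruck points at, and Simon's review of Full Mailbox / Receive As rights against group membership), collected into one audit over all resource mailboxes. This is an added example, not posted by any participant; the account `jdoe`, the helper functions `Test-Trustee` and `New-Row`, and the English folder name `Calendar` are assumptions.

```powershell
# Added example; run in the Exchange Management Shell on Exchange 2010.
# Assumed: ActiveDirectory module (RSAT) available; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory
$user   = Get-ADUser -Identity 'jdoe'
# Every group the user is in, nested ones included (LDAP_MATCHING_RULE_IN_CHAIN).
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$names  = @($user.SamAccountName, $user.Name) +
          @($groups | ForEach-Object { $_.SamAccountName; $_.Name })

function Test-Trustee($trustee) {
    # Trustees show up as DOMAIN\name or as a display name; compare the name part.
    $names -contains ($trustee.ToString() -split '\\')[-1]
}
function New-Row($mailbox, $layer, $ace, $rights) {
    New-Object PSObject -Property @{
        Mailbox = $mailbox; Layer = $layer; Trustee = $ace.User.ToString()
        Rights  = ($rights -join ','); Inherited = $ace.IsInherited; Deny = $ace.Deny
    }
}

$rooms  = Get-Mailbox -RecipientTypeDetails RoomMailbox,EquipmentMailbox -ResultSize Unlimited
$report = foreach ($mbx in $rooms) {
    # 1. Mailbox-level rights (FullAccess), explicit or inherited.
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { Test-Trustee $_.User } |
        ForEach-Object { New-Row $mbx.Alias 'Mailbox' $_ $_.AccessRights }

    # 2. AD extended rights on the mailbox object (Receive-As, Send-As).
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.ExtendedRights -and (Test-Trustee $_.User) } |
        ForEach-Object { New-Row $mbx.Alias 'AD' $_ $_.ExtendedRights }

    # 3. Folder-level rights on the calendar itself. A bare mailbox name returns
    #    only "Top of Information Store"; the folder path is needed. The folder
    #    name "Calendar" assumes an English-language mailbox.
    Get-MailboxFolderPermission -Identity "$($mbx.Alias):\Calendar" -ErrorAction SilentlyContinue |
        Where-Object { Test-Trustee $_.User } |
        ForEach-Object { New-Row $mbx.Alias 'Calendar' $_ $_.AccessRights }
}

# Inherited rows point at a parent object rather than at the resource mailbox.
$report | Sort-Object Mailbox, Layer |
    Format-Table Mailbox, Layer, Trustee, Rights, Inherited, Deny -AutoSize
```

Rows with `Inherited` set to True and a group as trustee are the ones that never appear on the per-resource property tabs.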

Accepted Solution

by:Christina Taylor
I think we will probably just blow away this account and recreate it.  The only thing left that we can think to try as something got tweaked and we just cannot locate where.

Author Closing Comment

by:Christina Taylor
Other solutions offered did not resolve the issue.