Solved

Remove calendar access for user in Exchange 2010

Posted on 2013-01-02
Last Modified: 2013-01-22
We have one user who is having an issue: when he opens Outlook, he sees and has access to all resource accounts without permissions assigned to him.  We're running Exchange 2010 and the end user is running Outlook 2010. This has been an issue for some time; the user is both a Domain and Exchange admin.  We migrated from Exchange 2003 ~2 years ago to Exchange 2010.

I have checked each resource calendar for access permissions and his account is not listed.  Has anyone seen this behavior or know how to resolve?  This is quite irritating as the user gets every invite for every calendar and we have 23 resource calendars.  Any help is greatly appreciated!
Question by:Christina Taylor
15 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38737280
Permissions must be there somewhere.
Having both domain admin rights on their regular user account isn't a good idea either.

You need to look to see what accounts and groups have either Full Mailbox or Receive As permissions and then check that user's account isn't a member of the group.

Simon.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737283
he does not have to be listed if he is the exchange admin... look at his account and group membership and then look for those groups in the calendar permission settings
use the Get-MailboxFolderPermission servlet in the powershell to list all the permissions of a calendar
0
 

Author Comment

by:Christina Taylor
ID: 38737331
Simon - agreed, permissions are somewhere... just can't seem to find where.

Group membership is a long list as he is our IT Director and has access to most everything, whether this is right or wrong... it's the way it is.  I also have similar access with the exception of two groups, Enterprise Admins & Schema Admins.  I've been tasked to resolve this particular annoying issue.  

theruck - Here is the result on one calendar with the Get-MailboxFolderPermission servlet:
[PS] C:\Windows\system32>Get-MailboxFolderPermission CR-EAST-2ND-FLOOR


RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Default
AccessRights : {None}
Identity     : Default
IsValid      : True

RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Anonymous
AccessRights : {None}
Identity     : Anonymous
IsValid      : True
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737355
"Top of Information Store" is not a name of a calendar I think...
0
 

Author Comment

by:Christina Taylor
ID: 38737380
cmdlet used  "Get-MailboxFolderPermission CR-EAST-2ND-FLOOR"

See previous comment.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38737496
I don't think it is going to be a permission in the mailbox, it will be an account permission.
As IT Director he should know better than having a single account with permissions to everything, although I do recall having a standup row with an IT director of a FTSE 100 company who thought he should have access to everything on a single account, I won and he doesn't.

Simon.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737571
tell your boss that if he is the domain admin he has to do this himself. and if he is not then create him a regular account and add him to a group with elevated rights and permissions
0
 

Author Comment

by:Christina Taylor
ID: 38737591
Thanks for the comical advice guys... but this does not help me resolve the issue :)  

At a closer look, he and myself have the same access and are both members of all of the same groups with the exception of Schema Admins,  so I'll try removing that group from his account and see what happens.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737617
nothing will happen as schema admin permission does not have anything to do with this topic. either he is the owner or delegate of all the calendars or has some specific settings set on his mailbox or account
0
 

Author Comment

by:Christina Taylor
ID: 38737720
Ok, thank you - I will have to work through this with him I suppose.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737767
if you have the domain admin rights and exchange admin rights you can have a look and fix it yourself. just check each calendar property and you will find it
0
 

Author Comment

by:Christina Taylor
ID: 38737936
I have gone into each resource calendar, I've checked every tab to see if he's got permissions somewhere and I'm not seeing anything.  

For example, I've checked under
resource policy tab - delegates (not a delegate)
Mail flow settings tab - delivery options - send on behalf OR forward to (nothing here)
Resource In\Out of Policy Request tabs (nothing here)

Is there somewhere I'm missing to check?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38738499
You are wasting your time looking at the properties of the resources individually.
Check what can actually be opened? Can the full mailbox be opened (via Open Other User's folders)? Can anyone's folders be opened?

I doubt very much if the permissions have been modified on each resource individually, hence a group at the domain level is going to be the place to go for.

As for the advice on split permissions - you must have hacked around with the domain to get them to work, as Exchange removes permissions automatically if you are a domain admin. Plus there are additional security issues, particularly if you are in a regulated environment, plus personal and data protection issues - plus my favourite - you have no auditing trail. That means if something goes wrong, you cannot prove who was (or wasn't) to blame.

Simon.
0
 

Accepted Solution

by:
Christina Taylor earned 0 total points
ID: 38788883
I think we will probably just blow away this account and recreate it.  The only thing left that we can think to try as something got tweaked and we just cannot locate where.
0
 

Author Closing Comment

by:Christina Taylor
ID: 38804806
Other solutions offered did not resolve the issue.
0
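
Added example (not posted by anyone in the thread): one way to run the checks the experts describe, looking for Full Access and Receive-As grants that reach the user through nested group membership, and listing the ACL of the actual calendar folder rather than the mailbox root. It assumes the Exchange 2010 Management Shell with the ActiveDirectory module available, an English folder name `Calendar`, and the placeholder account `jdoe`.

```powershell
# Added example; 'jdoe' is a placeholder for the affected account.
Import-Module ActiveDirectory
$who = Get-ADUser 'jdoe'

# The user plus every group that contains the user, nested membership included
# (LDAP matching-rule-in-chain). The primary group is not returned by this filter.
$filter = "(member:1.2.840.113556.1.4.1941:=$($who.DistinguishedName))"
$names  = @($who.SamAccountName) +
          @(Get-ADGroup -LDAPFilter $filter | ForEach-Object { $_.SamAccountName })

# True when a DOMAIN\name trustee is the user or one of those groups.
function Test-Trustee([string]$Trustee) {
    $names -contains ($Trustee -replace '^.*\\', '')
}

$rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox -ResultSize Unlimited

$report = foreach ($mbx in $rooms) {
    # Mailbox-level Full Access, explicit or inherited, allow or deny.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { (Test-Trustee $_.User) -and
                       (($_.AccessRights -join ',') -match 'FullAccess') } |
        Select-Object @{n='Mailbox';e={$mbx.Alias}}, @{n='Source';e={'Mailbox'}},
                      @{n='Trustee';e={"$($_.User)"}},
                      @{n='Rights';e={$_.AccessRights -join ','}}, IsInherited, Deny

    # Receive-As extended right on the mailbox's AD object.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { (Test-Trustee $_.User) -and ($_.ExtendedRights -like 'Receive-As') } |
        Select-Object @{n='Mailbox';e={$mbx.Alias}}, @{n='Source';e={'ADObject'}},
                      @{n='Trustee';e={"$($_.User)"}},
                      @{n='Rights';e={'Receive-As'}}, IsInherited, Deny

    # Calendar folder ACL: every entry that grants more than None.
    Get-MailboxFolderPermission -Identity "$($mbx.Alias):\Calendar" |
        Where-Object { ($_.AccessRights -join ',') -ne 'None' } |
        Select-Object @{n='Mailbox';e={$mbx.Alias}}, @{n='Source';e={'CalendarFolder'}},
                      @{n='Trustee';e={"$($_.User)"}},
                      @{n='Rights';e={$_.AccessRights -join ','}},
                      @{n='IsInherited';e={$false}}, @{n='Deny';e={$false}}
}

$report | Sort-Object Mailbox, Source | Format-Table -AutoSize
```

Rows with IsInherited set to True are not stored on the resource mailbox itself, which is why they do not show up when each resource's properties are checked one by one.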

Question has a verified solution.