Solved

Remove calendar access for user in Exchange 2010

Posted on 2013-01-02
Last Modified: 2013-01-22
We have one user who is having an issue when he opens Outlook: he sees and has access to all resource accounts without permissions assigned to him.  We're running Exchange 2010 and the end user is running Outlook 2010. This has been an issue for some time; the user is both a Domain and Exchange admin.  We migrated from Exchange 2003 ~2 years ago to Exchange 2010.

I have checked each resource calendar for access permissions and his account is not listed.  Has anyone seen this behavior or know how to resolve?  This is quite irritating as the user gets every invite for every calendar and we have 23 resource calendars.  Any help is greatly appreciated!
0
Question by:Christina Taylor
15 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38737280
Permissions must be there somewhere.
Having both domain admin rights on their regular user account isn't a good idea either.

You need to look to see what accounts and groups have either Full Mailbox or Receive As permissions and then check that user's account isn't a member of the group.

Simon.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737283
he does not have to be listed if he is the exchange admin... look at his account and group membership and then look for those groups in the calendar permission settings
use the Get-MailboxFolderPermission servlet in the powershell to list all the permissions of a calendar
0
 

Author Comment

by:Christina Taylor
ID: 38737331
Simon - agreed, permissions are somewhere... just can't seem to find where.

Group membership is a long list as he is our IT Director and has access to most everything, whether this is right or wrong... it's the way it is.  I also have similar access with the exception of two groups, Enterprise Admins & Schema Admins.  I've been tasked to resolve this particular annoying issue.  

theruck - Here is the result on one calendar with the Get-MailboxFolderPermission servlet:
[PS] C:\Windows\system32>Get-MailboxFolderPermission CR-EAST-2ND-FLOOR


RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Default
AccessRights : {None}
Identity     : Default
IsValid      : True

RunspaceId   : cf4e00e1-eb79-4609-9cc7-47ca83d38d04
FolderName   : Top of Information Store
User         : Anonymous
AccessRights : {None}
Identity     : Anonymous
IsValid      : True
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737355
"Top of Information Store" is not a name of a calendar I think...
0
 

Author Comment

by:Christina Taylor
ID: 38737380
cmdlet used  "Get-MailboxFolderPermission CR-EAST-2ND-FLOOR"

See previous comment.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38737496
I don't think it is going to be a permission in the mailbox, it will be an account permission.
As IT Director he should know better than having a single account with permissions to everything, although I do recall having a standup row with an IT director of a FTSE 100 company who thought he should have access to everything on a single account, I won and he doesn't.

Simon.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737571
tell your boss that if he is the domain admin he has to do this himself. and if he is not then create him a regular account and add him to a group with elevated rights and permissions
0
 

Author Comment

by:Christina Taylor
ID: 38737591
Thanks for the comical advice guys... but this does not help me resolve the issue :)  

At a closer look, he and myself have the same access and are both members of all of the same groups with the exception of Schema Admins,  so I'll try removing that group from his account and see what happens.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737617
nothing will happen as schema admin permission does not have anything with this topic. either he is the owner or delegate of all the calendars or has some specific settings set on his mailbox or account
0
 

Author Comment

by:Christina Taylor
ID: 38737720
Ok, thank you - I will have to work through this with him I suppose.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737767
if you have the domain admin rights and exchange admin rights you can have a look and fix it yourself. just check each calendar property and you will find it
0
 

Author Comment

by:Christina Taylor
ID: 38737936
I have gone into each resource calendar, I've checked every tab to see if he's got permissions somewhere and I'm not seeing anything.  

For example, I've checked under
resource policy tab - delegates (not a delegate)
Mail flow settings tab - delivery options - send on behalf OR forward to (nothing here)
Resource In\Out of Policy Request tabs (nothing here)

Is there somewhere I'm missing to check?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38738499
You are wasting your time looking at the properties of the resources individually.
Check what can actually be opened? Can the full mailbox be opened (via Open Other User's folders)? Can anyone's folders be opened?

I doubt very much if the permissions have been modified on each resource individually, hence a group at the domain level is going to be the place to go for.

As for the advice on split permissions - you must have hacked around with the domain to get them to work, as Exchange removes permissions automatically if you are a domain admin. Plus there are additional security issues, particularly if you are in a regulated environment, plus personal and data protection issues - plus my favourite - you have no auditing trail. That means if something goes wrong, you cannot prove who was (or wasn't) to blame.

Simon.
0
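An added example, not part of the thread and not any poster's own code: one way to run the check described in the comments above (which accounts and groups hold Full Mailbox or Receive As rights, and whether the user is a member of any of them) across every resource mailbox in one pass, including rights inherited from the mailbox database. It also queries the calendar folder by path, since Get-MailboxFolderPermission without a folder path returns the mailbox root ("Top of Information Store"). Assumptions: it runs in the Exchange Management Shell with the ActiveDirectory module available, 'jdoe' is a placeholder account name, and the calendar folder has the English name "Calendar".

```powershell
# Added example; 'jdoe' is a placeholder for the affected user's sAMAccountName.
Import-Module ActiveDirectory
$UserSam = 'jdoe'

# The user plus every group he belongs to, nested groups included
# (LDAP_MATCHING_RULE_IN_CHAIN). The primary group is not returned by this filter.
$user     = Get-ADUser $UserSam
$filter   = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$trustees = @($UserSam) + @(Get-ADGroup -LDAPFilter $filter | ForEach-Object { $_.SamAccountName })

function Test-Trustee($aceUser) {
    # ACE trustees are displayed as DOMAIN\name; compare the name part only.
    $trustees -contains ($aceUser.ToString() -replace '^.*\\', '')
}

$findings = @()

# 1. Receive-As granted on a mailbox database applies to every mailbox in it.
foreach ($db in Get-MailboxDatabase) {
    $findings += Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Receive-As*') -and (Test-Trustee $_.User) } |
        Select-Object @{n='Object';e={$db.Name}}, @{n='Layer';e={'Database'}}, User,
                      @{n='Rights';e={$_.ExtendedRights -join ','}}, IsInherited
}

foreach ($mbx in Get-Mailbox -RecipientTypeDetails RoomMailbox,EquipmentMailbox -ResultSize Unlimited) {
    # 2. Mailbox-level rights (FullAccess), explicit or inherited.
    $findings += Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.Deny -and (Test-Trustee $_.User) } |
        Select-Object @{n='Object';e={$mbx.Name}}, @{n='Layer';e={'Mailbox'}}, User,
                      @{n='Rights';e={$_.AccessRights -join ','}}, IsInherited

    # 3. Calendar folder ACL, addressed by folder path. Folder trustees are shown
    #    by display name, so list every entry that grants anything for manual review.
    $findings += Get-MailboxFolderPermission -Identity "$($mbx.Alias):\Calendar" |
        Where-Object { ($_.AccessRights -join ',') -ne 'None' } |
        Select-Object @{n='Object';e={$mbx.Name}}, @{n='Layer';e={'Calendar'}}, User,
                      @{n='Rights';e={$_.AccessRights -join ','}}, @{n='IsInherited';e={$false}}
}

$findings | Sort-Object Layer, Object | Format-Table -AutoSize
```

Rows with Layer "Database" or IsInherited set to True point at a grant made above the individual resource, which is where the comment above suggests looking.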
 

Accepted Solution

by:
Christina Taylor earned 0 total points
ID: 38788883
I think we will probably just blow away this account and recreate it.  The only thing left that we can think to try as something got tweaked and we just cannot locate where.
0
 

Author Closing Comment

by:Christina Taylor
ID: 38804806
Other solutions offered did not resolve the issue.
0
