  1. #1


    Shared Calendars - Permissions Not Working!

    Morning all!

    We are experiencing some issues with shared calendars in Exchange, in that all members of staff are able to view and edit any other staff member's Outlook calendar. It seems that setting permissions for individual users or keeping the standard 'Default: None, Anonymous: None' doesn't seem to have any effect!

    We are using Exchange 2003 on Server 2003 and users have Windows XP Pro with Outlook 2003.

    I've had a look at the security permissions on the Mailbox Store in Exchange System Manager and noticed that there are two entries which might have an effect; Domain Admins and Enterprise Admins. The profiles of staff users are not members of either group, however the Staff Organisational Unit folder does have 'Domain Admins' and 'Enterprise Admins' entries under the security tab, both of which have full access rights.

    Is this a possible reason as to why staff can freely edit other staff users' calendars without the need for permissions? Am I right in thinking if I remove 'Domain Admins' and 'Enterprise Admins' from the staff 'OU' folder, this shouldn't have an effect on staff accessing their e-mails?

    Any suggestions are hugely appreciated!

  2. #2

    Hi

    Moving the permissions from the OU would not have any effect as staff are not members.
    Can you pick one staff user and check the mailbox rights permissions on the object?
    Can you also check any delegation rights on this one user for permissions?
    You can browse each other's calendars for free/busy, but you mentioned that users can edit too?
    How are the users accessing another user's calendar and editing calendar entries?

    Sukh

  3. #3
    tarquel
    Don't see how that particular group setting would have any impact on it as such (unless all ur users are Domain Admins :P)... but could be on the right lines, or it could well be some Exchange setting at play. Difficult for me to say for sure as not on Exch 2003 (running 2010 here) but would have thought that the AD integration isn't really far different between versions.

    None of our staff can alter each other's calendars without requesting permission, even those in the groups u mention.

    Might be worth looking in AD Users and Computers console (on the Exchange server specifically or u might not see the relevant entries) - Advanced view - Security on the relevant OU, and see what granular permissions those or the Domain Users group have on it regarding the Exchange related attributes.

    Obviously, use extreme caution with actually changing any of that, as u cud make it a whole lot worse. Exchange 2010 is pretty good at reverting configuration weirdness like that, but I'm not so sure on how good Exch 2003 is with this.

    Regards

  4. #4

    Originally posted by sukh:
    > Hi
    >
    > Moving the permissions from the OU would not have any effect as staff are not members.
    > Can you pick one staff user and check the mailbox rights permissions on the object?
    > Can you also check any delegation rights on this one user for permissions?
    > You can browse each other's calendars for free/busy, but you mentioned that users can edit too?
    > How are the users accessing another user's calendar and editing calendar entries?
    >
    > Sukh

    Thanks for the suggestions so far

    Sukh, if I check the mailbox rights permissions on a staff member's profile, there are a couple of entries that might be allowing them access to other users' calendars; Domain Admins (Full Rights) and Enterprise Admins (Full Rights). I cannot remove these permissions, as they are inherited. Am I right in thinking that these permissions are inherited from the mailbox store in Exchange System Manager and that I should be able to remove these with little effect?

    Users are able to view shared calendars by simply clicking on 'open a shared calendar' and typing in the name of the desired staff member - The user can then add entries and delete existing entries in this calendar!

    There has to be some sort of administrator privilege that is filtering down to all users ... Would the 'Domain Admins' entry in the mailbox store, which filters to all users in AD, cause this? Just double checking!

  5. #5

    Hi

    1. By default the domain admins group should not have Full mailbox access to any mailboxes unless someone has been playing around with permissions.
    2. When checking the permissions are you sure you are not looking at the Deny permission and not the allow permission?
    3. This particular right/attribute is set on the Information Store and is also available in AD. Depends if this attribute was set on the IS before a user was created and mail-enabled or not.
    4. You should not remove these permissions but correct the issue you have.
    5. You mention shared calendars, are these shared calendars in the staff mailboxes or are they dedicated as shared mailboxes which users can use?
    6. Check the membership of the domain admins groups and check whether a user who has access to the shared calendar that shouldn't is a member. Check for any other groups that exist in the domain admins group.
    7. Run the following command from the exchange 2003 server for a user who should not have access to a shared mailbox. Replace username with the username of user as mentioned. DCNAME, enter your domain controller name. "DC......." enter your DN name for domain, i.e. in the example below the FQDN is mydomain.ad.local.com

    ldifde -f username.txt -t 3268 -s DCNAME -d "DC=mydomain,dc=ad,dc=local,dc=com" -p subtree -r "(&(objectClass=user)(samaccountname=username))" -v

    Sukh
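
Points 6 and 7 above, as an added example that is not part of the original post: Python that reads an ldifde export and follows memberOf links through nested groups to show whether an account ends up in Domain Admins or Enterprise Admins. It assumes the export also contains the group objects; the sample data and the function names are constructed for illustration.

```python
import base64

# Constructed sample in the layout ldifde writes; every name here is made up.
SAMPLE_LDIF = """\
dn: CN=Jane Smith,OU=Staff,DC=mydomain,DC=ad,DC=local,DC=com
changetype: add
sAMAccountName: jsmith
memberOf: CN=All Staff,OU=Groups,DC=mydomain,DC=ad,DC=local,DC=com

dn: CN=All Staff,OU=Groups,DC=mydomain,DC=ad,DC=local,DC=com
changetype: add
memberOf: CN=Domain Admins,CN=Users,DC=mydomain,DC=ad,DC=local,
 DC=com
"""

def parse_ldif(text):
    """Return {dn: {attribute: [values]}}, DNs and attribute names lowercased."""
    entries = {}
    # A line starting with one space continues the previous value: rejoin it.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for record in unfolded.split("\n\n"):
        current = None
        for line in record.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: ..." marks a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if attr.lower() == "dn":
                current = entries.setdefault(value.strip().lower(), {})
            elif current is not None:
                current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def effective_groups(entries, sam):
    """Every group DN the account reaches through direct or nested memberOf."""
    stack = [dn for dn, e in entries.items()
             if sam.lower() in (v.lower() for v in e.get("samaccountname", []))]
    seen = set()
    while stack:
        for parent in entries.get(stack.pop(), {}).get("memberof", []):
            if parent.lower() not in seen:     # the seen set also stops group loops
                seen.add(parent.lower())
                stack.append(parent.lower())
    return seen

def privileged_groups(entries, sam, watch=("domain admins", "enterprise admins")):
    """Effective groups whose CN is on the watch list."""
    return sorted(dn for dn in effective_groups(entries, sam)
                  if dn.split(",")[0][3:] in watch)
```

The memberOf attribute does not list an account's primary group (normally Domain Users), so check separately whether that group has been nested into an admin group.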
