We have a user who is able to view another user's calendar and inbox even though that user's calendar and inbox is completely locked down. I am not able to access the calendar or the inbox and I have Enterprise Admin, Domain Admin, Exchange Admin permissions. The user who is able to access the calendar and inbox has fewer permissions than this. We want to know why this user can access a locked down calendar and inbox.

Hi, Did you check both the permissions in the Outlook client and on Exchange? Regards, JohanExchange-blog: www.johanveldhuis.nl

Hello Johan, Thank you for your reply. I did check the permissions on both the client and in Exchange. It is possible that at one time this user had permission to access the user's calendar and mailbox for testing purposes (the user that can access other user's calendars and inboxes is in our IT department) but those permissions have been removed sometime ago. Thanks, BD6675

Hi, Which Exchange version are you using ? JohanExchange-blog: www.johanveldhuis.nl

On Wed, 4 Aug 2010 13:03:29 +0000, bd6675 wrote: >We have a user who is able to view another user's calendar and inbox even though that user's calendar and inbox is completely locked down. I am not able to access the calendar or the inbox and I have Enterprise Admin, Domain Admin, Exchange Admin permissions. All of the users in those groups or roles have an inherited, explicit, "Deny" ACE for "Receive As" and "Send As", so it's not at all surprising you can't use your account to open another mailbox. >The user who is able to access the calendar and inbox has fewer permissions than this. The other person won't have those inherited ACEs. If they can open the other mailbos then they either have the "Receive As" permission or, from Exchange, "Full Mailbox Access". They may have this permission by virtue of being a member of a group that has this permission. >We want to know why this user can access a locked down calendar and inbox. They can't. The mailbox isn't locked down if they can. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Hello Johan, We are using Exchange 2003 SP2 Thanks, BD6675

see the answer from RichExchange-blog: www.johanveldhuis.nl

Hello Rich, Thank you for your reply. To make this easier to follow, I am going to use names. The person who can access every inbox and calendar in the company is named Eric. How would I go about making the change to Eric's account so that he can not access the inbox and calendar of other users? As I mentioned above, Eric and I are in the same groups and he is able to access every inbox and calendar and I am not. Thanks, BD6675

That is what I was asking in my last post. How do I go about making those changes to Eric's account? In Exchange System Manager? Active Directory? Thanks, BD6675

On Thu, 5 Aug 2010 13:16:08 +0000, bd6675 wrote: > Thank you for your reply. To make this easier to follow, I am going to use names. The person who can access every inbox and calendar in the company is named Eric. How would I go about making the change to Eric's account so that he can not access the inbox and calendar of other users? As I mentioned above, Eric and I are in the same groups and he is able to access every inbox and calendar and I am not. If what you say about group memberhip is true, then Eric's account must either inherit the "Receive As" permission on every mailbox or be given "Receive As" permission on each mailbox. Since Eric must be able to open your mailbox, start by looking at the "Security" tab on you AD user with ADUC. Is Eric in the list of security principals on your mailbox? If he is, click on the "Advanced" button and find out what's been assigned to his account. If the permission is inherited you'll be able to use ADSIEDIT to work your way up the hierarchy of objects in the domain naming contxt looking for where the permission was granted. If you don't find it in the domain naming context, switch to the configuration naming context becasue it's possible that the "Receive As" permission is inherited through the Exchange hierarchy. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

When I go to ADUC and go into my account and click the security tab I see no reference to Eric's account.

On Fri, 6 Aug 2010 15:22:00 +0000, bd6675 wrote: >When I go to ADUC and go into my account and click the security tab I see no reference to Eric's account. Is Eric a member of a group that has that permission? Or a member of a group that's a member of a group that has that permission? There's no magic here. Eric has permission to do what he's doing. You just have to dig to find it. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP