Announcement

Collapse
No announcement yet.

Remove a once granted access from user

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Remove a once granted access from user

    We are running an Exchange 2003 server with Outlook 2003 clients.

    User2 worked as an assistant for User1, as such User2 had access to User1's Mail and Calendar. User2 has moved on to another position at the company and should no longer have access to User1's stuff. I removed the rights from User1's Exchange advanced -> Mailbox rights and User2 is no longer granted Send on behalf, but still - as I open User2's Outlook I can Open other users folder and gain access to User1's stuff.

    I'm stuck here. I think I've looked everywhere! But obviously I'm missing something, please help me brainstorm!


    ps
    I've already tried to open User1's stuff from other user accounts, just to make sure it's not open for everyone and therefore also open for User2 - but it isn't open for everyone.

    Last edited by Anders; 26th February 2007, 10:52. Reason: Changed to a more descriptive title
    A wise man once said: "Assumption is the mother of all fu*k ups".

    Any advice I give is to the best of my knowledge, there is no guarantee what so ever that it will actually work in your particular scenario. I will not accept any responsibility for unexpected consequences, after all - you are taking advice from a complete stranger over the internet. =)

  • #2
    Re: Remove a once granted access from user

    I thought I had a solution, but not.

    To insert a Deny entry for Full mailbox access in User properties -> Exchange Advanced -> Mailbox rights.Should preceede over Allow access, thus access would be denied.

    This does not work in my case.
    Last edited by Anders; 26th February 2007, 11:31.
    A wise man once said: "Assumption is the mother of all fu*k ups".

    Any advice I give is to the best of my knowledge, there is no guarantee what so ever that it will actually work in your particular scenario. I will not accept any responsibility for unexpected consequences, after all - you are taking advice from a complete stranger over the internet. =)

    Comment


    • #3
      Re: Remove a once granted access from user

      In user1's outlook there is a delegates tab under tools > options. Remove access to calendar (and other items) from there.
      "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan

      Comment


      • #4
        Re: Remove a once granted access from user

        User2 is already removed from delegation, but User2 still has access to User1's stuff... this is driving me nuts! I've checked and tripplechecked everything and I can't find anything. I checked delegation, I checked access rights in security settings on exchange server... I just can't wrap my brain around this one.
        A wise man once said: "Assumption is the mother of all fu*k ups".

        Any advice I give is to the best of my knowledge, there is no guarantee what so ever that it will actually work in your particular scenario. I will not accept any responsibility for unexpected consequences, after all - you are taking advice from a complete stranger over the internet. =)

        Comment


        • #5
          Re: Remove a once granted access from user

          definitely strange...

          User2 is no longer granted Send on behalf
          did you remove all the other setting related to user2 too?
          "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan

          Comment


          • #6
            Re: Remove a once granted access from user

            How long have you waited before testing again?
            Exchange caches permissions, so it can take a couple of hours before a permission is live.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.

            Comment


            • #7
              Re: Remove a once granted access from user

              The access has been removed for several months, I just stumbled upon this a couple of days ago. When User2 moved on to another position in the company I promptly removed the access rights. (Security settings in Exchange, "send on behalf of" and the Outlook client setting "Delegation")

              User2 has not been, and still isn't, aware of the fact that User2 has access to User1's stuff. User1 is very aware of this problem since User2 sends Out of office replys to email sent to User1.

              A wise man once said: "Assumption is the mother of all fu*k ups".

              Any advice I give is to the best of my knowledge, there is no guarantee what so ever that it will actually work in your particular scenario. I will not accept any responsibility for unexpected consequences, after all - you are taking advice from a complete stranger over the internet. =)

              Comment


              • #8
                Re: Remove a once granted access from user

                I have seen that before.
                Part of the delegate setting is still in the domain.

                I have seen a few things fix this

                - add a new delegate (As that forces the domain to update)
                - remove all delegates and restart Outlook (again forces the domain to update).

                However what it usually ends up is a hack out of the domain manually using adsiedit.msc. Be very careful using adsiedit.msc as it can cause problems with the domain or user account. Think of the warnings you see for the registry, multiple times 100 and consider a change that would affect the entire domain requiring a rebuild of the domain - that is what a false move in delegates could do.

                Simon.
                --
                Simon Butler
                Exchange MVP

                Blog: http://blog.sembee.co.uk/
                More Exchange Content: http://exchange.sembee.info/
                Exchange Resources List: http://exbpa.com/
                In the UK? Hire me: http://www.sembee.co.uk/

                Sembee is a registered trademark, used here with permission.

                Comment


                • #9
                  Re: Remove a once granted access from user

                  Originally posted by Sembee View Post

                  However what it usually ends up is a hack out of the domain manually using adsiedit.msc. Be very careful using adsiedit.msc as it can cause problems with the domain or user account. Think of the warnings you see for the registry, multiple times 100 and consider a change that would affect the entire domain requiring a rebuild of the domain - that is what a false move in delegates could do.

                  Simon.
                  A similar warning exists with the delegates tab is unavailable error...in that case I just copied the entire mailbox to a PST, deleted the mailbox, created a new one (same user), and imported the PST back.
                  "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan

                  Comment


                  • #10
                    Re: Remove a once granted access from user

                    Originally posted by Lior_S View Post
                    A similar warning exists with the delegates tab is unavailable error...in that case I just copied the entire mailbox to a PST, deleted the mailbox, created a new one (same user), and imported the PST back.
                    The hack out of adsiedit.msc for delegates fixes that one. That was the first ever delegate fix I had to do in adsiedit.msc. It made tracking down the problem very easy as I asked the user to remove the other person from delegates and they told me they couldn't.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP

                    Blog: http://blog.sembee.co.uk/
                    More Exchange Content: http://exchange.sembee.info/
                    Exchange Resources List: http://exbpa.com/
                    In the UK? Hire me: http://www.sembee.co.uk/

                    Sembee is a registered trademark, used here with permission.

                    Comment

                    Working...
                    X