Preventing two business units from viewing each other's calendars
We're running Exchange 2007 SP1 UR6. All clients are Outlook 2007. We have two groups, Marketing and Research, in the company that should not be allowed to see each other's calendars. Currently, Default and Anonymous are set to None under Calendar permissions. However, we have found that many users between the two groups have explicitly granted each other rights to their calendars.

My hope was that I could set the calendar permissions of all Marketing users to add a group containing all Research employees with a permission of NONE. However, in my testing, it appears that if you're a member of a group that has explicitly been denied permission to a calendar, you can still view the calendar entries if your individual account has more explicit rights. It was my understanding that the more restrictive of the two permissions would work so the group settings would be applied.

Here's a more visual look at what I'm seeing:

Note: Timmy is a member of AllResearchEmployees

Joe Marketing user's calendar permissions
------------------------------------------
AllResearchEmployees - None - Folder not visible
Timmy Research user - Contributing Editor

Results: Timmy can still view and edit items in the calendar even though his group has None for the calendar permissions.

Does anyone have any suggestions on how to prevent these two groups from viewing each other's calendars? Based on the size of the groups, I would prefer to set permissions using group membership.
March 6th, 2010 12:04am

On Fri, 5 Mar 2010 21:04:21 +0000, steversk wrote:

> We're running Exchange 2007 SP1 UR6. All clients are Outlook 2007. We have two groups, Marketing and Research, in the company that should not be allowed to see each other's calendars. Currently, Default and Anonymous are set to None under Calendar permissions. However, we have found that many users between the two groups have explicitly granted each other rights to their calendars.
>
> My hope was that I could set the calendar permissions of all Marketing users to add a group containing all Research employees with a permission of NONE. However, in my testing, it appears that if you're a member of a group that has explicitly been denied permission to a calendar, you can still view the calendar entries if your individual account has more explicit rights. It was my understanding that the more restrictive of the two permissions would work so the group settings would be applied.
>
> Here's a more visual look at what I'm seeing:
>
> Note: Timmy is a member of AllResearchEmployees
>
> Joe Marketing user's calendar permissions
> ------------------------------------------
> AllResearchEmployees - None - Folder not visible
> Timmy Research user - Contributing Editor
>
> Results: Timmy can still view and edit items in the calendar even though his group has None for the calendar permissions.
>
> Does anyone have any suggestions on how to prevent these two groups from viewing each other's calendars? Based on the size of the groups, I would prefer to set permissions using group membership.

Has Joe Marketing made Timmy a delegate on his mailbox?

Check the "Full Access Permission" in the EMC on Joe Marketing's mailbox. Check (in ADUC) the "Security" tab on Joe's user. Are there any groups or users that have "Receive As" permission (e.g. "Everyone")?

---
Rich Matheisen
MCSE+I, Exchange MVP
March 6th, 2010 12:38am

Thanks for the feedback. I checked the delegate and Receive As permission and confirmed it's not set. At this point, I believe it's due to granting access to a Distribution Group that isn't configured as a security group. I've found a few threads that indicate the group must be configured as a security group in order to be able to set permissions for a calendar based on group membership. The group has a recipient type of MailUniversalSecurityGroup so it should work, but the behavior is very similar to what we'd see if we granted permissions to a DG that wasn't a mail-enabled security group.
March 18th, 2010 5:19pm

Confirmed it was due to a difference in lab versus production. Lab had the group set as only a DG where production had their group set as a mail-enabled universal security group. Everything worked as expected. Thanks!
March 19th, 2010 11:53pm

This topic is archived. No further replies will be accepted.
