Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


How to Set and remove send on behalf rights for Exchange 2003 programatically

Posted on 2007-10-14
Medium Priority
Last Modified: 2010-04-21
Active Directory and Exchange 2003 on Windows.

I am trying to set the "Send on behalf" permission programatically, but I'm missing what I need to set
for exchange permissions. Just setting the publicDelegates is not enough, even if it looks that way
from the GUI side of things.

Does anyone have an example for setting and removing this right from vbscript or .net?
Question by:antwhitehead
LVL 70

Expert Comment

ID: 20074515

Author Comment

ID: 20074747
That thread has been inactive since mid 2006 and does not even mention the non-publicDelegates portion
of the problem. I read that thread and several others before posting the question.
LVL 48

Expert Comment

ID: 20075111
i will ask a VBS guru to comment on this, he is in the UK so might not be here for a bit

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

LVL 71

Expert Comment

by:Chris Dent
ID: 20077613

Hey guys,

I'll certainly have a look. It's unlikely to be today though, I've some work to do for a change.

LVL 71

Accepted Solution

Chris Dent earned 1500 total points
ID: 20086625

Hmm can you tell me what error you get when setting publicDelegates only and attempting to send a mail? "You do not have permission..."?

The tests I've done here seem to indicate that's the extent of the changes required. The value isn't even cached by Exchange so any alteration should work right away.

As you noted, the permissions detailed in the link posted above aren't relevant to Send On Behalf.

I'm sure you have the code already, this is all I used (marginally obscured):

Set objUser = GetObject("LDAP://CN=GAL Test,CN=Users,DC=Domain,DC=com")
objUser.Put "publicDelegates", "CN=Me,OU=Users,OU=Here,DC=Domain,DC=com"

Which is working for both internally and externally delivered mail. Tested on Exchange 2003 (Native Mode Exchange / Native Mode 2003 Domain).


Author Comment

ID: 20086863
Hi Chris,

Thanks for your comment, I'm getting the permission error as you suggested. But all the
GUI dialogs look correct. My code looks pretty much exactly the same as yours but done
by another LDAP API.

Do you think that the VBScript you have used is doing something in the background
other than just adding the correct LDAP attribute to the target DN?

Another wild speculation, is it possible that some global policy is set that is denying
users to do "Send on Behalf" whatever I set in AD?

Again, thanks for your help so far.

LVL 71

Expert Comment

by:Chris Dent
ID: 20086916

Which API are you using? The above uses MS ADSI.

It would perhaps be worth trying the above on your environment (just VbScript) to see if that works. I'm not aware of it performing any actions other than those listed above, but I couldn't rule it out entirely as I don't really dig into the nuts and bolts of how ADSI actually works (only that it does).

I'm not aware of any policies that would deny Send on Behalf globally, overriding local settings. I'll have a dig around though and see if anything turns up.


Author Closing Comment

ID: 31408160
This worked correctly from the start, unfortunatly the error was a miscommunication of what wasn't working from my testers side. They expected to be able to open the mailbox before doing the "Send on Behalf", just setting the publicDelegates does not grant any other permissions, they did not understand that point.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Mailbox Corruption is a nightmare every Exchange DBA wishes he never has. Recovering from it can be super-hectic if not entirely futile. And though techniques like the New-MailboxRepairRequest cmdlet have been designed to help with fixing minor corr…
Among the most obnoxious of Exchange errors is error 1216 – Attached Database Mismatch error of the Jet Database Engine. When faced with this error, users may have to suffer from mailbox inaccessibility and in worst situations, permanent data loss.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question