Solved

Group permission to "send-as" a Distribution list (works for one group member but not others) - Exchange 2003

Posted on 2008-10-30
13
992 Views
Last Modified: 2012-05-05
Hello,

Server: Windows 2003 Small Business Server (service Packed)
Application: Exchange 2003 (latest SP)

After looking through the numerous questions related to this topic on EE and other websites I'm 99%+ sure that I've got the settings correct.

There is a distribution list that a group of users need to "send as" email from.  

Instead of adding the individuals to the "send as" permissions I created a group and granted the group the rights to do the send as.  

My problem is that only one member of the send-as group can actually do it (as well as the user 'administrator').

I've even given the send-as-group "full" permissions in the security tab.

The error message that is returned (immediately) to the non-working users is that they 'do not have permision to send to this person'

Troubleshooting:
- created a chart showing each user and all groups that they belong to
- the one user that it does work for is in a group (sharepoint admins) that no other user is in, and all users are in a group with at least one other user.  
- the sharepoint admins group is not listed in the security tab of the distribution list and is not a member of any group that is listed.
- rebooted the server
- waited days for the permissions within exchange to propogate even though it only needs a couple of hours

I have set up the ability of AA/secretaries/assistants/etc to be able to send email as their boss on numerous occasions, but this is the first time I'm doing this for a security group to have permissions to 'send-as' a distribution list.

...ultimately what has me stumped is why it works for one user but not the other members of the same group....

Your help and insight is greatly appreciated.  

Doug
0
Comment
Question by:dougclingman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
13 Comments
 
LVL 14

Expert Comment

by:ashwynr
ID: 22843306
Hello Doug,

Does that one member have explicit Full or Send As rights on that Distribution list?

If not then you could check the effective permissions for that one user on that particular distribution list, I think it will show that he has got elevated permissions as compared to others.

- #wyn
0
 

Author Comment

by:dougclingman
ID: 22843633
Ashwynr,

I listed each of the members of the security group that has permission to send-as the distribution list.

Right click/properties on distribution list name > advanced > effective permissions > select... > and then chose each of the group members.

For all the members every check box was checked.  In comparison I chose non-admin users who are not part of the security group.  They did not have the elevated rights.

Thank you for your response.

Doug
0
 
LVL 14

Expert Comment

by:ashwynr
ID: 22856165
Doug,

You said you created a Security Group and added all the users to that group and add that Security Group to the DL granting it Send As permissions.
Just to check, have you changed the group type to 'Security' for the Distribution List?
Also, If the Group Scope of the Security Group is Global then try to change the Group Scope of the DL to Universal and then give it a try.

Not getting much thought at the moment but you could give this a try. I'll post if Im struck with something else. In the mean while you could post your findings and if not me then may be other Experts could help.

#wyn
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Author Comment

by:dougclingman
ID: 22870763
Sorry it took me so long to reply...I didn't get the notification from EE...

I have not changed the group type of the Distribution List to "security."  Are you thinking that this may help?

Just modified the security group from Global to Universal.  I also looked at the DL group and it was set to Global ... went ahead and set it to Universal since every other DL was an Universal.

Thanks,
eric
0
 

Author Comment

by:dougclingman
ID: 22870778
p.s. contacting a user to have them test and then will test again in a couple of hours if it doesn't work now
0
 
LVL 14

Expert Comment

by:ashwynr
ID: 22877008
Yes, the group type needs to be Security and not Distribution for it to work.
This Security Group is also known as Mail Enabled Security Group which would have an email address and also function as a group to grant permissions onto other AD Objects.
0
 

Author Comment

by:dougclingman
ID: 22880002
Just changed the DL from a Distribution Group to a Security Group...contacting a user to have them try sending an email.
0
 

Author Comment

by:dougclingman
ID: 22888036
Ash,

the end use was not able to send the email...

thanks,
doug
0
 
LVL 14

Expert Comment

by:ashwynr
ID: 22888536
Then I really wonder Doug.
What happened if you explicitly grant each user Send As rights in the Security tab of that distribution list.
I think that would be the only way to work with it then unless another Expert throws some light on this.

#wyn
0
 

Author Comment

by:dougclingman
ID: 22894970
Thank you,

My next step is to do one of two things:

- what you said...grant each user explicit rights.  Not preferable, but not that bad because it is a small organization

- wipe it all out and start from scratch...  making the assumption that I've been looking at it for so long that I'm missing something obvious...

Thanks,
doug
0
 
LVL 14

Accepted Solution

by:
ashwynr earned 250 total points
ID: 22899712
Granting Send As rights to individual users should definitely work. However, if its a small organization then it would be ideal to grant users rights to the DL instead of going round about adding it via another security group.
Theoretically it should work however I think its the group scope or something else which we haven't looked at as needed.

#wyn
0
 

Author Closing Comment

by:dougclingman
ID: 31511739
Ashwynr, thanks for the help.  FYI I didn't give the full points only because the initial issue was not resolved, but a work around was given.
0
 
LVL 14

Expert Comment

by:ashwynr
ID: 22931650
Neva mind mate!

I wish if I could have helped you to troubleshoot the initial issue, however if you could check things correctly then would be able to find the loophole.

#wyn
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question