wakebrdr77

Send As Permissions Exchange 2007

I posted a question previously about this and the solution worked; however, it isn't really a solution at this time.  I'm trying to grant John permissions to send as (send on behalf) of sales in Exchange 2007.  I have given the following command in the EMC as well as in the GUI to give Send As permissions and Send on Behalf of.

Add-ADPermission "sales" -User "john" -Extendedrights "Send As"

The way I am having John send as sales is to put sales@domain.com in the From line in Outlook.  He then receives the Exchange Delivery notification that he doesn't have permission when attempting to send as sales.  The only way I can get it to work is if I recreate the Outlook profile.  Unfortunately this isn't an option with this user.

Is there something else I can do? It's been over 24 hours so I know the changes have replicated.
ClintSwiney

Is Sales a user defined in AD or in Exchange? In other words, does it have its own mailbox/username? If not, I do not believe you can do this, because you can't send as if the "as" is a contact or alternate SMTP address.
wakebrdr77

ASKER

It has its own AD account and mailbox.  This can be done as I already have other users set up to send as Sales.  I had to recreate their Outlook profile in order for it to work though. I don't want to have to do that this time.  It should be more simple than this.
Send As and Grant Send on Behalf are different.  In your case, you should configure sales@domain.com as a distribution group and configure john to send on behalf.

Set-DistributionGroup "Sales" -GrantSendOnBehalfTo "John","Marc","Peter"

GrantSendOnBehalfTo is a multi-valued property.  You must include all users when you set the property.  You could not run the following, for example:

Set-DistributionGroup "Distribution Group Name" -GrantSendOnBehalfTo "John"
Set-DistributionGroup "Distribution Group Name" -GrantSendOnBehalfTo "Marc"
Set-DistributionGroup "Distribution Group Name" -GrantSendOnBehalfTo "Peter"

Only Peter would have the permission to send on behalf.

------------
Now if you want to set SendAs use this command

Add-AdPermission "Sales" -user john@domain.com -AccessRights extendedright -ExtendedRights "send as"

Note: "Send as" has precedence over "Send on behalf" if you configure both.
Thanks for the clarification martingagnon. I know I don't want to use Send on Behalf as I do not want the recipient to know the true sender.

The command Add-AdPermission "Sales" -user john@domain.com -AccessRights extendedright -ExtendedRights "send as" has already been set for John.

He is still receiving the nondeliverable message.
Verify that the permissions have been applied correctly by running the following command:

Get-AdPermission "Sales" -User John@domain.com

Note: Instead of Sales, you may have to enter the full name domain/OU/Sales

It should return something like:
User                : domain\john
Identity            : domain/OU/Sales
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {Send-As}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

If it returns nothing, it means no permissions have been set for this user.
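Added example, not part of the original thread: an Exchange Management Shell sketch that lists every explicit Send As entry on Sales (including Deny entries, which override an Allow) and then appends one Send on Behalf delegate without overwriting the existing multi-valued list described earlier. "Sales" and "John" are the thread's names; the second part assumes Sales is a distribution group, as in the earlier suggestion, and that the stored delegate identities can be passed back to the cmdlet as strings.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
$target   = "Sales"   # object being sent as / on behalf of (name from the thread)
$delegate = "John"    # user receiving the right (name from the thread)

# 1. Who holds Send As directly on the object?
#    Inherited entries and the object's own SELF entry are filtered out so
#    that only deliberate delegations remain. Deny entries are sorted first
#    because a Deny overrides any Allow for the same user.
Get-ADPermission -Identity $target |
    Where-Object { ($_.ExtendedRights -like "*Send-As*") -and
                   (-not $_.IsInherited) -and
                   (-not ($_.User -like "NT AUTHORITY\SELF")) } |
    Sort-Object Deny -Descending |
    Format-Table User, Deny, IsInherited -AutoSize

# 2. Read the current Send on Behalf delegates as plain strings.
#    @() keeps the result an array even when the list is empty.
$current = @(Get-DistributionGroup $target |
    ForEach-Object { $_.GrantSendOnBehalfTo } |
    ForEach-Object { $_.ToString() })

# 3. Resolve the new delegate to the same identity format, so the
#    duplicate check compares like with like.
$newId = (Get-User $delegate).Identity.ToString()

# 4. Write back the full list (existing delegates plus the new one).
#    Passing only $newId would replace the list, which is the overwrite
#    problem described above. Add -WhatIf to preview the change first.
if ($current -notcontains $newId) {
    Set-DistributionGroup $target -GrantSendOnBehalfTo ($current + $newId)
}

# 5. Confirm the stored result.
Get-DistributionGroup $target | Format-List Name, GrantSendOnBehalfTo
```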
I have exactly that as you showed above, so it appears the permissions have been set.
Has the user logged off and logged back on to get his new security token?  If not, make sure he completely reboots the computer he is using to send as using Outlook.
No, he hasn't, but that probably won't happen until he leaves for the day.  I'll update this again tomorrow. Thanks for your help so far.
The Send As permission is not granted until after replication has occurred. Replication times depend on your Microsoft Exchange and network configuration. To grant the permission immediately, stop and then restart the Microsoft Exchange Information Store service.
Be aware that you cannot send e-mail messages on behalf of a mailbox if the mailbox is hidden from address lists. When sending a message, Exchange requires that an e-mail address is resolved in the From field. In the case where a message is sent on behalf of a mailbox that is hidden from address lists, the SMTP address is interpreted as an address that is not from your organization (known as a foreign address) and is rejected.  

So make sure you select the address from the global address list.  If the user has created a contact named sales@domain.com in his personal contacts, the recipient resolver may try to send as this SMTP address.  By selecting sales@domain.com, you are sure to use the correct object.
The address is available in the global address book.  Also, it's been 3 days for replication and the user still can't send as.  I guess I'm going to have to recreate the profile.
How about you copy his profile with a new name?  That would be quicker than creating a new profile from scratch.  Also, what version is the Microsoft Outlook client?
I'm just going to recreate it, I know that it works that way.  It's Outlook 2007. Thanks for your help.
ASKER CERTIFIED SOLUTION
Shreedhar Ette