We help IT Professionals succeed at work.

Exchange 2010 Send-As permissions do not stay applied

jn2112
jn2112 asked
on
I have an Exchange 2010 server, running on Windows 2008 R2. To make an email sending program work in one of my internal applications, I created an account, and then set Send-As permissions for that account on about 15 user mailboxes. This worked fine for a while, but then the Send-As permission for that account goes away on those mailboxes after some period of time and breaks the program. This error is returned:
"The server response was 550 5.7.1 Client does not have permissions to send as this sender"

If I set the permission again, it will work for a while and then disappear from the accounts. I am doing this through the management console, by going to Recipient Configuration\Mailbox

Right-click the user and choose Manage Send-As permissions. Then I click Add and choose the new account I created and click the Manage button to apply the change.  

I am not an Exchange expert by any measure, so any help would be greatly appreciated.
Comment
Watch Question

AkhaterSolutions Architect

Commented:
the permission is being cleared from all 15 mailboxes ?

usually this will happen when you apply send-as to a mailbox who's owner is part of an AD protected group like

administrators, domain admins etc...

is this the case?

Author

Commented:
When I checked, it was not removed from all the mailboxes. A few accounts are domain admins (mine included). The rest are members of domain users only.

At least one account that was only a domain user also had the permission removed, though not others.  i reset them without keeping count at the time, though I will be more observant next time.
AkhaterSolutions Architect

Commented:
if it is being removed from users that are domains admins then this is a normal behaviour

Author

Commented:
I read that elsewhere. However, what about the other users?

Also, how do I make that work for domain admins? Why is that normal behavior?
AkhaterSolutions Architect

Commented:
The only way to make it work is to remove them the administrators group.

This is the way AD works, the "protected groups" permissions are reset periodically

Author

Commented:
Is there some workaround, such as setting the time period between these resets to be longer?

Also, is there any reason this would happen on a user who's only membership is Domain Users?
AkhaterSolutions Architect

Commented:
it should not happen for users only member of domain users.

And no there no workaround, at least not as far as I know.
Commented:
What about something like this?

dsacls "cn=AdminSDHolder,cn=system,dc=domain,dc=example,dc=com" /G "domain\ApplicationAdminAcct:CA;Send As"
AkhaterSolutions Architect

Commented:
good find !

give me a couple of minutes to think it over
AkhaterSolutions Architect

Commented:
OK looks like you found this in a technet article !

Then it would surely work

Author

Commented:
I have implemented this, and I'll monitor the issue for a few days to see if it seems resolved. I appreciate your help pointing me in the right direction.
AkhaterSolutions Architect

Commented:
Well I honestly think points should be awarded here, I answered your original question that was why they where being wiped out