• Status: Solved

removing "send on behalf" in outlook

I have an employee (B) that opens her boss's (A) email, and responds from A's email.  When an email is sent out, it states B sent on behalf of A.  I have researched this problem, and found this:

Exchange administrator instructions to enable Send As permissions
In Microsoft Windows Server 2003, open Active Directory Users and Computers.
On the View menu, click Advanced Features.
Under the domain node, click Users.
Open the user account that you want to add Send As permissions to.
On the Security tab, click Add.
In the Enter the object names to select box, type the display name or user name of the person to whom you want to grant Send As permissions. Multiple users can be added by separating each entry with a semicolon.
Click OK.
In the Permissions list, click Send As, and then select the Allow check box.

The problem is that after about 5 minutes, the setting disappears from AD.  I look at the list and B is not in there anymore.  I recreate the entry, checking allow send as, click apply and OK.  I close it, look back a minute later and it is still there, but after about 5 minutes, the entry disappears.  I have added this both on our Exchange 2003 server in AD, and at the DC, both with the same disappearing results!  How do I get this to stay?

Thanks in advance!
Asked by: RDCit

Raheman M. Abdul (Senior Infrastructure Support Analyst & Systems Developer) commented:
From:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21320544.html?sfQueryTermInfo=1+10+30+behalf+send+stai

Referring links:
   http://groups-beta.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/bb5c4bdce0b14735/2a20f9e5fd127328?q=mucklo#2a20f9e5fd127328

and that link references 2 KBs:  http://support.microsoft.com/?id=318180

and http://support.microsoft.com/?id=817433

Solution:
"Hey there.  I think we fixed it finally.  In one of those KBs, it mentions the AdminSDHolder thread that runs and resets permissions on the hour for members of protected groups.  But, group membership is transitive.  So even if a user isn't in a protected group explicitly, if the user is in a group that is in a protected group, the thread will run on that user.  In our case, the Domain Users group was a member of the protected Print Operators group.  After removing Domain Users from Print Operators, the permissions stopped disappearing."


Hope this helps your issue

Raheman M. Abdul (Senior Infrastructure Support Analyst & Systems Developer) commented:
One solution: It will be fixed if you remove the Print Operators from the Protected Group.

Details: Step by step

Source: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26176874.html

This is from TechNet.

With the query below you can locate the protected group the user is in and/or which accounts are protected. Then you can remove them from this group.

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx


Determining Whether a Security Principal Is Protected by AdminSDHolder

A fairly large number of default users and groups are protected by AdminSDHolder. One thing to keep in mind is that users are protected by AdminSDHolder if they have direct or transitive membership in a security or distribution group. Distribution groups are included because a distribution group can be converted to a security group.

Let's say a user belongs to a distribution list called Canada IT. The Canada IT DL is a member of the North American IT security group; the North American IT security group is a member of the Administrators group. Because the user's transitive group membership includes the Administrators group (by virtue of group nesting), the user's account is protected by AdminSDHolder.

There's an easy way to determine which users and groups AdminSDHolder protects in your domain. You can query the adminCount attribute to determine whether an object is protected by the AdminSDHolder object. The following examples use the ADFind.exe tool, which can be downloaded from joeware.net.

To find all objects in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "adminCount=1" DN

To find all user objects in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectcategory=person)(objectclass=user)(admincount=1))" DN

To find all groups in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectclass=group)(admincount=1))" DN

Note: In the preceding examples, replace DC=domain,DC=com with the distinguished name of your domain
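
The adminCount queries above show which objects are protected, not which nesting makes them so. As an added example (not part of the original answers or the TechNet article), this sketch walks a membership export to find the chain that puts an account under AdminSDHolder; the sample data and function names are constructed for illustration.

```python
from collections import deque

# Subset of the default AdminSDHolder-protected groups; adjust for your domain.
PROTECTED = {"Administrators", "Domain Admins", "Enterprise Admins",
             "Schema Admins", "Account Operators", "Backup Operators",
             "Server Operators", "Print Operators"}

# Constructed sample export: principal -> groups it is a direct member of.
# A real export must add each user's primary group (usually Domain Users),
# because that membership is not listed in the memberOf attribute.
MEMBER_OF = {
    "userB": ["Domain Users"],
    "Domain Users": ["Print Operators"],     # the nesting from the accepted answer
    "canadaUser": ["Canada IT"],
    "Canada IT": ["North American IT"],      # distribution list inside a security group
    "North American IT": ["Administrators"],
    "plainUser": ["Staff"],
    "loopA": ["loopB"], "loopB": ["loopA"],  # circular nesting must not hang the walk
}

def protection_paths(principal, member_of=MEMBER_OF, protected=PROTECTED):
    """Map each protected group the principal reaches to its shortest nesting chain."""
    paths, seen, queue = {}, {principal}, deque([[principal]])
    while queue:
        chain = queue.popleft()
        for group in member_of.get(chain[-1], []):
            if group in seen:
                continue  # already visited, also breaks membership cycles
            seen.add(group)
            if group in protected:
                paths[group] = chain + [group]
            queue.append(chain + [group])
    return paths

def nesting_to_review(principals, member_of=MEMBER_OF, protected=PROTECTED):
    """Return the (member, protected group) links that pull the principals in."""
    return {(chain[-2], chain[-1])
            for p in principals
            for chain in protection_paths(p, member_of, protected).values()}

if __name__ == "__main__":
    for user in ("userB", "canadaUser", "plainUser"):
        found = protection_paths(user)
        for chain in found.values():
            print(f"{user}: PROTECTED via " + " -> ".join(chain))
        if not found:
            print(f"{user}: no path to a protected group")
```

adminCount is not reset when an account leaves a protected group, so an object that matches adminCount=1 but has no chain here carries a stale flag rather than current protection.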