Solved

Send As Permission in Exchange 2010 is always removed

Posted on 2012-04-03
19
2,796 Views
Last Modified: 2013-01-22
Hello,

I have a client who uses Exchange 2010. Ask me to grant Send As permission to a couple of users so the users can send on behalf or abc@client.com email.

I grant them the Send As permission by sharing the Mailbox abc@client.com and tick the Include inheritable permissions from this object's parent in the Security's tab. Because If i will not tick this one, I will not be able to set the Send As permission and will get an error as below:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00


abc\mel
Failed

Error:
Active Directory operation failed on abcsg.client.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.140).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

Exchange Management Shell command attempted:
Add-ADPermission -Identity 'CN=Account Dept,CN=Users,DC=abc,DC=com' -User 'abc\mel' -ExtendedRights 'Send-as'

Elapsed Time: 00:00:00

But after a couple of minutes that I successfully granted the users rights to Send As on behalf of abc@client.com, the Send As permission will be strip off or removed. Can you help me advice on how to permanently add the Send As permission for a specific user?

Thanks!
0
Comment
Question by:MezzutOzil
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 4
  • 4
  • +1
19 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37804528
0
 

Author Comment

by:MezzutOzil
ID: 37804602
Thanks for the article Anuroopsundd but the thing is the users are just members of Domain Users. They do not belong to any protected group as adviced on the article.
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37804607
Did you also tried to give permission using powershell command?
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37804611
Try using Powershell Send-As permissions

If you want to give the user Pete Peterson the Send-As permission for the John Johnson Mailbox you can use the following command line:

get-user -identity “john.johnson@msexchangeblog.nl” | Add-ADPermission -User “pete.peterson@msexchangeblog.nl” -ExtendedRights Send-As

http://www.msexchangeblog.nl/2010/10/22/exchange-full-access-and-send-as-mailbox-permissions-with-powershell/
0
 

Author Comment

by:MezzutOzil
ID: 37804636
yes, i also did that use the same powershell command to provide Send As permission. I can succefully provide the permission but it will be wiped off after a couple of minutes.
0
 
LVL 23

Expert Comment

by:Malli Boppe
ID: 37804654
I grant them the Send As permission by sharing the Mailbox abc@client.com and tick the Include inheritable permissions from this object's parent in the Security's tab. Because If i will not tick this one, I will not be able to set the Send As permission and will get an error as below:

Thats not how you give sendas or send on bahalf permission.
To give sendas you right'click on the mailbox and set send as permissions.
For send on behalf you go to mailbox properties and set it there
0
 

Author Comment

by:MezzutOzil
ID: 37804704
@mboppe: Okay, I was not clear about my steps. Below are the complete steps that I've done to add Send As permission in Exchange 2010.

1. In EMC, I choose the mailbox that I want the users to have send on behalf.
2. Click the Manage Send As Permission and tried adding the users who i want to send on behalf of the mailbox. But doing this, I encountered the error below:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00


abc\mel
Failed

Error:
Active Directory operation failed on abcsg.client.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.140).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

Exchange Management Shell command attempted:
Add-ADPermission -Identity 'CN=Account Dept,CN=Users,DC=abc,DC=com' -User 'abc\mel' -ExtendedRights 'Send-as'

Elapsed Time: 00:00:00

Then, I use the powershell script --> Add-ADPermission NameOfTheMailbox -User domain\user -ExtendedRights "Send As"

then I was able to add the Send As permission. The point is, after a couple of minutes, the Send as Permission will be removed again.

I just checked the Include inheritable permissions from this object's parent in the Security's tab. Because If i will not tick this one, I will not be able to issue the powershell command Add-ADPermission if the mailbox is not a shared type.
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 37804705
Try the following:

1. Open the AD user object for abc@client.com on ADUC
2. Select the Security tab
3. Click on Advance
4. Now click on Add and type the first user that needs access and hit enter
5. Now in the permission entry box, scroll down to send as and click on the "allow" check box (You could also click on full control which will add the send as permissions automatically)
6. Now ask the user to restart his machine and test if it works

Hope this helps!!
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37804716
First some solution for  the error that you are getting through EMC. may be it resolves something. below is related to Blackberry but  has the same error that you are getting.

http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=92E895CD30B7D98520B4E4F1D3447E8B?externalId=KB21225&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
0
 

Author Comment

by:MezzutOzil
ID: 37804741
Hello Hendrik! Thanks for the suggestion. I have also tried this one awhile ago but only difference is that i have an additional step, check the Inherit from object's parent. Let me see if your steps will resolve the issue. Thank you so much!

@Anu - thanks for the continuous reply. I will also look into this article and see if it will resolve my problem id Hendrik's suggestion will not work. :)
0
 

Author Comment

by:MezzutOzil
ID: 37804772
@Hendrik, tried the steps you suggested but still cannot send on behalf. Do i need to restart the Information Store after a have granted them full access?
0
 

Author Comment

by:MezzutOzil
ID: 37804828
I just check again the AD and even the Full Access permission has been removed. it is so crazy! @@ any other suggestions please?
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 37804838
Ensure that the account that you are trying to make the changes with is part of the Organization Management group in AD
0
 

Author Comment

by:MezzutOzil
ID: 37822487
Hi all,

The problem is, the send as permission assigned will be  automatically reverse to the original settings. I tried to run EXBPA > check permissions. Please see the summary as attached.

Where can I find the MyMailDelegation?

Thanks in advance.RDAC---MyMailboxDelegation.pdf
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 37826696
Did you ensure that you are part of the Organization Management group in AD??
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 37827066
Ensure that you have the latest Update Rollup 1 for Exchange Server 2010 Service Pack 2 (KB2645995) installed and try again?
0
 

Author Comment

by:MezzutOzil
ID: 37830888
Hi all,

As in my previous mail, I did a EXBPA on permissions check, and this test completed with 1 issue  as follows:

  RolesGroupsValidation: invalidRoles:

      The 'MyMailBoxDelegation' management role is invalid
      The MyMailboxDelegation management role is in invalid state. This could causes problem assigning permissions through this role.

Where can I find the above role?
0
 

Author Closing Comment

by:MezzutOzil
ID: 37934415
Yes, it works.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This video discusses moving either the default database or any database to a new volume.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question