Is user whom member of domain admins group unable to send on behalf?

Posted on 2014-02-04
Medium Priority
Last Modified: 2014-02-23
I have a share mailbox and and run delegate to grant send on behalf user who member of this domain admins group

After several testing, the user still not able to send on behalf instead user able to use Send-As and found this:


I checked on AD Security tab, domain admins group has Send-As permission

I tried to deny it by Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny, but failed

Add-ADPermission : There are multiple users/groups matching the identity "domain admins". Please specify a unique value
At line:1 char:17

Domain Admins is AD Group not AD User. I will tried to deny it using ADUC.

Is denied Send-As permission will enable the user whom member of domain admins group able to send on behalf?
Question by:suriyaehnop
  • 2
  • 2
LVL 53

Accepted Solution

Will Szymkowski earned 600 total points
ID: 39832036
Enabled to do this you need to configure this from Exchange. Send on Behalf is an Exchange attribute and Send As is an AD attribute. You should really be using one or the other. If you want to setup Send on behalf then remove the permission for Send As on the account. Open the ECP and specifically allow Send on Behalf permission. Then test again.

LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39832114
Be aware that a permission change can take two hours to be fully effective in Exchange.
Exchange will remove some permissions from members of the protected groups, which includes Domain Admins. It is bad practise to have a regular mail enabled account also a member of domain admins, you should run the split account admin model, where admins have two accounts.

You will always be able to set the permission, but Exchange may well take it away again.

LVL 19

Author Comment

ID: 39839027

Basically, I did removed the account being able "Send-AS" from shared mailbox and the account is able to send of behalf if the account is not member of "Domain Admins" groups.

They put back the account to "Domain Admins" group, I asked them using ADUC to "denied" the "Send-AS" on Domain Admins group at Security tab and the account not able to send on behalf, however the account being able to "Send-AS"

I not sure how long, we wait after denied the send-as of group admins before test but it seem that it is not working.

How to run Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny successfully? Since, it was failed see above.

I believe that this cmdlet is similar to denied the Send-As at Security tab...right

I don't environment to proof that this concept is correct, i really need help on this
LVL 19

Author Comment

ID: 39839250

Did checked with my user, the can use send on behalf.

To run Add-ADPermission successfully, they used as below:

Add-ADPermission "Shared Mailbox" -User "Domain Name\Domain Admins" -ExtendedRights Send-As -Deny

Open in new window

And confirmed that this cmdlet is same as check the denied Send-As at security tab
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 600 total points
ID: 39839342
Domains Admins cannot be granted Send As.
The permission will be removed by Exchange shortly after it has been set. You should not be using Domain Admins for permissions within Exchange.


Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

There’s hardly a doubt that Business Communication is indispensable for both enterprises and small businesses, and if there is an email system outage owing to Exchange server failure, it definitely results in loss of productivity.
In this article, we will discuss how you can secure Active Directory using free tools, and how you can choose a safe and secure Active Directory security auditing tool.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Watch the video to know how one can repair corrupt Exchange OST file effortlessly and convert OST emails to MS Outlook PST file format by using Kernel for OST to PST converter tool. It can convert OST to MSG, MBOX, EML to access them. It can migrate…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question