I have a share mailbox and and run delegate to grant send on behalf user who member of this domain admins group
After several testing, the user still not able to send on behalf instead user able to use Send-As and found this:
I checked on AD Security tab, domain admins group has Send-As permission
I tried to deny it by Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny, but failed
Add-ADPermission : There are multiple users/groups matching the identity "domain admins". Please specify a unique value
At line:1 char:17
Domain Admins is AD Group not AD User. I will tried to deny it using ADUC.
Is denied Send-As permission will enable the user whom member of domain admins group able to send on behalf?