suriyaehnop

asked on

Is a user who is a member of the Domain Admins group unable to send on behalf?

I have a shared mailbox and ran delegation to grant Send on Behalf to a user who is a member of the Domain Admins group.

After several tests, the user is still not able to send on behalf; instead, the user is able to use Send-As. I found this:

http://social.technet.microsoft.com/Forums/exchange/en-US/70c01860-e199-40b4-bbc8-e34270d46edb/shared-mailboxes-send-on-behalf?forum=exchangesvradmin

I checked the AD Security tab; the Domain Admins group has the Send-As permission.

I tried to deny it with Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny, but it failed.

Error:
Add-ADPermission : There are multiple users/groups matching the identity "domain admins". Please specify a unique value
At line:1 char:17

Domain Admins is an AD group, not an AD user. I will try to deny it using ADUC.

Will denying the Send-As permission enable a user who is a member of the Domain Admins group to send on behalf?
ASKER CERTIFIED SOLUTION
Will Szymkowski
This solution is only available to members.
Be aware that a permission change can take two hours to be fully effective in Exchange.
Exchange will remove some permissions from members of the protected groups, which include Domain Admins. It is bad practice to have a regular mail-enabled account that is also a member of Domain Admins; you should run the split-account admin model, where admins have two accounts.

You will always be able to set the permission, but Exchange may well take it away again.

Simon.
suriyaehnop

ASKER

Hi,

Basically, I removed the account's ability to "Send-As" from the shared mailbox, and the account is able to send on behalf if the account is not a member of the "Domain Admins" group.

They put the account back in the "Domain Admins" group. I asked them to use ADUC to deny "Send-As" for the Domain Admins group on the Security tab, and the account is not able to send on behalf; however, the account is able to "Send-As".

I am not sure how long we waited after denying Send-As for the admins group before testing, but it seems that it is not working.

How do I run Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny successfully? It failed, as shown above.

I believe that this cmdlet is similar to denying Send-As on the Security tab... right?

I don't have an environment to prove that this concept is correct; I really need help on this.
Update:

I checked with my user; they can use send on behalf.

To run Add-ADPermission successfully, they used the command below:

Add-ADPermission "Shared Mailbox" -User "Domain Name\Domain Admins" -ExtendedRights Send-As -Deny


And confirmed that this cmdlet is the same as checking the denied Send-As on the Security tab.
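
To confirm what the thread describes, the following read-only audit is an added example, not code from any participant in the thread. It lists the Send-As entries and the Send on Behalf delegates on the shared mailbox and marks the ones tied to the protected group. It assumes the Exchange Management Shell with the ActiveDirectory (RSAT) module available; the function name Get-DelegationAudit is hypothetical, and "Shared Mailbox" and "Domain Admins" are the names used in the thread.

```powershell
# Added example (not from the thread). Read-only audit; run in the Exchange
# Management Shell with the ActiveDirectory (RSAT) module available.
Import-Module ActiveDirectory

function Get-DelegationAudit {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,
        [string] $ProtectedGroup = 'Domain Admins'   # group named in the thread
    )
    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

    # DNs of all direct and nested members of the protected group.
    $adminDns = @(Get-ADGroupMember -Identity $ProtectedGroup -Recursive |
        ForEach-Object { $_.DistinguishedName })

    # Send-As is an extended right (ACE) on the mailbox's AD object.
    # An ACE counts as "protected" here when its trustee is the group itself.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.ExtendedRights -like '*Send-As*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Right = 'Send-As'; Trustee = "$($_.User)"
                Deny = $_.Deny; Inherited = $_.IsInherited
                ProtectedGroup = ("$($_.User)" -like "*\$ProtectedGroup")
            }
        }

    # Send on Behalf is a mailbox attribute (GrantSendOnBehalfTo), not an ACE.
    # A delegate counts as "protected" when it is a member of the group.
    foreach ($entry in $mbx.GrantSendOnBehalfTo) {
        $r = Get-Recipient -Identity "$entry" -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Right = 'SendOnBehalf'; Trustee = "$entry"
            Deny = $false; Inherited = $false
            ProtectedGroup = [bool]($r -and ($adminDns -contains $r.DistinguishedName))
        }
    }
}

Get-DelegationAudit -Mailbox 'Shared Mailbox' |
    Select-Object Right, Trustee, Deny, Inherited, ProtectedGroup |
    Format-Table -AutoSize
```

A SendOnBehalf row with ProtectedGroup set to True is a mail-enabled account that is also in Domain Admins, which is the situation the split-account advice above is meant to avoid.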