Solved

Is user whom member of domain admins group unable to send on behalf?

Posted on 2014-02-04
5
1,155 Views
Last Modified: 2014-02-23
I have a share mailbox and and run delegate to grant send on behalf user who member of this domain admins group

After several testing, the user still not able to send on behalf instead user able to use Send-As and found this:

http://social.technet.microsoft.com/Forums/exchange/en-US/70c01860-e199-40b4-bbc8-e34270d46edb/shared-mailboxes-send-on-behalf?forum=exchangesvradmin

I checked on AD Security tab, domain admins group has Send-As permission

I tried to deny it by Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny, but failed

Error:
Add-ADPermission : There are multiple users/groups matching the identity "domain admins". Please specify a unique value
At line:1 char:17

Domain Admins is AD Group not AD User. I will tried to deny it using ADUC.

Is denied Send-As permission will enable the user whom member of domain admins group able to send on behalf?
0
Comment
Question by:suriyaehnop
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 200 total points
ID: 39832036
Enabled to do this you need to configure this from Exchange. Send on Behalf is an Exchange attribute and Send As is an AD attribute. You should really be using one or the other. If you want to setup Send on behalf then remove the permission for Send As on the account. Open the ECP and specifically allow Send on Behalf permission. Then test again.

Will.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39832114
Be aware that a permission change can take two hours to be fully effective in Exchange.
Exchange will remove some permissions from members of the protected groups, which includes Domain Admins. It is bad practise to have a regular mail enabled account also a member of domain admins, you should run the split account admin model, where admins have two accounts.

You will always be able to set the permission, but Exchange may well take it away again.

Simon.
0
 
LVL 19

Author Comment

by:suriyaehnop
ID: 39839027
Hi,

Basically, I did removed the account being able "Send-AS" from shared mailbox and the account is able to send of behalf if the account is not member of "Domain Admins" groups.

They put back the account to "Domain Admins" group, I asked them using ADUC to "denied" the "Send-AS" on Domain Admins group at Security tab and the account not able to send on behalf, however the account being able to "Send-AS"

I not sure how long, we wait after denied the send-as of group admins before test but it seem that it is not working.

How to run Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny successfully? Since, it was failed see above.

I believe that this cmdlet is similar to denied the Send-As at Security tab...right

I don't environment to proof that this concept is correct, i really need help on this
0
 
LVL 19

Author Comment

by:suriyaehnop
ID: 39839250
Update:

Did checked with my user, the can use send on behalf.

To run Add-ADPermission successfully, they used as below:

Add-ADPermission "Shared Mailbox" -User "Domain Name\Domain Admins" -ExtendedRights Send-As -Deny

Open in new window


And confirmed that this cmdlet is same as check the denied Send-As at security tab
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 200 total points
ID: 39839342
Domains Admins cannot be granted Send As.
The permission will be removed by Exchange shortly after it has been set. You should not be using Domain Admins for permissions within Exchange.

Simon.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question