Solved

Is a user who is a member of the Domain Admins group unable to send on behalf?

Posted on 2014-02-04
Last Modified: 2014-02-23
I have a shared mailbox and ran delegation to grant Send on Behalf to a user who is a member of the Domain Admins group.

After several tests, the user is still not able to send on behalf; instead, the user is able to use Send-As. I found this:

http://social.technet.microsoft.com/Forums/exchange/en-US/70c01860-e199-40b4-bbc8-e34270d46edb/shared-mailboxes-send-on-behalf?forum=exchangesvradmin

I checked on the AD Security tab: the Domain Admins group has Send-As permission.

I tried to deny it with Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny, but it failed.

Error:
Add-ADPermission : There are multiple users/groups matching the identity "domain admins". Please specify a unique value
At line:1 char:17

Domain Admins is an AD group, not an AD user. I will try to deny it using ADUC.

Will denying the Send-As permission enable the user who is a member of the Domain Admins group to send on behalf?
Question by:suriyaehnop
5 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 600 total points
ID: 39832036
In order to do this, you need to configure it from Exchange. Send on Behalf is an Exchange attribute and Send As is an AD attribute. You should really be using one or the other. If you want to set up Send on Behalf, then remove the permission for Send As on the account. Open the ECP and specifically allow the Send on Behalf permission. Then test again.

Will.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39832114
Be aware that a permission change can take two hours to be fully effective in Exchange.
Exchange will remove some permissions from members of the protected groups, which include Domain Admins. It is bad practice to have a regular mail-enabled account also be a member of Domain Admins; you should run the split-account admin model, where admins have two accounts.

You will always be able to set the permission, but Exchange may well take it away again.

Simon.
0
 
LVL 19

Author Comment

by:suriyaehnop
ID: 39839027
Hi,

Basically, I removed the account's ability to "Send-As" from the shared mailbox, and the account is able to send on behalf if the account is not a member of the "Domain Admins" group.

They put the account back into the "Domain Admins" group. I asked them to use ADUC to deny "Send-As" for the Domain Admins group on the Security tab, and the account is not able to send on behalf; however, the account is able to "Send-As".

I am not sure how long we waited after denying Send-As for the admins group before testing, but it seems that it is not working.

How can I run Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny successfully? It failed, see above.

I believe that this cmdlet is similar to denying Send-As on the Security tab... right?

I don't have an environment to prove that this concept is correct; I really need help on this.
0
 
LVL 19

Author Comment

by:suriyaehnop
ID: 39839250
Update:

I checked with my user; they can use Send on Behalf.

To run Add-ADPermission successfully, they used the following:

Add-ADPermission "Shared Mailbox" -User "Domain Name\Domain Admins" -ExtendedRights Send-As -Deny

And confirmed that this cmdlet is the same as checking Deny for Send-As on the Security tab.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 600 total points
ID: 39839342
Domain Admins cannot be granted Send As.
The permission will be removed by Exchange shortly after it has been set. You should not be using Domain Admins for permissions within Exchange.

Simon.
0
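
The checks discussed in this thread, collected as a read-only audit (an added example, not code posted by any participant). It assumes the Exchange Management Shell with the ActiveDirectory module available; "Shared Mailbox" and "Domain Admins" are the names used in the thread.

```powershell
# Added example: read-only, changes nothing.
# Assumes Exchange Management Shell plus the ActiveDirectory module.
Import-Module ActiveDirectory

$mailbox = Get-Mailbox -Identity "Shared Mailbox"

# 1. Send on Behalf delegates: stored on the mailbox itself (Exchange attribute).
$mailbox.GrantSendOnBehalfTo | ForEach-Object { "SendOnBehalf delegate: $_" }

# 2. Send-As entries on the mailbox's AD object.
#    Deny shows whether the entry is a deny ACE; IsInherited shows whether it
#    was set on this object or comes from a parent container.
Get-ADPermission -Identity $mailbox.DistinguishedName |
    Where-Object { $_.ExtendedRights -like "*Send-As*" } |
    Sort-Object User |
    Format-Table User, Deny, IsInherited -AutoSize

# 3. Domain Admins members that also have a mail address, i.e. accounts that
#    do not follow the split-account admin model recommended in the thread.
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object { $_.objectClass -eq "user" } |
    ForEach-Object { Get-ADUser -Identity $_ -Properties mail } |
    Where-Object { $_.mail } |
    Format-Table SamAccountName, mail -AutoSize
```

Running it again after the replication delay mentioned above shows whether a Send-As entry set for a protected-group member is still present.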
