Solved

Is user whom member of domain admins group unable to send on behalf?

Posted on 2014-02-04
5
1,110 Views
Last Modified: 2014-02-23
I have a share mailbox and and run delegate to grant send on behalf user who member of this domain admins group

After several testing, the user still not able to send on behalf instead user able to use Send-As and found this:

http://social.technet.microsoft.com/Forums/exchange/en-US/70c01860-e199-40b4-bbc8-e34270d46edb/shared-mailboxes-send-on-behalf?forum=exchangesvradmin

I checked on AD Security tab, domain admins group has Send-As permission

I tried to deny it by Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny, but failed

Error:
Add-ADPermission : There are multiple users/groups matching the identity "domain admins". Please specify a unique value
At line:1 char:17

Domain Admins is AD Group not AD User. I will tried to deny it using ADUC.

Is denied Send-As permission will enable the user whom member of domain admins group able to send on behalf?
0
Comment
Question by:suriyaehnop
  • 2
  • 2
5 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 200 total points
ID: 39832036
Enabled to do this you need to configure this from Exchange. Send on Behalf is an Exchange attribute and Send As is an AD attribute. You should really be using one or the other. If you want to setup Send on behalf then remove the permission for Send As on the account. Open the ECP and specifically allow Send on Behalf permission. Then test again.

Will.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39832114
Be aware that a permission change can take two hours to be fully effective in Exchange.
Exchange will remove some permissions from members of the protected groups, which includes Domain Admins. It is bad practise to have a regular mail enabled account also a member of domain admins, you should run the split account admin model, where admins have two accounts.

You will always be able to set the permission, but Exchange may well take it away again.

Simon.
0
 
LVL 18

Author Comment

by:suriyaehnop
ID: 39839027
Hi,

Basically, I did removed the account being able "Send-AS" from shared mailbox and the account is able to send of behalf if the account is not member of "Domain Admins" groups.

They put back the account to "Domain Admins" group, I asked them using ADUC to "denied" the "Send-AS" on Domain Admins group at Security tab and the account not able to send on behalf, however the account being able to "Send-AS"

I not sure how long, we wait after denied the send-as of group admins before test but it seem that it is not working.

How to run Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny successfully? Since, it was failed see above.

I believe that this cmdlet is similar to denied the Send-As at Security tab...right

I don't environment to proof that this concept is correct, i really need help on this
0
 
LVL 18

Author Comment

by:suriyaehnop
ID: 39839250
Update:

Did checked with my user, the can use send on behalf.

To run Add-ADPermission successfully, they used as below:

Add-ADPermission "Shared Mailbox" -User "Domain Name\Domain Admins" -ExtendedRights Send-As -Deny

Open in new window


And confirmed that this cmdlet is same as check the denied Send-As at security tab
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 200 total points
ID: 39839342
Domains Admins cannot be granted Send As.
The permission will be removed by Exchange shortly after it has been set. You should not be using Domain Admins for permissions within Exchange.

Simon.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now