Solved

Is user whom member of domain admins group unable to send on behalf?

Posted on 2014-02-04
5
1,100 Views
Last Modified: 2014-02-23
I have a share mailbox and and run delegate to grant send on behalf user who member of this domain admins group

After several testing, the user still not able to send on behalf instead user able to use Send-As and found this:

http://social.technet.microsoft.com/Forums/exchange/en-US/70c01860-e199-40b4-bbc8-e34270d46edb/shared-mailboxes-send-on-behalf?forum=exchangesvradmin

I checked on AD Security tab, domain admins group has Send-As permission

I tried to deny it by Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny, but failed

Error:
Add-ADPermission : There are multiple users/groups matching the identity "domain admins". Please specify a unique value
At line:1 char:17

Domain Admins is AD Group not AD User. I will tried to deny it using ADUC.

Is denied Send-As permission will enable the user whom member of domain admins group able to send on behalf?
0
Comment
Question by:suriyaehnop
  • 2
  • 2
5 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 200 total points
ID: 39832036
Enabled to do this you need to configure this from Exchange. Send on Behalf is an Exchange attribute and Send As is an AD attribute. You should really be using one or the other. If you want to setup Send on behalf then remove the permission for Send As on the account. Open the ECP and specifically allow Send on Behalf permission. Then test again.

Will.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39832114
Be aware that a permission change can take two hours to be fully effective in Exchange.
Exchange will remove some permissions from members of the protected groups, which includes Domain Admins. It is bad practise to have a regular mail enabled account also a member of domain admins, you should run the split account admin model, where admins have two accounts.

You will always be able to set the permission, but Exchange may well take it away again.

Simon.
0
 
LVL 18

Author Comment

by:suriyaehnop
ID: 39839027
Hi,

Basically, I did removed the account being able "Send-AS" from shared mailbox and the account is able to send of behalf if the account is not member of "Domain Admins" groups.

They put back the account to "Domain Admins" group, I asked them using ADUC to "denied" the "Send-AS" on Domain Admins group at Security tab and the account not able to send on behalf, however the account being able to "Send-AS"

I not sure how long, we wait after denied the send-as of group admins before test but it seem that it is not working.

How to run Add-ADPermission "Shared Mailbox" -User "Domain Admins" -ExtendedRights Send-As -Deny successfully? Since, it was failed see above.

I believe that this cmdlet is similar to denied the Send-As at Security tab...right

I don't environment to proof that this concept is correct, i really need help on this
0
 
LVL 18

Author Comment

by:suriyaehnop
ID: 39839250
Update:

Did checked with my user, the can use send on behalf.

To run Add-ADPermission successfully, they used as below:

Add-ADPermission "Shared Mailbox" -User "Domain Name\Domain Admins" -ExtendedRights Send-As -Deny

Open in new window


And confirmed that this cmdlet is same as check the denied Send-As at security tab
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 200 total points
ID: 39839342
Domains Admins cannot be granted Send As.
The permission will be removed by Exchange shortly after it has been set. You should not be using Domain Admins for permissions within Exchange.

Simon.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now