Solved

How to give permission for one user ability to ‘Send As’ anyone?

Posted on 2014-10-09
Last Modified: 2014-10-29
Temporarily I need to give one user the ability to ‘Send As’ other users in our Exchange 2013 server. When testing is done, I will need to take that permission off from that user.

I know how to use a PowerShell command (or the Exchange admin center) to add ‘Send As’ permission for one user (example below).

Add-ADPermission -Identity "Terry Adams" -User AaronPainter -AccessRights ExtendedRight -ExtendedRights "Send As"

However, I am not in a mood to run this command manually a few hundred times…

Thanks in advance
Question by:Olevo

Expert Comment

by:Satheesh Agatheeswaran
ID: 40372259
Not sure about 2013, hope it will be the same as 2007.

Eg.
User A
User B who needs to Send as User A
Open Exchange Management Console -> Recipient Configuration -->
Right click on User A
Select "Manage Send as Permissions"
Add User B

Expert Comment

by:Satheesh Agatheeswaran
ID: 40372261
Sorry, please discard my previous comment, 2013 is different.
The following article might help you to perform it from the GUI:
http://msexchangeguru.com/2013/10/28/mbx-permissions/

Author Comment

by:Olevo
ID: 40372267
Thanks for a quick reply. However, your suggestion is not what I’m looking for. As I have said in my original post, I already know how to do it ‘one-by-one’. What I’m asking is how to give a particular user the ability to send as anyone in our Exchange environment…

Expert Comment

by:Satheesh Agatheeswaran
ID: 40372278
Sorry, my bad, I misunderstood.
BTW that's a very good question. I am just firing up my test server; I will give it a try and update you.

Expert Comment

by:VB ITS
ID: 40372296
You can create a CSV with one column containing the mailboxes you wish to grant the user Send As access to, then use the code below:

Import-Csv c:\scripts\sendasaccess.csv | foreach { Add-ADPermission -Identity $_.mailbox -User <name of user> -AccessRights ExtendedRight -ExtendedRights "Send As" }

CSV/Text file would look like this:
mailbox
John Doe
Jane Doe
etc.

EDIT: It might be better to use the mailbox alias instead as the spaces might cause issues.

Author Comment

by:Olevo
ID: 40379148
Thanks VB ITS, that's more like it... Now, I need to find out how to export users from the OU to a *.csv file so I can use it with your PowerShell command example. How do I do that please ;-)

Expert Comment

by:VB ITS
ID: 40379193
Try this in the Exchange Management Shell:
Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "OU=Users,OU=Company,DC=DOMAIN,DC=COM" | Select-Object Name | Export-Csv C:\Temp\Mailboxes.csv -NoTypeInformation 


Author Comment

by:Olevo
ID: 40381350
Thanks VB ITS again, would it be better to get mailbox names directly from the Exchange database instead of the AD container?! The reason for doing it this way is that the OU might have users without mailboxes...

Could you please check my steps below and let me know what you think?

1. Creating *.csv file from DB1
Get-Mailbox -Database DB1 | Select-Object Name | Export-Csv C:\Temp\DB1-Mailboxes.csv -NoTypeInformation

2. Giving KSmith "SendAs" permission (KSmith mailbox as an example here)
Import-Csv c:\temp\DB1-Mailboxes.csv | foreach { Add-ADPermission -Identity $_.Name -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" }

3. If we need to remove "SendAs" permission from KSmith
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" }

Expert Comment

by:VB ITS
ID: 40381368
Not a problem Olevo. Sorry but I thought you wanted to export mailboxes from a specified OU in AD? If you proceed with your first command, it will export the names from the entire mailbox database. If this is your goal then I would say go for it.

The code I posted in my previous comment will only export the mailbox names for those with an Exchange mailbox from the specified OU, as we're using the Get-Mailbox EMS command. The rest of your code looks fine from my point of view and should work.

Author Comment

by:Olevo
ID: 40381452
Yes, I did ask about exporting from the OU first. I didn't know that the EMS command will only export mailbox names from the OU with the Exchange attributes on them.

All looks good so far, except when I run the command for my 3rd step (Remove-ADPermission) it's prompting me to confirm permission removal... What do I need to add to my command so I don't need to manually click "Yes"?

Expert Comment

by:VB ITS
ID: 40381462
Try adding -Confirm:$False to the end of the command.

Author Comment

by:Olevo
ID: 40381467
nope,... still asking to type "Y" to confirm to perform action

Expert Comment

by:VB ITS
ID: 40381468
I have modified the code from one of your posts above and added in the Confirm switch, see if this works for you.
If we need to remove "SendAs" permission from KSmith
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false } 


Author Comment

by:Olevo
ID: 40381471
thanks for your help. I'll test it tomorrow and let you know

Author Comment

by:Olevo
ID: 40385982
Looks good so far except for one little glitch... I have found that some of the AD users have security inheritance permission disabled (working on this problem too). Because of this, PowerShell gives me a red color warning about INSUFF_ACCESS_RIGHTS when it is trying to add "SendAs" permission. Since the error message doesn't tell me for which user the "SendAs" permission wasn't set up correctly, I was wondering if you could add something to the script which will generate a log file for failed users... Thanks in advance

Expert Comment

by:VB ITS
ID: 40386310
Try this:
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false } > D:\Path\File.log


Author Comment

by:Olevo
ID: 40390950
Thanks VB ITS... log file is 0KB and empty ;-(

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40390965
Ah whoops, try this:
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false >> C:\Path\File.log }

Author Comment

by:Olevo
ID: 40390989
Thanks VB ITS, such a quick response... feels like you're sitting in the room next to me ;-)
The log file is still empty ;-(
The screen has red errors "INSUFF_ACCESS_RIGHTS" (because of disabled inheritance permission) but I can't see anywhere on the screen (error message) which users were affected by this error?! Now, if the error message (on the screen) doesn't tell me on which user PowerShell is failing... how will the log file have more info?!

Expert Comment

by:VB ITS
ID: 40390993
Hmmm, that's very strange indeed. How many users are we talking about here? Might be worth just going into AD and then confirming that each account has inheritance turned on if we're not talking about too many users.

Author Comment

by:Olevo
ID: 40391031
Quite a few... and they are in different OUs. Most of the AD users have inheritance permission enabled. Just a few users here and there with missing inheritance.

Author Comment

by:Olevo
ID: 40391047
Perhaps it would be faster to create a PowerShell script to "fix" AD user inheritance first... And then add "Send As" permission. Any thoughts on how to do that?

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40391067
Yep that would be the preferred method. Here's a script you can use to achieve this:
Import-Module ActiveDirectory
$Users = Get-ADUser -LDAPFilter "(ObjectClass=User)" -SearchBase "OU=Users,OU=Company,DC=DOMAIN,DC=COM"
ForEach ($User in $Users)
{
    # Bind to the user object through ADSI and read its security descriptor
    $OU = [ADSI]("LDAP://" + $User.DistinguishedName)
    $SecGroup = $OU.PSBase.ObjectSecurity

    # AreAccessRulesProtected is true when inheritance is disabled on the object
    if ($SecGroup.get_AreAccessRulesProtected())
    {
        $isProtected = $false          ## $false re-enables inheritance from the parent
        $preserveInheritance = $true   ## ignored when $isProtected is $false
        $SecGroup.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $OU.PSBase.CommitChanges()
        Write-Host "$User inheritance has been set"
    }
    else
    {
        Write-Host "$User inheritance already set"
    }
}


Author Comment

by:Olevo
ID: 40391146
sorry to be a pain in a b*** how can I get a list of the AD users with disabled inheritance permission only please ;-)

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40400866
0
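
Added example, not part of the original thread or any participant's code: one way to cover the two points the thread leaves open, recording which mailbox each INSUFF_ACCESS_RIGHTS failure belongs to and listing the AD users with inheritance disabled, and then revoking and verifying the temporary right. The trustee KSmith and database DB1 come from the thread; the OU path, the C:\Temp file names, the `$Phase` variable and the `Set-TemporarySendAs` function are assumptions made for illustration.

```powershell
# Added example. Run in the Exchange Management Shell; needs the ActiveDirectory module.
# Assumed values: KSmith and DB1 (from the thread), the OU path, the C:\Temp output files.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # make cmdlet failures terminating so try/catch sees them

$Phase     = 'Grant'              # set to 'Revoke' when testing is finished
$Trustee   = 'KSmith'
$Mailboxes = @(Get-Mailbox -Database 'DB1' -ResultSize Unlimited)

# 1. Report (without changing) AD users whose ACL is protected from inheritance.
#    adminCount = 1 marks accounts covered by AdminSDHolder, where disabled
#    inheritance is expected and should be reviewed rather than switched back on.
Get-ADUser -Filter * -SearchBase 'OU=Users,OU=Company,DC=DOMAIN,DC=COM' -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object Name, DistinguishedName, adminCount |
    Export-Csv 'C:\Temp\InheritanceDisabled.csv' -NoTypeInformation

# 2. Grant or revoke Send As one mailbox at a time and record each failure with
#    the mailbox it belongs to. Redirecting with > or >> only captures the
#    success stream, so errors never reach a log written that way.
function Set-TemporarySendAs {
    param([string]$Trustee, [object[]]$Mailboxes, [switch]$Revoke, [string]$LogFile)
    $failures = foreach ($mbx in $Mailboxes) {
        $p = @{ Identity = $mbx.DistinguishedName; User = $Trustee
                AccessRights = 'ExtendedRight'; ExtendedRights = 'Send As' }
        try {
            if ($Revoke) { Remove-ADPermission @p -Confirm:$false | Out-Null }
            else         { Add-ADPermission @p | Out-Null }
        }
        catch {
            [pscustomobject]@{ Mailbox = $mbx.Name; DN = $mbx.DistinguishedName
                               Error = $_.Exception.Message }
        }
    }
    @($failures) | Export-Csv $LogFile -NoTypeInformation
}

if ($Phase -eq 'Grant') {
    Set-TemporarySendAs -Trustee $Trustee -Mailboxes $Mailboxes -LogFile 'C:\Temp\SendAs-grant-failures.csv'
}
else {
    # 3. Revoke, then list any explicit Send As entries the trustee still holds.
    Set-TemporarySendAs -Trustee $Trustee -Mailboxes $Mailboxes -Revoke -LogFile 'C:\Temp\SendAs-revoke-failures.csv'
    $Mailboxes | ForEach-Object { Get-ADPermission -Identity $_.DistinguishedName } |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited -and $_.User -like "*\$Trustee" } |
        Select-Object Identity, User
}
```

An empty result from the final query after the 'Revoke' phase means no mailbox in DB1 still carries an explicit Send As entry for the trustee.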
