Solved

How to give permission for one user ability to ‘Send As’ anyone?

Posted on 2014-10-09
Last Modified: 2014-10-29
Temporarily I need to give one user the ability to ‘Send As’ other users in our Exchange 2013 server. When testing is done, I will need to take that permission off from that user.

I know how to use PowerShell command (or Exchange admin center) to add ‘Send As’ permission for one user (Ex., below).

Add-ADPermission -Identity "Terry Adams" -User AaronPainter -AccessRights ExtendedRight -ExtendedRights "Send As"

However, I am not in a mood to run this command manually a few hundred times…

Thanks in advance
0
Question by:Olevo
25 Comments
 
LVL 2

Expert Comment

by:Satheesh Agatheeswaran
ID: 40372259
Not sure about 2013; hope it will be the same as 2007.

Eg.
User A
User B who needs to Send as User A
Open Exchange Management Console -> Recipient Configuration -->
Right click on User A
Select "Manage Send as Permissions"
Add User B
0
 
LVL 2

Expert Comment

by:Satheesh Agatheeswaran
ID: 40372261
Sorry, please discard my previous comment; 2013 is different.
The following article might help you to perform it from the GUI:
http://msexchangeguru.com/2013/10/28/mbx-permissions/
0
 
LVL 1

Author Comment

by:Olevo
ID: 40372267
Thanks for a quick reply. However, your suggestion is not what I’m looking for. As I have said in my original post, I already know how to do it ‘one-by-one’. What I’m asking is how to give a particular user the ability to send as anyone in our Exchange environment…
0
 
LVL 2

Expert Comment

by:Satheesh Agatheeswaran
ID: 40372278
Sorry, my bad, I misunderstood.
BTW that's a very good question. I am just firing up my test server; I will give it a try and update you.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40372296
You can create a CSV with one column containing the mailboxes you wish to grant the user Send As access to, then use the code below:

Import-Csv c:\scripts\sendasaccess.csv | foreach { Add-ADPermission -Identity $_.mailbox -User <name of user> -AccessRights ExtendedRight -ExtendedRights "Send As" }


CSV/Text file would look like this:
mailbox
John Doe
Jane Doe
etc.

EDIT: It might be better to use the mailbox alias instead as the spaces might cause issues.
0
 
LVL 1

Author Comment

by:Olevo
ID: 40379148
Thanks VB ITS, that's more like it... Now, I need to find out how to export users from the OU onto *.csv file so I can use it with your PowerShell command example. How do I do that please ;-)
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40379193
Try this in the Exchange Management Shell:
Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "OU=Users,OU=Company,DC=DOMAIN,DC=COM" | Select-Object Name | Export-Csv C:\Temp\Mailboxes.csv -NoTypeInformation 

0
 
LVL 1

Author Comment

by:Olevo
ID: 40381350
Thanks VB ITS again, would it be better to get mailbox names directly from the Exchange database instead of AD container?! Reason for doing this way is that OU might have users without mailboxes...

Could you please check my steps below and let me know what you think?

1. Creating *.csv file from DB1  
Get-Mailbox -Database DB1| Select-Object Name | Export-Csv C:\Temp\DB1-Mailboxes.csv -NoTypeInformation

2. Giving KSmith "SendAs" permission (KSmith mailbox as an example here)
Import-Csv c:\temp\DB1-Mailboxes.csv | foreach { Add-ADPermission -Identity $_.Name -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" }

3. If we need to remove "SendAs" permission from KSmith
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" }
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40381368
Not a problem Olevo. Sorry but I thought you wanted to export mailboxes from a specified OU in AD? If you proceed with your first command, it will export the names from the entire mailbox database. If this is your goal then I would say go for it.

The code I posted in my previous comment will only export the mailbox names for those with an Exchange mailbox from the specified OU, as we're using the Get-Mailbox EMS command. The rest of your code looks fine from my point of view and should work.
0
 
LVL 1

Author Comment

by:Olevo
ID: 40381452
Yes, I did ask about exporting from OU first. I didn't know that the EMS command will only export mailbox names from the OU with the Exchange attributes on them.

All looks good so far, except when I run command for my 3rd step (Remove-ADPermission) it's prompting me to confirm permission removal... What do I need to add to my command so I don't need to manually click "Yes"
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40381462
Try adding -Confirm:$False to the end of the command.
0
 
LVL 1

Author Comment

by:Olevo
ID: 40381467
nope,... still asking to type "Y" to confirm to perform action
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40381468
I have modified the code from one of your posts above and added in the Confirm switch, see if this works for you.
If we need to remove "SendAs" permission from KSmith
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false } 

0
 
LVL 1

Author Comment

by:Olevo
ID: 40381471
thanks for your help. I'll test it tomorrow and let you know
0
 
LVL 1

Author Comment

by:Olevo
ID: 40385982
looks good so far except for one little glitch... I have found that some of the AD users have security inheritance permission disabled (working on this problem too). Because of this, PowerShell gives me a red color warning about INSUFF_ACCESS_RIGHTS when it is trying to add "SendAs" permission. Since error message doesn't tell me on which user "SendAS"  permission wasn't setup correctly I was wondering if you could add something to the script which will generate a log file for failed users... Thanks in advance
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40386310
Try this:
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false } > D:\Path\File.log

0
 
LVL 1

Author Comment

by:Olevo
ID: 40390950
Thanks VB ITS... log file is 0KB and empty ;-(
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 2000 total points
ID: 40390965
Ah whoops, try this: Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false >> C:\Path\File.log }
0
 
LVL 1

Author Comment

by:Olevo
ID: 40390989
Thanks VB ITS, such a quick response... feels like you're sitting in the room next to me ;-)
log file is still empty ;-(
Screen has red errors "INSUFF_ACCESS_RIGHTS" (because of disabled inheritance permission) but I can't see anywhere on the screen (error message) which users were affected by this error?! Now, if the error message (on the screen) doesn't tell me on which user PowerShell is failing... how will the log file have more info?!
0
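
Added example (not part of the thread): the `>` and `>>` redirections above capture only the success stream, while the INSUFF_ACCESS_RIGHTS errors are written to the error stream, so the log stays empty. One way to record which mailbox failed is to catch each error inside the loop; the function name, file paths and result columns are assumptions, and the CSV is assumed to have the `mailbox` column used earlier in the thread.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
# Set-SendAsFromCsv, the paths and the result columns are illustrative names.
function Set-SendAsFromCsv {
    param(
        [Parameter(Mandatory=$true)] [string] $CsvPath,  # CSV with a 'mailbox' column
        [Parameter(Mandatory=$true)] [string] $Trustee,  # account gaining or losing Send As
        [Parameter(Mandatory=$true)] [string] $LogPath,  # per-mailbox result log (CSV)
        [switch] $Remove                                 # remove instead of grant
    )

    # Make cmdlet errors terminating in this scope so that catch sees them.
    $ErrorActionPreference = 'Stop'

    $results = foreach ($row in Import-Csv -Path $CsvPath) {
        $status = 'OK'
        $detail = ''
        $params = @{
            Identity       = $row.mailbox
            User           = $Trustee
            AccessRights   = 'ExtendedRight'
            ExtendedRights = 'Send As'
            ErrorAction    = 'Stop'
        }
        try {
            if ($Remove) { Remove-ADPermission @params -Confirm:$false }
            else         { Add-ADPermission @params | Out-Null }
        }
        catch {
            # The error text alone does not name the object, so record it here.
            $status = 'FAILED'
            $detail = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Time    = (Get-Date).ToString('s')
            Mailbox = $row.mailbox
            Trustee = $Trustee
            Action  = $(if ($Remove) { 'Remove' } else { 'Add' })
            Status  = $status
            Detail  = $detail
        }
    }

    $results | Select-Object Time, Mailbox, Trustee, Action, Status, Detail |
        Export-Csv -Path $LogPath -NoTypeInformation
    # Return only the failures so they can be reviewed or retried.
    $results | Where-Object { $_.Status -eq 'FAILED' }
}

# Example call with constructed values:
# Set-SendAsFromCsv -CsvPath C:\Temp\sendasaccess.csv -Trustee KSmith -LogPath C:\Temp\SendAs-results.csv
```

Running the same call with `-Remove` when testing is finished gives a matching record of any mailbox where the permission could not be taken off.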
 
LVL 24

Expert Comment

by:VB ITS
ID: 40390993
Hmmm, that's very strange indeed. How many users are we talking about here? Might be worth just going into AD and then confirming that each account has inheritance turned on if we're not talking about too many users.
0
 
LVL 1

Author Comment

by:Olevo
ID: 40391031
Quite a few... and they are in diff OU's. Most of the AD users have inheritance permission enabled. Just a few users here and there with missing inheritance.
0
 
LVL 1

Author Comment

by:Olevo
ID: 40391047
Perhaps, it would be faster to create PowerShell script to "fix" AD user inheritance first... And then add "Send AS" permission. Any thoughts on how to do that?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 2000 total points
ID: 40391067
Yep that would be the preferred method. Here's a script you can use to achieve this:
Import-Module ActiveDirectory
$Users = Get-ADUser -LDAPFilter "(ObjectClass=User)" -SearchBase "OU=Users,OU=Company,DC=DOMAIN,DC=COM"
ForEach ($User in $Users)
{
    # Bind to the user object by its distinguished name
    $OU = [ADSI]("LDAP://" + $User.DistinguishedName)
    # Security descriptor (ACL) of the user object
    $SecGroup = $OU.PSBase.ObjectSecurity

    # True when inheritance is disabled on this object
    if ($SecGroup.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## Allows inheritance
        $preserveInheritance = $true ## Ignored when $isProtected is $false
        $SecGroup.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $OU.PSBase.CommitChanges()
        Write-Host "$User inheritance has been set"
    }
    else
    {
        Write-Host "$User inheritance already set"
    }
}

0
 
LVL 1

Author Comment

by:Olevo
ID: 40391146
sorry to be a pain in a b*** how can I get a list of the AD users with disabled inheritance permission only please ;-)
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 2000 total points
ID: 40400866
0
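
Added example, not the thread's accepted answer (whose body is not on this page): one way to list only the users whose ACL has inheritance disabled, reading the same `AreAccessRulesProtected` flag as the script above through the ActiveDirectory module's `nTSecurityDescriptor` property. The function name and output path are assumptions; the `adminCount` column is included because accounts covered by AdminSDHolder have inheritance disabled by design, and SDProp turns it off again if it is re-enabled.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
# Get-InheritanceDisabledUser and the output path are illustrative names.
Import-Module ActiveDirectory

function Get-InheritanceDisabledUser {
    param(
        [Parameter(Mandatory=$true)] [string] $SearchBase   # OU to search, as a DN
    )

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        # AreAccessRulesProtected is $true when inheritance is disabled on the object.
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object Name, SamAccountName, Enabled, DistinguishedName,
            # adminCount = 1 marks accounts that are, or once were, in a protected group.
            @{ Name = 'AdminCountSet'; Expression = { $_.adminCount -eq 1 } }
}

# Example call, using the placeholder OU from the thread:
# Get-InheritanceDisabledUser -SearchBase 'OU=Users,OU=Company,DC=DOMAIN,DC=COM' |
#     Export-Csv C:\Temp\InheritanceDisabled.csv -NoTypeInformation
```

Rows with `AdminCountSet` true are worth reviewing before inheritance is re-enabled or Send As is granted on them, since those accounts hold or held privileged group membership.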
