Solved

How to give permission for one user ability to ‘Send As’ anyone?

Posted on 2014-10-09
Last Modified: 2014-10-29
Temporarily I need to give one user the ability to ‘Send As’ other users in our Exchange 2013 server. When testing is done, I will need to take that permission off from that user.

I know how to use a PowerShell command (or the Exchange admin center) to add ‘Send As’ permission for one user (example below).

Add-ADPermission -Identity "Terry Adams" -User AaronPainter -AccessRights ExtendedRight -ExtendedRights "Send As"

However, I am not in the mood to run this command manually a few hundred times…

Thanks in advance
0
Question by:Olevo
25 Comments
 
LVL 2

Expert Comment

by:Satheesh Agatheeswaran
Not sure about 2013; I hope it will be the same as 2007.

Eg.
User A
User B who needs to Send as User A
Open Exchange Management Console -> Recipient Configuration -->
Right click on User A
Select "Manage Send as Permissions"
Add User B
0
 
LVL 2

Expert Comment

by:Satheesh Agatheeswaran
Sorry, please discard my previous comment; 2013 is different.
The following article might help you to perform it from the GUI:
http://msexchangeguru.com/2013/10/28/mbx-permissions/
0
 
LVL 1

Author Comment

by:Olevo
Thanks for a quick reply. However, your suggestion is not what I’m looking for. As I have said in my original post, I already know how to do it ‘one-by-one’. What I’m asking is how to give a particular user the ability to send as anyone in our Exchange environment…
0
 
LVL 2

Expert Comment

by:Satheesh Agatheeswaran
Sorry, my bad, I misunderstood.
BTW, that's a very good question. I am just firing up my test server; I will give it a try and update you.
0
 
LVL 24

Expert Comment

by:VB ITS
You can create a CSV with one column containing the mailboxes you wish to grant the user Send As access to, then use the code below:

Import-Csv c:\scripts\sendasaccess.csv | foreach { Add-ADPermission -Identity $_.mailbox -User <name of user> -AccessRights ExtendedRight -ExtendedRights "Send As" }


CSV/Text file would look like this:
mailbox
John Doe
Jane Doe
etc.

EDIT: It might be better to use the mailbox alias instead as the spaces might cause issues.
0
 
LVL 1

Author Comment

by:Olevo
Thanks VB ITS, that's more like it... Now, I need to find out how to export users from the OU to a *.csv file so I can use it with your PowerShell command example. How do I do that, please? ;-)
0
 
LVL 24

Expert Comment

by:VB ITS
Try this in the Exchange Management Shell:
Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "OU=Users,OU=Company,DC=DOMAIN,DC=COM" | Select-Object Name | Export-Csv C:\Temp\Mailboxes.csv -NoTypeInformation 

0
 
LVL 1

Author Comment

by:Olevo
Thanks VB ITS again. Would it be better to get mailbox names directly from the Exchange database instead of the AD container?! The reason for doing it this way is that the OU might have users without mailboxes...

Could you please check my steps below and let me know what you think?

1. Creating *.csv file from DB1
Get-Mailbox -Database DB1 | Select-Object Name | Export-Csv C:\Temp\DB1-Mailboxes.csv -NoTypeInformation

2. Giving KSmith "SendAs" permission (KSmith mailbox as an example here)
Import-Csv c:\temp\DB1-Mailboxes.csv | foreach { Add-ADPermission -Identity $_.Name -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" }

3. If we need to remove "SendAs" permission from KSmith
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" }
0
 
LVL 24

Expert Comment

by:VB ITS
Not a problem Olevo. Sorry but I thought you wanted to export mailboxes from a specified OU in AD? If you proceed with your first command, it will export the names from the entire mailbox database. If this is your goal then I would say go for it.

The code I posted in my previous comment will only export the mailbox names for those with an Exchange mailbox from the specified OU, as we're using the Get-Mailbox EMS command. The rest of your code looks fine from my point of view and should work.
0
 
LVL 1

Author Comment

by:Olevo
Yes, I did ask about exporting from the OU first. I didn't know that the EMS command will only export mailbox names from the OU with the Exchange attributes on them.

All looks good so far, except when I run the command for my 3rd step (Remove-ADPermission) it's prompting me to confirm permission removal... What do I need to add to my command so I don't need to manually click "Yes"?
0
 
LVL 24

Expert Comment

by:VB ITS
Try adding -Confirm:$False to the end of the command.
0
 
LVL 1

Author Comment

by:Olevo
Nope... still asking to type "Y" to confirm the action.
0

 
LVL 24

Expert Comment

by:VB ITS
I have modified the code from one of your posts above and added in the Confirm switch, see if this works for you.
If we need to remove "SendAs" permission from KSmith
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false } 

0
 
LVL 1

Author Comment

by:Olevo
Thanks for your help. I'll test it tomorrow and let you know.
0
 
LVL 1

Author Comment

by:Olevo
Looks good so far except for one little glitch... I have found that some of the AD users have security inheritance permission disabled (working on this problem too). Because of this, PowerShell gives me a red warning about INSUFF_ACCESS_RIGHTS when it is trying to add the "SendAs" permission. Since the error message doesn't tell me for which user the "SendAs" permission wasn't set up correctly, I was wondering if you could add something to the script which will generate a log file for failed users... Thanks in advance.
0
 
LVL 24

Expert Comment

by:VB ITS
Try this:
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false } > D:\Path\File.log

0
 
LVL 1

Author Comment

by:Olevo
Thanks VB ITS... log file is 0KB and empty ;-(
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
Ah whoops, try this:
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false >> C:\Path\File.log }
0
 
LVL 1

Author Comment

by:Olevo
Thanks VB ITS, such a quick response... feels like you're sitting in the room next to me ;-)
The log file is still empty ;-(
The screen has red errors "INSUFF_ACCESS_RIGHTS" (because of disabled inheritance permission) but I can't see anywhere on the screen (error message) which users were affected by this error?! Now, if the error message (on the screen) doesn't tell me on which user PowerShell is failing... how will the log file have more info?!
0
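Added example, not code from the thread: the `>` and `>>` redirections above capture only the success stream, and the error text does not name the mailbox, so this script catches each error per CSV row and logs the mailbox beside it. Its Audit action reports where the temporary grant is still present after removal. It assumes a CSV with a `mailbox` column, the delegate KSmith from the thread, and placeholder file paths.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumed: CSV with a "mailbox" column, delegate KSmith, placeholder paths.
param(
    [string]$CsvPath  = 'C:\Temp\sendasaccess.csv',
    [string]$Delegate = 'KSmith',
    [ValidateSet('Add', 'Remove', 'Audit')]
    [string]$Action   = 'Audit',
    [string]$LogPath  = 'C:\Temp\sendas-results.csv'
)

# Make errors terminating (preference variable and per-call switch) so that
# try/catch sees them and can pair each error with the mailbox being processed.
$ErrorActionPreference = 'Stop'
$grant = @{
    User = $Delegate; AccessRights = 'ExtendedRight'
    ExtendedRights = 'Send As'; ErrorAction = 'Stop'
}

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $status = 'OK'; $detail = ''
    try {
        switch ($Action) {
            'Add'    { Add-ADPermission -Identity $row.mailbox @grant | Out-Null }
            'Remove' { Remove-ADPermission -Identity $row.mailbox @grant -Confirm:$false }
            'Audit'  {
                # Is an allow ACE for Send-As still held by the delegate?
                $held = Get-ADPermission -Identity $row.mailbox -User $Delegate -ErrorAction Stop |
                    Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.Deny }
                $status = if ($held) { 'PRESENT' } else { 'ABSENT' }
            }
        }
    } catch {
        $status = 'FAILED'; $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Time     = (Get-Date -Format s); Action = $Action
        Mailbox  = $row.mailbox;         Delegate = $Delegate
        Status   = $status;              Detail = $detail
    }
}

# One row per mailbox, appended so Add / Remove / Audit runs form one record.
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Where-Object { $_.Status -in 'FAILED', 'PRESENT' } |
    Format-Table Mailbox, Status, Detail -AutoSize
```

Running it with `-Action Audit` after the `Remove` pass gives a record that the temporary grant is gone from every mailbox in the list.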
 
LVL 24

Expert Comment

by:VB ITS
Hmmm, that's very strange indeed. How many users are we talking about here? Might be worth just going into AD and then confirming that each account has inheritance turned on if we're not talking about too many users.
0
 
LVL 1

Author Comment

by:Olevo
Quite a few... and they are in different OUs. Most of the AD users have inheritance permission enabled. Just a few users here and there with missing inheritance.
0
 
LVL 1

Author Comment

by:Olevo
Perhaps it would be faster to create a PowerShell script to "fix" AD user inheritance first... and then add the "Send As" permission. Any thoughts on how to do that?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
Yep that would be the preferred method. Here's a script you can use to achieve this:
Import-Module ActiveDirectory
$Users = Get-ADUser -LDAPFilter "(ObjectClass=User)" -SearchBase "OU=Users,OU=Company,DC=DOMAIN,DC=COM"
ForEach($User in $Users)
{
    # Bind to the user object via ADSI ($User expands to its distinguished name)
    $OU = [ADSI]("LDAP://" + $User)
    $SecGroup = $OU.PSBase.ObjectSecurity

    # True when inheritance is disabled on this object
    if ($SecGroup.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## Re-enables inheritance from the parent
        $preserveInheritance = $true ## Ignored when $isProtected is $false
        $SecGroup.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $OU.PSBase.CommitChanges()
        Write-Host "$User inheritance has been set";
    }
    else
    {
        Write-Host "$User inheritance already set"
    }
}

0
 
LVL 1

Author Comment

by:Olevo
Sorry to be a pain in the b***. How can I get a list of only the AD users with disabled inheritance permission, please? ;-)
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
0
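Added example, not the accepted answer and not code from the thread: one way to produce the list asked for above is to read each user's security descriptor and keep only those with inheritance disabled. The report also carries `adminCount`, because accounts covered by AdminSDHolder have inheritance disabled on purpose and are worth reviewing before inheritance is re-enabled or Send As is granted over them. The search base and report path are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
# Assumed: placeholder search base (the OU string used earlier in the thread)
# and a placeholder report path.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,OU=Company,DC=DOMAIN,DC=COM'
$reportPath = 'C:\Temp\inheritance-disabled.csv'

$report = Get-ADUser -Filter * -SearchBase $searchBase `
              -Properties nTSecurityDescriptor, adminCount |
    # AreAccessRulesProtected is $true when the object does not inherit ACEs.
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            Enabled           = $_.Enabled
            # adminCount = 1 marks accounts that are, or once were, covered by
            # AdminSDHolder. For current members of protected groups, SDProp
            # disables inheritance again on its next run.
            AdminCount        = $_.adminCount
        }
    }

# Read-only: nothing is changed in AD, the list is only written out.
$report | Sort-Object AdminCount, SamAccountName |
    Export-Csv -Path $reportPath -NoTypeInformation
$report | Format-Table SamAccountName, Enabled, AdminCount -AutoSize
```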
