How to give permission for one user ability to ‘Send As’ anyone?

Temporarily I need to give one user the ability to ‘Send As’ other users in our Exchange 2013 server. When testing is done, I will need to take that permission off from that user.

I know how to use PowerShell command (or Exchange admin center) to add ‘Send As’ permission for one user (Ex., below).

Add-ADPermission -Identity "Terry Adams" -User AaronPainter -AccessRights ExtendedRight -ExtendedRights "Send As"

However, I am not in a mood to run this command manually a few hundred times…

Thanks in advance

Satheesh Agatheeswaran (IT Manager) commented:
Not sure about 2013; hope it will be the same as 2007.

User A
User B who needs to Send as User A
Open Exchange Management Console -> Recipient Configuration -->
Right click on User A
Select "Manage Send as Permissions"
Add User B
Satheesh Agatheeswaran (IT Manager) commented:
Sorry, please discard my previous comment; 2013 is different.
The following article might help you to perform it from the GUI
Olevo (Author) commented:
Thanks for a quick reply. However, your suggestion is not what I’m looking for. As I have said in my original post, I already know how to do it ‘one-by-one’. What I’m asking is how to give a particular user the ability to send as anyone in our Exchange environment…
Satheesh Agatheeswaran (IT Manager) commented:
Sorry, my bad, I misunderstood.
Btw, that's a very good question. I am just firing up my test server; I will give it a try and update you.
VB ITS (Specialist Consultant) commented:
You can create a CSV with one column containing the mailboxes you wish to grant the user Send As access to, then use the code below:

Import-Csv c:\scripts\sendasaccess.csv | foreach { Add-ADPermission -Identity $_.mailbox -User <name of user> -AccessRights ExtendedRight -ExtendedRights "Send As" }

CSV/Text file would look like this:
mailbox
John Doe
Jane Doe

EDIT: It might be better to use the mailbox alias instead as the spaces might cause issues.
Olevo (Author) commented:
Thanks VB ITS, that's more like it... Now, I need to find out how to export users from the OU onto *.csv file so I can use it with your PowerShell command example. How do I do that please ;-)
VB ITS (Specialist Consultant) commented:
Try this in the Exchange Management Shell:
Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "OU=Users,OU=Company,DC=DOMAIN,DC=COM" | Select-Object Name | Export-Csv C:\Temp\Mailboxes.csv -NoTypeInformation 

Olevo (Author) commented:
Thanks VB ITS again, would it be better to get mailbox names directly from the Exchange database instead of AD container?! Reason for doing this way is that OU might have users without mailboxes...

Could you please check my steps below and let me know what do you think?

1. Creating *.csv file from DB1  
Get-Mailbox -Database DB1| Select-Object Name | Export-Csv C:\Temp\DB1-Mailboxes.csv -NoTypeInformation

2. Giving KSmith "SendAs" permission (KSmith mailbox as an example here)
Import-Csv c:\temp\DB1-Mailboxes.csv | foreach { Add-ADPermission -Identity $_.Name -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" }

3. If we need to remove "SendAs" permission from KSmith
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" }
VB ITS (Specialist Consultant) commented:
Not a problem Olevo. Sorry but I thought you wanted to export mailboxes from a specified OU in AD? If you proceed with your first command, it will export the names from the entire mailbox database. If this is your goal then I would say go for it.

The code I posted in my previous comment will only export the mailbox names for those with an Exchange mailbox from the specified OU, as we're using the Get-Mailbox EMS command. The rest of your code looks fine from my point of view and should work.
Olevo (Author) commented:
Yes, I did ask about exporting from the OU first. I didn't know that the EMS command will only export mailbox names from the OU with the Exchange attributes on them.

All looks good so far, except when I run command for my 3rd step (Remove-ADPermission) it's prompting me to confirm permission removal... What do I need to add to my command so I don't need to manually click "Yes"
VB ITS (Specialist Consultant) commented:
Try adding -Confirm:$False to the end of the command.
Olevo (Author) commented:
nope,... still asking to type "Y" to confirm to perform action
VB ITS (Specialist Consultant) commented:
I have modified the code from one of your posts above and added in the Confirm switch, see if this works for you.
If we need to remove "SendAs" permission from KSmith
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false } 

Olevo (Author) commented:
thanks for your help. I'll test it tomorrow and let you know
Olevo (Author) commented:
looks good so far except for one little glitch... I have found that some of the AD users have security inheritance permission disabled (working on this problem too). Because of this, PowerShell gives me a red color warning about INSUFF_ACCESS_RIGHTS when it is trying to add "SendAs" permission. Since the error message doesn't tell me on which user "SendAs" permission wasn't set up correctly, I was wondering if you could add something to the script which will generate a log file for failed users... Thanks in advance
VB ITS (Specialist Consultant) commented:
Try this:
Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false } > D:\Path\File.log

Olevo (Author) commented:
Thanks VB ITS... log file is 0KB and empty ;-(
VB ITS (Specialist Consultant) commented:
Ah whoops, try this: Import-Csv c:\temp\sendasaccess.csv | foreach { Remove-ADPermission -Identity $_.mailbox -User KSmith -AccessRights ExtendedRight -ExtendedRights "Send As" -Confirm:$false >> C:\Path\File.log }
Olevo (Author) commented:
Thanks VB ITS, such a quick response... feels like you're sitting in the room next to me ;-)
log file is still empty ;-(
Screen has red errors "INSUFF_ACCESS_RIGHTS" (because of disabled inheritance permission) but I can't see anywhere on the screen (error message) which users were affected by this error?! Now, if the error message (on the screen) doesn't tell me on which user PowerShell is failing... how will the log file have more info?!
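A per-mailbox result log for the bulk grant and removal discussed above, as an added example that is not part of the original thread: the `>` redirection in the earlier commands captures only the success stream, so the errors never reach the file. The function names, `KSmith`, `DB1` and the paths are assumptions for illustration.

```powershell
# Added example; function names, trustee, database and paths are hypothetical.
# Run in the Exchange Management Shell.
function Set-BulkSendAs {
    param(
        [Parameter(Mandatory)] [string] $Trustee,
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $LogPath,
        [switch] $Remove    # revoke instead of grant
    )
    $action  = if ($Remove) { 'Remove' } else { 'Add' }
    $results = foreach ($mbx in Get-Mailbox -Database $Database -ResultSize Unlimited) {
        $row = [pscustomobject]@{
            Time = (Get-Date -Format s); Mailbox = $mbx.DistinguishedName
            Action = $action; Status = 'OK'; Error = ''
        }
        $params = @{
            Identity       = $mbx.DistinguishedName  # unambiguous, no issue with spaces
            User           = $Trustee
            AccessRights   = 'ExtendedRight'
            ExtendedRights = 'Send As'
            ErrorAction    = 'Stop'  # make INSUFF_ACCESS_RIGHTS catchable per mailbox
        }
        try {
            if ($Remove) { Remove-ADPermission @params -Confirm:$false | Out-Null }
            else         { Add-ADPermission @params | Out-Null }
        } catch {
            $row.Status = 'FAILED'
            $row.Error  = $_.Exception.Message
        }
        $row
    }
    $results | Export-Csv -Path $LogPath -NoTypeInformation
    $results | Where-Object { $_.Status -eq 'FAILED' }   # failures go back to the caller
}

# Lists the explicit (non-inherited) Send As entries the trustee still holds,
# to confirm the clean-up once testing is over.
function Get-ExplicitSendAs {
    param([string] $Trustee, [string] $Database)
    Get-Mailbox -Database $Database -ResultSize Unlimited | Get-ADPermission |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and
                       -not $_.IsInherited -and $_.User -like "*\$Trustee" }
}

Set-BulkSendAs -Trustee KSmith -Database DB1 -LogPath C:\Temp\SendAs-add.csv
# ...testing... then revoke and verify that nothing is left behind:
Set-BulkSendAs -Trustee KSmith -Database DB1 -LogPath C:\Temp\SendAs-remove.csv -Remove
Get-ExplicitSendAs -Trustee KSmith -Database DB1
```

The two CSV files also serve as the record of when the organisation-wide Send As grant was opened and closed.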
VB ITS (Specialist Consultant) commented:
Hmmm, that's very strange indeed. How many users are we talking about here? Might be worth just going into AD and then confirming that each account has inheritance turned on if we're not talking about too many users.
Olevo (Author) commented:
quite a few... and they are in diff OU's. Most of the AD users have inheritance permission enabled. Just few users here and there with missing inheritance.
Olevo (Author) commented:
Perhaps, it would be faster to create PowerShell script to "fix" AD user inheritance first... And then add "Send AS" permission. Any thoughts on how to do that?
VB ITS (Specialist Consultant) commented:
Yep that would be the preferred method. Here's a script you can use to achieve this:
Import-Module ActiveDirectory
$Users = Get-ADUser -LDAPFilter "(ObjectClass=User)" -SearchBase "OU=Users,OU=Company,DC=DOMAIN,DC=COM"
ForEach ($User in $Users)
{
    # Bind to the user object (an ADUser converts to its distinguished name in a string)
    $OU = [ADSI]("LDAP://" + $User)
    $SecGroup = $OU.PSBase.ObjectSecurity
    if ($SecGroup.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## Allows inheritance
        $preserveInheritance = $true ## Ignored when $isProtected is $false
        $SecGroup.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $OU.PSBase.CommitChanges() ## Write the modified ACL back to AD
        Write-Host "$User inheritance has been set"
    }
    else
    {
        Write-Host "$User inheritance already set"
    }
}

Olevo (Author) commented:
sorry to be a pain in a b*** how can I get a list of the AD users with disabled inheritance permission only please ;-)
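Listing only the users whose ACL has inheritance disabled, as an added example that is not part of the original thread; the function name and output path are hypothetical, and the search base is the placeholder used earlier in the thread. The `adminCount` value is reported because accounts protected by AdminSDHolder have inheritance disabled by design, and SDProp switches it off again after any change.

```powershell
# Added example; function name and output path are hypothetical.
Import-Module ActiveDirectory

function Get-InheritanceDisabledUser {
    param([Parameter(Mandatory)] [string] $SearchBase)

    # nTSecurityDescriptor is not returned by default, so request it explicitly.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object Name, SamAccountName, DistinguishedName,
            @{ Name = 'AdminCount'; Expression = { $_.adminCount } },
            # adminCount = 1 marks an account that is, or once was, in a protected
            # group; review these by hand instead of re-enabling inheritance in bulk.
            @{ Name = 'ProtectedAccount'; Expression = { $_.adminCount -eq 1 } }
}

Get-InheritanceDisabledUser -SearchBase 'OU=Users,OU=Company,DC=DOMAIN,DC=COM' |
    Sort-Object ProtectedAccount, Name |
    Export-Csv C:\Temp\InheritanceDisabled.csv -NoTypeInformation
```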
