Exchange 2003 Mailbox Send As Not working

So I have a Mailbox that I needed a security group Send As permission as well as full access to the mailbox.
I am currently running Exchange 2003 with a Coex Exchange 2010 (In the process of migrating).

When I grant the Security group or the individual user Send As rights, they get a message stating they do not have permission to send on behalf of.

Not sure why this is the case.  I am able to send as user using my account (Domain Admin).

If I do grant Delegate Rights to send on behalf of the users are able to send messages from the mailbox (within the profile) as if it is coming from the mailbox.  If I mount the mailbox to the current user Outlook Profile the message states that the message is sent on behalf of.
yo_bee, Director of Information Technology, asked:
 
Simon Butler (Sembee), Consultant, commented:
If the permission is being removed you need to check whether the adminsdholder value is set to 1.
If they have ever been a member of a protected group then removed that value will stay the same.

Simon.
0
 
Will Szymkowski, Senior Solution Architect, commented:
Send As permissions is an AD Security principal. What I would do is find the user in Active Directory and do the following...
- Ensure that Advanced Features is checked off (view, advanced features)
- right click the user, select properties
- click on the security tab
- click advanced button
- Sort the permissions column
- look for Send As permissions
- If the user is not listed, select Change Permissions button
- Add the User or Group to this and select the Send As permission
- Apply permission when done

You should then be able to Send As the user. As a best practice I would only use Send As or Send on Behalf of, not both.

Will.
0
 
Simon Butler (Sembee), Consultant, commented:
"Not sure why this is the case.  I am able to send as user using my account (Domain Admin)."

That shouldn't be possible.
Exchange 2003 implemented a procedure where a domain account cannot have certain permissions and they will be removed automatically. The only way that it works is if changes were made to the platform.

Exchange 2010 will enforce those restrictions though - you should really be running a split permission model.

Until you said that, I was pretty sure it was the adminsdholder issue, where an account with Admin or Power User rights gets the permissions removed by Exchange automatically.

Simon.
0

 
yo_bee, Director of Information Technology (author), commented:
@Simon:
This is a standard user account not part of any Domain Admin or Power user.
Strange

@Will
Thanks for those steps.  It was exactly what I was doing.  

I did add the Group to the AdminSDHolder container to have Send as rights.  That puts the group in the ACL as special permission.  I did manually add the group and users, but they are removed after 15 mins or so.

I gave the user and group Full Rights to the Mailbox as well.
0
 
Simon Butler (Sembee), Consultant, commented:
"I did add the Group to the AdminSDHolder container to have Send as rights.  That puts the group in the ACL as special permission.  I did manually add the group and users, but they are removed after 15 mins or so."

That is by design. AdminSDHolder stops you from having those permissions and Exchange will remove them.
Furthermore, once an account has been a member of the AdminSDHolder, the setting is not removed automatically. Therefore if they have been a member of a group that setting applies to, the permission will get taken away. You have to remove the AdminSDHolder setting through adsiedit to get the settings to stick.

Simon.
0
 
yo_bee, Director of Information Technology (author), commented:
Just went into ADSIEdit and went to the Security Properties of the System\AdminSDHolder and removed that group.
Let's see what happens.
0
 
yo_bee, Director of Information Technology (author), commented:
Removing the Group from AdminSDHolder did not resolve the removing of the group from the user object security.

Any other suggestion?
0
 
Will Szymkowski, Senior Solution Architect, commented:
If you add a user that is not part of ANY of the protected groups (regular user) add them and try again. This is a typical symptom when the AdminSDHolder removes people from specific security rights.

In an Active Directory domain environment it is a best practice to keep user accounts separate for domain admins etc. An example of this is below...

Account
wills

Domain Admin Account
admin-wills

admin-wills is the account that I used when logging into servers etc. Splitting the accounts like this improves security because if your original account gets compromised it does not have any domain admin privileges.  This also resolves the AdminSDHolder account that scans every hour.

Will.
0
 
yo_bee, Director of Information Technology (author), commented:
The Users are part of the Domain Users group.  No one is a member of any admin group.  The users are still being removed after a short period of time.
0
 
yo_bee, Director of Information Technology (author), commented:
Where do I look for that Value?
0
 
Simon Butler (Sembee), Consultant, commented:
ADSIEDIT

Simon.
0
 
yo_bee, Director of Information Technology (author), commented:
Under the Object that I want to add Security to or the object that I want to give access to?
0
 
yo_bee, Director of Information Technology (author), commented:
I looked at the three objects involved and I do not see adminsdholder in the attributes.
0
 
Simon Butler (Sembee), Consultant, commented:
Look for AdminCount instead.
If that is set, choose edit and then choose clear, so it is set to <not set>

You are looking on the object that is being granted the permissions. So if you are granting user 2, permissions to user 1 then it is user 2 you look at.

Simon.
0
 
yo_bee, Director of Information Technology (author), commented:
Just Checked and the group admincount is <not set>.  The individual users do have an admincount of 1.  Not sure if that makes a difference?
0
 
Simon Butler (Sembee), Consultant, commented:
It is the individual users that you need to look at. If they have it set to 1 then that is your problem. You need to change it to not set.

Simon.
0
 
yo_bee, Director of Information Technology (author), commented:
I will try this, but the weird thing is there are other user objects that are set to 1 and the setting sticks when I apply to other user objects.

I will try this now and let you know.
0
 
yo_bee, Director of Information Technology (author), commented:
Cleared the AdminCount on UserB. UserB was still removed from UserA Security.
0
 
Simon Butler (Sembee), Consultant, commented:
How long did you wait?
It can take a couple of hours before a change in security is fully reflected within Exchange.

Simon.
0
 
yo_bee, Director of Information Technology (author), commented:
I will try today since it has been days now.
0
 
yo_bee, Director of Information Technology (author), commented:
So the user AdminCount for User A was changed back to a count of 1 after some time today.
This is crazy.  I am going to try it with some other User C account and see what happens.
Something must be wrong with the account.
0
 
Simon Butler (Sembee), Consultant, commented:
"So the user AdminCount for User A was changed back to a count of 1 after some time today."

That usually means they are a member of a protected group, either directly or via a group membership (so member of a group, which is a member of a protected account).

Simon.
0
 
yo_bee, Director of Information Technology (author), commented:
When you say Protected does it mean Protected from Deleting?
0
 
Simon Butler (Sembee), Consultant, commented:
No.
Protected groups as defined in this KB article:
https://support.microsoft.com/en-us/kb/907434

Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

Simon.
0
 
yo_bee, Director of Information Technology (author), commented:
Just checked all the groups that User A is a member of and one did come back with an adminCount of 1.
It was the Domain User Group that is a member of the Print Operators Group.

Let's see what happens now.
0
 
yo_bee, Director of Information Technology (author), commented:
Thank you for your time, effort and patience with this issue.

After I removed the Domain User group from the Print Operator Group and removed adminCount (Cleared), that allowed the items to stick in the security.
0
Question has a verified solution.
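
The check that resolved this thread, as an added example that is not from any poster: for one account, list every path from its direct groups (including the primary group, which `memberOf` does not list) into the protected groups named above. It assumes the RSAT ActiveDirectory module and English group names; `Get-ProtectedGroupPath` and `userA` are hypothetical names.

```powershell
# Added example: explain why adminCount keeps returning to 1 on an account.
Import-Module ActiveDirectory

# Protected groups as listed in the thread (KB 907434).
$ProtectedGroups = 'Administrators','Account Operators','Server Operators',
    'Print Operators','Backup Operators','Domain Admins','Schema Admins',
    'Enterprise Admins','Cert Publishers'

function Get-ProtectedGroupPath {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties adminCount, memberOf, PrimaryGroup

    # memberOf omits the primary group (normally Domain Users), so add it
    # explicitly; nesting of that group is the case that is easy to miss.
    $direct = @($user.memberOf) + @($user.PrimaryGroup) |
        Where-Object { $_ } | Select-Object -Unique

    $hits = foreach ($dn in $direct) {
        $start = Get-ADGroup -Identity $dn

        # Escape characters that are special inside an LDAP filter value.
        $safe = $dn -replace '\\','\5c' -replace '\(','\28' `
                    -replace '\)','\29' -replace '\*','\2a'

        # LDAP_MATCHING_RULE_IN_CHAIN: every group that contains $dn,
        # directly or through any depth of nesting.
        $parents = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$safe)"

        foreach ($g in @($start) + @($parents)) {
            if ($ProtectedGroups -contains $g.Name) {
                [pscustomobject]@{
                    User           = $user.SamAccountName
                    UserAdminCount = $user.adminCount
                    DirectGroup    = $start.Name
                    ProtectedGroup = $g.Name
                }
            }
        }
    }
    $hits | Sort-Object DirectGroup, ProtectedGroup -Unique
}

# 'userA' is a placeholder account name.
Get-ProtectedGroupPath -SamAccountName 'userA' | Format-Table -AutoSize
```

An empty result together with `adminCount` of 1 means the value is stale from an earlier membership; any row returned names the nesting that will keep resetting the ACL.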
