rstuemke

Send As Permissions Disappearing From User Mailboxes

We have the need for our admin assistants to be able to send email "as" a number of other users. We have a security group called "Administrative Assistants Group" of which they are all members. To add SendAs permissions to every user mailbox, we ran this command:

get-mailbox | Add-ADPermission -ExtendedRights "Send As" -user "calvaryspringfield.org\Administrative Assistants Group" | FL

Command works fine. Check the user mailboxes thru the EMC > Manage SendAs Permissions and every user shows that group having SendAs permissions. BUT, the problem is after a while, those permissions disappear on every user mailbox. I have researched this and there are numerous reports of this occurring. One site indicated AD replication was not happening across all DCs. Checked AD Sites and found 2 decommissioned DCs still listed. Deleted those. Re-applied permissions but again they disappeared after a while. The funny thing is that this used to work and SendAs permissions never disappeared, so maybe some correction changed the way it works. Needless to say, this can be frustrating for the admin assistants, since they never know if it will work or not... mostly not, because the permissions disappear shortly after being applied. Did not find a real resolution to the problem in research. Anybody got a fix for this? Exchange 2010 running on Windows 2012 Server. Please advise. Thanks.
MattieGreen

What other groups are these users part of?  I've seen this happen when the user / group is part of a protected group. Members of protected groups return to default every hour hence the setting drops off.
Will Szymkowski

As stated already this is most likely a Protected Group issue. The AdminSDHolder service is run every hour and will remove all permissions where users are part of these groups.

AdminSDHolder Explained
https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Will.
rstuemke

ASKER

OK. Here are all the groups that the normal users are members of (those users which get Send As permissions assigned for the Admin Assist. Group):

Several local security groups used to assign permissions to network shares, such as Church Office Group, Church Compliance Group, etc. There are about 6 of these.

Domain Users is the only other one
Should I give Admin Assist Group Send As permissions to Domain Users Group?????
ASKER CERTIFIED SOLUTION
MattieGreen

This solution is only available to members.
OK..... ran this command:

Get-ADGroup -LDAPFilter "(objectcategory=group)(admincount=1)"

And DOMAIN USERS Group shows up as protected.
Ok so check what groups the domain users have been put under. Sounds like someone has dropped that group into the Administrators or Domain Admins Group etc.
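
Added example, not part of the original thread: a read-only PowerShell check that follows the last suggestion by listing every group that contains Domain Users (directly or through nesting), then showing which accounts are flagged adminCount=1, whether ACL inheritance is blocked on them, and whether the Send As entry for the thread's "Administrative Assistants Group" is still present. It assumes the ActiveDirectory RSAT module is available and that the group is named as in the thread.

```powershell
# Added diagnostic sketch (read-only); not code from the thread.
# Assumes the ActiveDirectory module (RSAT) and rights to read AD security descriptors.
Import-Module ActiveDirectory

# The group the thread found flagged with adminCount=1.
$group = Get-ADGroup -Identity 'Domain Users' -Properties adminCount

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) follows nesting, so this
# returns every group that contains Domain Users directly or via other groups.
# Assumes the DN holds no characters that need LDAP filter escaping.
$chain   = "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
$parents = Get-ADGroup -LDAPFilter $chain -Properties adminCount

# Parents with adminCount=1 are the protected groups the membership leads to.
$parents | Sort-Object Name |
    Format-Table Name, adminCount, GroupScope, DistinguishedName -AutoSize

# Direct parents only: this is where an unintended membership would be removed.
Get-ADPrincipalGroupMembership -Identity $group |
    Format-Table Name, DistinguishedName -AutoSize

# Schema GUID of the Send-As extended right.
$sendAs = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

# For each flagged user: is inheritance blocked, and is the group's ACE still there?
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $acl = $_.nTSecurityDescriptor
        $ace = $acl.Access | Where-Object {
            $_.ObjectType -eq $sendAs -and
            $_.IdentityReference -like '*\Administrative Assistants Group'
        }
        [pscustomobject]@{
            User               = $_.SamAccountName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            SendAsAcePresent   = [bool]$ace
        }
    } | Format-Table -AutoSize
```

adminCount is not cleared automatically when an account leaves a protected group, so flagged accounts may still be listed after the nesting is corrected.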