Solved

Issues setting Send-As permissions in Exchange 2013 on particular Distribution group

Posted on 2016-11-09
2
25 Views
Last Modified: 2016-11-09
I had this question after viewing Setting Send As Permissions on a Mail Distribution Group.

I have the same issue as above and I've seen the proposed solution before, but I'm not sure if/how it applies here.  

In my situation, I just migrated from 2007 to 2013.  It appears any groups that have existed prior to being migrated (and upgraded) to 2013 now prevent me from being able to manage send-as rights.  I get the insufficient permissions error as indicated in the link above.

With the EAC I created a brand new DL in the same OU as the groups I cannot manage.  I have zero issues managing this group, including its send-as rights.

The test above would indicate that the Exchange Trusted Subsystem only has issues with the pre-existing DL, but I exported the AD permissions of a pre-existing group with the issue and my new test group.  The permissions are 100% identical.

I don't understand what's going on here.  Further I don't understand the statement that Exchange Trusted Subsystem by default does not have permissions to manage send-as.  This makes no sense to me as why would MS give you ability to manage the groups via EAC/Powershell but not assign the necessary permissions to do so?

At any rate, I'm looking forward to any suggestions as to how to remedy my issue as well as explain why the previous solution was even proposed and why it's necessary (when it seems not to be necessary for newly created groups).
0
Comment
Question by:mcdonamwION
  • 2
2 Comments
 

Accepted Solution

by:
mcdonamwION earned 0 total points
ID: 41881405
After copious amounts of searching I was able to track down this is in fact something that occurs by default (shame MS):  https://support.microsoft.com/en-us/kb/2983209

Further I was able to even find that the reason I am able to set send-as permissions on the new group is because in 2013 when Exchange creates the objects, the owner is set to the account of the actual Exchange server that created it.  This allows that Exchange server to continually modify it as needed.  If I ended up on another Exchange server via EAC, even the new group would throw the error as any other Exchange server would not have the needed permission.  https://blogs.technet.microsoft.com/manjubn/2014/06/04/exchange-2010-manage-send-as-permission-only-works-on-the-mailbox-server-where-public-folder-was-created/

In my case, my pre-existing groups all have Domain Admins set as the owner, as that's how things were done in 2007 (under the context of the user(s) who created the groups), but in 2013 it's instead done under the context of Exchange.

It would be nice if the Exchange setup set the correct permissions to the Exchange Windows Permissions group (for which Exchange Trusted Subsystem resides) as it seems to use this group vs. ETS for setting other necessary AD permissions.  I have provided the 'modify permission' to Exchange Windows Permissions group at the root of the domain and my issue is now resolved.
0
 

Author Closing Comment

by:mcdonamwION
ID: 41881412
I found my own solution.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
how to add IIS SMTP to handle application/Scanner relays into office 365.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now