Solved

Issues setting Send-As permissions in Exchange 2013 on particular Distribution group

Posted on 2016-11-09
2
33 Views
Last Modified: 2016-11-09
I had this question after viewing Setting Send As Permissions on a Mail Distribution Group.

I have the same issue as above and I've seen the proposed solution before, but I'm not sure if/how it applies here.  

In my situation, I just migrated from 2007 to 2013.  It appears any groups that have existed prior to being migrated (and upgraded) to 2013 now prevent me from being able to manage send-as rights.  I get the insufficient permissions error as indicated in the link above.

With the EAC I created a brand new DL in the same OU as the groups I cannot manage.  I have zero issues managing this group, including its send-as rights.

The test above would indicate that the Exchange Trusted Subsystem only has issues with the pre-existing DL, but I exported the AD permissions of a pre-existing group with the issue and my new test group.  The permissions are 100% identical.

I don't understand what's going on here.  Further I don't understand the statement that Exchange Trusted Subsystem by default does not have permissions to manage send-as.  This makes no sense to me as why would MS give you ability to manage the groups via EAC/Powershell but not assign the necessary permissions to do so?

At any rate, I'm looking forward to any suggestions as to how to remedy my issue as well as explain why the previous solution was even proposed and why it's necessary (when it seems not to be necessary for newly created groups).
0
Comment
Question by:mcdonamwION
  • 2
2 Comments
 

Accepted Solution

by:
mcdonamwION earned 0 total points
ID: 41881405
After copious amounts of searching I was able to track down this is in fact something that occurs by default (shame MS):  https://support.microsoft.com/en-us/kb/2983209

Further I was able to even find that the reason I am able to set send-as permissions on the new group is because in 2013 when Exchange creates the objects, the owner is set to the account of the actual Exchange server that created it.  This allows that Exchange server to continually modify it as needed.  If I ended up on another Exchange server via EAC, even the new group would throw the error as any other Exchange server would not have the needed permission.  https://blogs.technet.microsoft.com/manjubn/2014/06/04/exchange-2010-manage-send-as-permission-only-works-on-the-mailbox-server-where-public-folder-was-created/

In my case, my pre-existing groups all have Domain Admins set as the owner, as that's how things were done in 2007 (under the context of the user(s) who created the groups), but in 2013 it's instead done under the context of Exchange.

It would be nice if the Exchange setup set the correct permissions to the Exchange Windows Permissions group (for which Exchange Trusted Subsystem resides) as it seems to use this group vs. ETS for setting other necessary AD permissions.  I have provided the 'modify permission' to Exchange Windows Permissions group at the root of the domain and my issue is now resolved.
0
 

Author Closing Comment

by:mcdonamwION
ID: 41881412
I found my own solution.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now