"Send As" setting disappearing from AD (Full Version)

All Forums >> [Microsoft Exchange 2003] >> General


SDickson -> "Send As" setting disappearing from AD (27.Jun.2006 4:07:38 AM)

I need to setup "Send as" for my Managing Director's assistant to send emails as him (without the "Sent of behalf" stuff).

I get this to work by going to the AD, properties of the MD, Security Tab and add the assistant with the "Send as" rights allowed.

This works fine.

Problem is....a few hours later it stops working and if I go into AD, the setting has been removed.

Has anyone got any idea what the hell is going on??????

uemurad -> RE: "Send As" setting disappearing from AD (27.Jun.2006 4:46:36 PM)

Sounds like it could be an AD replication issue.  How many domain controllers do you have in your environment?
Also, one of the recent patches (a.k.a. MS security update MS06-019) removes the manually added "Send As" settings.  Was it applied to all of your Exchange servers?

sabel9579 -> RE: "Send As" setting disappearing from AD (27.Jun.2006 8:11:29 PM)

It could also be that the user is a member of a "protected group" which is handled by the adminSDHolder object in AD.  In a nutshell if you try to modify the permissions of a user who is protected by the adminSDholder the background process that runs on the DC's will replace what you do with the default set of perms.  Was or is this user a member of any special groups (administrators, print operators, etc...)

Here is an article that might help you as well if this is the case.


SDickson -> RE: "Send As" setting disappearing from AD (28.Jun.2006 12:52:01 AM)


Thanks for your prompt replies....very impressed.

Unfortunately, neither of these seems to fit.  The AD is replicating fine.  And we have another user setup with the same functionality and it works fine, so no patch has killed the ability to do this.

We also have no protected objects setup and the user is not a member of any groupd that would override her settings.  She only has group access to mailing lists and a departmental group for security.

Anyone else go an idea?

Richard Fleming -> RE: "Send As" setting disappearing from AD (28.Jun.2006 4:02:59 PM)

I know exactly what's going on.

It sounds as if the 'MD' is a member of the Domain Admins group.  The Domain Admin group (as well as a few others) are all a part of a container called AdminSDHolder.  This container acts as a template to it's members and will remove permissions that aren't a part of it.  Microsoft does this as a protection mechanism for those with Administrative privileges in the case that someone deletes important permissions effectively making the account useless.  After around 15 min, all objects are checked and are brought back to what's in the AdminSDHolder container.

I discovered a means to add send as permissions to the AdminSDHolder container, but in your case I'm afraid that it will give the MD's assistant send as permissions to ALL members of the AdminSDHolder group.  I don't think that's what you want :)  If you do want that command, lemme know... I'll post it.


sabel9579 -> RE: "Send As" setting disappearing from AD (29.Jun.2006 3:13:13 PM)

Using this command you can dump all of the users protected by the AdminSDHolder object.  I would recommend you do this and see if the user is in this list.  If they are then this is your issue

ldifde -f Admincount-1.txt -d dc=your domain -r "(&(objectcategory=person)(objectclass=user)(admincount=1))"

sabel9579 -> RE: "Send As" setting disappearing from AD (29.Jun.2006 3:16:23 PM)

As a follow up to my previous post if the user is in this list but is not a member of any "Protected Group" there is a script that Microsoft has that will remove this.  Once run you should then be able to add the "send as" perms back.

Page: [1]