• RSS
  • Twitter
  • FaceBook

Exchange Server Forums

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Send As permission not really working

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Microsoft Exchange 2007] >> Management >> Send As permission not really working Page: [1]
Login
Message << Older Topic   Newer Topic >>
Send As permission not really working - 1.Aug.2008 7:38:30 AM   
mellimik

 

Posts: 6
Joined: 14.Jul.2008
Status: offline
I've now been toying around with this Send As issue for the whole day and to no avail. I mean, either I don't know what I am doing or then there's a definitive bug in Exchange 2007 SP1. Actually, to be more precise, this probably has to do with AD more than Exchange.

I am able to give Send of Behalf right to any given user and to any given mailbox, just like I can give Full Permissions to whatever mailbox and to whoever user. It is only this Send As that just does not work.

I fully understand by now that Send As right is in the user object ACL, whereas the Send on Behalf is in the mailbox. When I give Send As right through EMC to any given user and to which ever mailbox, it stays there for some time until some minutes pass and it just simply disappears! I can also give the Send As permission though the EMS but the same problem remains; the added permission for the given user disappears after some time.

I've read some documents saying something about users in Domain Admins group being affected by some Active Directory maintanence service, but neither the mailbox to which I modify or the user whom I delegate the rights have Domain Admins security group.

I got the Send As right briefly working by modifying the desired mailbox using ADSIedit, but only for some minutes.

Am I the only only one with this issue? We have two 2003 R2 Domain Controllers with the Domain and Forest functional levels set to Windows Server 2003, and also one Exchange 2007 SP1 server with HT, MB and CAS roles. Both Domain Controllers are acting as Global Catalogs.

EDIT: I just verified that I can see the Send As permision in the ACL list (user object ictservices@<domain>.com) on both of our Domain Controllers (so replication has occured), but this user I'm testing it with (John Doe@<domain>.com) is still unable to send as. John Doe just receives the below from Exchange:

quote:

You are not allowed to send this message because you are trying to send on behalf of another sender without permission to do so. Please verify that you are sending on behalf of the correct sender, or ask your system administrator to help you get the required permission.


< Message edited by mellimik -- 1.Aug.2008 8:17:12 AM >
Post #: 1
RE: Send As permission not really working - 1.Aug.2008 9:15:22 AM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
You can't have both Send As and Send on Behalf of on the same account.
The only time that Send As is removed is because of the Protected User account behaviour - which you have already found.

However I have seen the problem caused by a misbehaving domain controller or poor replication. The change was made and then removed by the old setting being replicated back. In that occasion I ended up removing the other domain controllers to get down to just one and then recreating them fresh from what I believed to be the "master" domain controller.

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://blog.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.sembee.co.uk/
Exchange Resources: http://exbpa.com/

(in reply to mellimik)
Post #: 2
RE: Send As permission not really working - 1.Aug.2008 12:02:47 PM   
John Weber

 

Posts: 1236
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline
Hopefully, you are not using a domain admin account for this testing of your setup.
You need to create a few test users that are at the level of "joe user" so that the domain admin AD rewrite does not affect you.

I cannot remember the exact specifics, but the perms for domain admins are checked and changed to defaults on a regular basis.  If you add something there, a little bit later, el poofo! they are changed back to the defaults.

_____________________________

John Weber [Lync MVP] http://tsoorad.blogspot.com

(in reply to mellimik)
Post #: 3
RE: Send As permission not really working - 1.Aug.2008 5:30:02 PM   
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
quote:

I cannot remember the exact specifics, but the perms for domain admins are checked and changed to defaults on a regular basis.  If you add something there, a little bit later, el poofo! they are changed back to the defaults.


That is due to the AdminSDHolder.  If your account is part of certain security groups, inheritance is reset and permissions are reset.  It's there to ensure that certain groups don't get elevated permissions they shouldn't be getting to compromise people in higher security groups.

As for the original poster, check out my following article:
http://www.shudnow.net/2007/08/12/send-on-behalf-and-send-as/

The article was written early in RTM and I haven't updated it for configuring Send As via the EMC.  I do talk about the issues when enabling both Send As, Send on Behalf both together and how delegate access in Outlook can conflict.

Hope that helps,

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to John Weber)
Post #: 4
RE: Send As permission not really working - 4.Aug.2008 5:28:58 AM   
mellimik

 

Posts: 6
Joined: 14.Jul.2008
Status: offline
quote:

ORIGINAL: Elan Shudnow

quote:

I cannot remember the exact specifics, but the perms for domain admins are checked and changed to defaults on a regular basis.  If you add something there, a little bit later, el poofo! they are changed back to the defaults.


That is due to the AdminSDHolder.  If your account is part of certain security groups, inheritance is reset and permissions are reset.  It's there to ensure that certain groups don't get elevated permissions they shouldn't be getting to compromise people in higher security groups.


Neither one of those two users are in the Domain Admins group. They are both  members of Domain Users security group only. I'm going to look more closer into this once I have the time. Thanks for all the input!

quote:

ORIGINAL: Elan Shudnow
As for the original poster, check out my following article:
http://www.shudnow.net/2007/08/12/send-on-behalf-and-send-as/


Thank you for this. I will go through it ASAP.

(in reply to Elan Shudnow)
Post #: 5
RE: Send As permission not really working - 4.Aug.2008 6:39:57 AM   
mellimik

 

Posts: 6
Joined: 14.Jul.2008
Status: offline
Ok, I created two new users to test with: John Doe and Jane Doe. Here are the commands I ran:

Add-ADPermission "John Doe" -ExtendedRights Sends-As -User jane.doe


And to give mailbox permissions:

Add-MailboxPermission "John Doe" -AccessRights FullAccess -User jane.doe


By using Active Directory Users and Computers snap-in I can verify that the user object "John Doe" has been modified in so that user "Jane Doe" is included in the Security tab with "Send As" ACE. Also Jane Doe is able to view John Doe's mailbox with Outlook (or OWA for that matter)

I waited for minute or two, logged in to Windows as the user Jane Doe, configured Outlook for her Exchange mailbox and tried to send mail using John Doe in the "From" field. Result is:

quote:

 
Delivery has failed to these recipients or distribution lists:
<WHATEVER_RECIPIENT_IN_THE_SAME_ORGANIZATION>
You are not allowed to send this message because you are trying to send on behalf of another sender without permission to do so. Please verify that you are sending on behalf of the correct sender, or ask your system administrator to help you get the required permission.


Then if I wait for a bit longer the ACE entry for Jane Doe (Send As) has disappeared from John Doe's user object. The FullAccess mailbox right is there still, though

(in reply to mellimik)
Post #: 6
RE: Send As permission not really working - 8.Oct.2008 11:39:31 PM   
kokeysian19

 

Posts: 1
Joined: 8.Oct.2008
Status: offline
i'm having this problem, too. But managed to do a workaround by restarting the MS Information Store service. I know this isn't advisable in a production environment but since I was working on dev, I was free to restart it anytime.

I can't find anything that Microsoft is already addressing this issue. Any idea?

(in reply to mellimik)
Post #: 7
RE: Send As permission not really working - 9.Oct.2008 12:25:01 AM   
choppol

 

Posts: 720
Joined: 9.Feb.2003
From: sydney
Status: offline
I found this http://www.tech-archive.net/Archive/Exchange/microsoft.public.exchange.admin/2005-06/msg00155.html but I don't think it will need to take up to 2hrs because if you exchange will need to talk to AD database and add that particular permission.

why 2hrs?

(in reply to kokeysian19)
Post #: 8
RE: Send As permission not really working - 11.Oct.2008 3:00:38 PM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
Exchange caches permissions and settings. This cache is only flushed every couple of hours by default. Restarting Exchange services flushes the cache out.
While you can change the time the cache holds the data for, it is not something that is recommended as it can have a performance hit. Without a cache Exchange would have to query the domain controller for everything, and there are lot of settings that are checked. I once saw a domain brought to its knees by an admin changing the cache to 15 minutes, because of complaints about waiting for the setting to take effect. Microsoft don't do these settings on purpose!

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://blog.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.sembee.co.uk/
Exchange Resources: http://exbpa.com/

(in reply to choppol)
Post #: 9
RE: Send As permission not really working - 12.Oct.2008 10:59:31 PM   
choppol

 

Posts: 720
Joined: 9.Feb.2003
From: sydney
Status: offline
quote:

ORIGINAL: Sembee

Exchange caches permissions and settings. This cache is only flushed every couple of hours by default. Restarting Exchange services flushes the cache out.
While you can change the time the cache holds the data for, it is not something that is recommended as it can have a performance hit. Without a cache Exchange would have to query the domain controller for everything, and there are lot of settings that are checked. I once saw a domain brought to its knees by an admin changing the cache to 15 minutes, because of complaints about waiting for the setting to take effect. Microsoft don't do these settings on purpose!

Simon.


So I'm guessing it's by design then.

(in reply to Sembee)
Post #: 10
RE: Send As permission not really working - 13.Oct.2008 10:09:05 AM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
quote:

ORIGINAL: choppol

quote:

ORIGINAL: Sembee

Exchange caches permissions and settings. This cache is only flushed every couple of hours by default. Restarting Exchange services flushes the cache out.
While you can change the time the cache holds the data for, it is not something that is recommended as it can have a performance hit. Without a cache Exchange would have to query the domain controller for everything, and there are lot of settings that are checked. I once saw a domain brought to its knees by an admin changing the cache to 15 minutes, because of complaints about waiting for the setting to take effect. Microsoft don't do these settings on purpose!

Simon.


So I'm guessing it's by design then.


Yes - it is by design.

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://blog.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.sembee.co.uk/
Exchange Resources: http://exbpa.com/

(in reply to choppol)
Post #: 11
RE: Send As permission not really working - 16.Dec.2010 1:42:50 AM   
eiger3970

 

Posts: 2
Joined: 26.Oct.2010
Status: offline
I received the error:

Delivery has failed to these recipients or distribution lists:


You are not allowed to send this message because you are trying to send on behalf of another sender without permission to do so. Please verify that you are sending on behalf of the correct sender, or ask your system administrator to help you get the required permission.

When I go into EMC
Recipient Configuration
Mailbox
Properties
Mail Flow Settings
Delivery Options
Add, there other other users, however I want to select another mailbox which is under the same useraccount.
I can't select it...what can I do?

(in reply to Sembee)
Post #: 12

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Microsoft Exchange 2007] >> Management >> Send As permission not really working Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts


Follow TechGenix on Twitter