none
Grant send as on Distribution group Access Denied

    Question

  • Hi All,

    the following command working on Exchange 2007 but not Exchange 2010.

    Get-distributionGroup "Group A" | Add-adpermission -user "UserB" -AccessRights exntendright -extendrights "Send-as"

    In Exchange 2010, it will have error "This error is not retriable. Additional information " Access is Denied"

    I know I can modify in ADUC, ->security

    but if ok, i would like to grant using powershell

     

    Wednesday, November 20, 2013 7:18 AM

Answers

  • Hello,

    RBAC can be used to provide granular permissions to anyone/anygroup and with RBAC you need to create a management role group and associate role group policies to it and add users accordingly. However, since we are talking about the "Top Most" level of permissions - Organizational Management. Does not matter what you do, when someone is an Organizational Managment group member, FULL permissions will be allowed to that ID - this is by design.

    Simply put - you cannot edit the Organizational Management role assignments and policies.

    best!


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Regards, Siva

    Thursday, November 21, 2013 3:03 PM

All replies

  • Please post the exact command and the exact error message you receive.  What you posted is in error.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Wednesday, November 20, 2013 7:25 AM
  • HI the command and error are on the 1st post.
    Wednesday, November 20, 2013 9:38 AM
  • You will need Organization Management rights to make this change. Do you have those rights?

    HossFly, Exchange Administrator

    Wednesday, November 20, 2013 7:56 PM
  • Hello, the error is because of the AD parameter in the command. You need to have sufficient permissions to invoke AD parameters in your PS command. AD commands could simply be permissions on the AD OU that the Group resides. You can easily check with getting with your domain admins and ask them to delegate permissions for your ID on the AD OU and try again. Also, you must be an Org Admin wiht Exchange.

    Make sure to check any GPO's restricting the AD OU for ACL changes.

    One thing I noticed is your command is incorrect - please use this one

    Add-ADPermission -Identity "SourceMailbox" -User "DestinationMailbox" -AccessRights ExtendedRight -ExtendedRights "send as"


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Regards, Siva

    Wednesday, November 20, 2013 9:17 PM
  • Hello,

    I am using the domain admin to run and I can use the ADUC to update the permission. On the other hand, I have exchange 2007 and exchange 2010 on the production, and I can run the command on Exchange 2007 and for mailbox 2010, also work

    My acct didn't have exchange Organization Management , if it requirement the role of organization Management, do u know how to customize the role so that we can update group permission without let the acct to modify global setting

    Thanks

    Thursday, November 21, 2013 5:37 AM
  • Hello,

    RBAC can be used to provide granular permissions to anyone/anygroup and with RBAC you need to create a management role group and associate role group policies to it and add users accordingly. However, since we are talking about the "Top Most" level of permissions - Organizational Management. Does not matter what you do, when someone is an Organizational Managment group member, FULL permissions will be allowed to that ID - this is by design.

    Simply put - you cannot edit the Organizational Management role assignments and policies.

    best!


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Regards, Siva

    Thursday, November 21, 2013 3:03 PM