Answered by:
Grant send as on Distribution group Access Denied

-
Hi All,
the following command working on Exchange 2007 but not Exchange 2010.
Get-distributionGroup "Group A" | Add-adpermission -user "UserB" -AccessRights exntendright -extendrights "Send-as"
In Exchange 2010, it will have error "This error is not retriable. Additional information " Access is Denied"
I know I can modify in ADUC, ->security
but if ok, i would like to grant using powershell
Question
Answers
-
Hello,
RBAC can be used to provide granular permissions to anyone/anygroup and with RBAC you need to create a management role group and associate role group policies to it and add users accordingly. However, since we are talking about the "Top Most" level of permissions - Organizational Management. Does not matter what you do, when someone is an Organizational Managment group member, FULL permissions will be allowed to that ID - this is by design.
Simply put - you cannot edit the Organizational Management role assignments and policies.
best!
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Regards, Siva
- Marked as answer by Simon_WuMicrosoft contingent staff, Moderator Saturday, December 07, 2013 6:22 PM
All replies
-
-
-
-
Hello, the error is because of the AD parameter in the command. You need to have sufficient permissions to invoke AD parameters in your PS command. AD commands could simply be permissions on the AD OU that the Group resides. You can easily check with getting with your domain admins and ask them to delegate permissions for your ID on the AD OU and try again. Also, you must be an Org Admin wiht Exchange.
Make sure to check any GPO's restricting the AD OU for ACL changes.
One thing I noticed is your command is incorrect - please use this one
Add-ADPermission -Identity "SourceMailbox" -User "DestinationMailbox" -AccessRights ExtendedRight -ExtendedRights "send as"
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Regards, Siva
-
Hello,
I am using the domain admin to run and I can use the ADUC to update the permission. On the other hand, I have exchange 2007 and exchange 2010 on the production, and I can run the command on Exchange 2007 and for mailbox 2010, also work
My acct didn't have exchange Organization Management , if it requirement the role of organization Management, do u know how to customize the role so that we can update group permission without let the acct to modify global setting
Thanks
-
Hello,
RBAC can be used to provide granular permissions to anyone/anygroup and with RBAC you need to create a management role group and associate role group policies to it and add users accordingly. However, since we are talking about the "Top Most" level of permissions - Organizational Management. Does not matter what you do, when someone is an Organizational Managment group member, FULL permissions will be allowed to that ID - this is by design.
Simply put - you cannot edit the Organizational Management role assignments and policies.
best!
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Regards, Siva
- Marked as answer by Simon_WuMicrosoft contingent staff, Moderator Saturday, December 07, 2013 6:22 PM