Exchange Send As Permissions

  • Question

  • Hey guys,

    Kind of a strange issue here. I am trying to make it so a user can 'Send As' a mailbox. I can give her full control of the mailbox but when I try to do send as it gives me this error message:

    Summary: 1 item(s). 0 succeeded, 1 failed.
    Elapsed time: 00:00:00

    Domain\User
    Failed

    Error:
    Active Directory operation failed Domain.gbl. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    The user has insufficient access rights.

    Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

    Exchange Management Shell command attempted:
    Add-ADPermission -Identity 'CN=fmb,OU=Domain Mailboxes/Calenders,DC= ,DC= ,DC=gbl' -User 'Domain\User' -ExtendedRights 'Send-as'

    Elapsed Time: 00:00:00


    We have Exchange 2010 running and the user has full control over the mailbox already. After one of our other admins plays around in AD and confirms that her account should have permissions we notice that it is fixed but a few minutes later she is removed from the send as group and can't be added again without more tinkering. Any ideas on this would be great!

     

    Thanks,

    Dave


    Dave G. "Doing nothing is not an option."
    Monday, November 21, 2011 7:49 PM

All replies

  • Hi Dave,

    You need to be assigned permissions Organization Management, Recipient Management roles before you can perform this procedure. You can use the command below to get the result:

    Get-RoleGroupMember "Organization Management"

    Get-RoleGroupMember "Recipient Management"


    Best Regards!
    Tuesday, November 22, 2011 5:43 AM
  • Hi Rowen,

    I went ahead and looked at that information and it doesn't seem to be what we are looking to get done. This appears to be administration groups. We went in and confirmed that other users who have the same permissions as this user can send from the mailbox. We upgraded the user to 2010 to see if upgrading the mailbox would resolve our issue but it still yielded no results. What is strange is that she pointed out that she used to be able to send from this mailbox but suddenly she can't. I'm wondering if it has to do with bringing down our old exchange server and moving all the accounts to our new 2010 server.

    We have another development. Another user that had access and was able to send as no longer can. She says that she experiences the same issue of being added to the send as permissions and it works for a period of time then the permission to do so is gone.   

    Thanks,

    Dave G. 


    Dave G. "Doing nothing is not an option."
    • Edited by Dave Grina Wednesday, November 23, 2011 12:30 AM update
    Wednesday, November 23, 2011 12:21 AM
  • Hi Dave,

    Sorry for misunderstanding you.

    If there's only one user, please move his/her mailbox to another DB, then give it a try.

    If it doesn't work please feedback here.

    Thanks.


    Best Regards!
    Friday, November 25, 2011 6:13 AM
  • Hey Rowen,

    No worries. We have everyone moved over to the new DB and it still is having Send As permissions. I am wondering if it has something to do with the user accounts in the group having send as issues and not the individual users. Any ideas or insight is always helpful. 

    Thank you,

    Dave G.


    Dave G. "Doing nothing is not an option."
    Monday, November 28, 2011 9:54 PM
  • Hi Dave,

    Please verify that Allow inheritable permissions was checked on the User account.

    Thanks.


    Best Regards!
    • Edited by Rowen-Xu Tuesday, November 29, 2011 8:26 AM
    • Marked as answer by Dave Grina Monday, December 19, 2011 9:36 PM
    Tuesday, November 29, 2011 8:25 AM
  • Hi Rowen,

    I have been running around as we are a few men down over here but we came up with a sort of workaround for the issue as a temp fix. I checked the inheritance and it was on for each user. But what we did was to log in as the mailbox we wanted to send as and delegated control of the mailbox to each of our users that utilize that mailbox. They are fine with it saying 'Sent on behalf of...' We would like to isolate the actual problem still.

     

    Thank you,

    Dave Grina 


    Dave G. "Doing nothing is not an option."
    Friday, December 2, 2011 8:48 PM
  • Hi Dave,

    How about trying below:

    http://blogs.technet.com/b/richardroddy/archive/2010/07/12/exchange-2010-and-the-exchange-trusted-subsystem.aspx

    Note: If your server was in "Exchange Trusted Subsystem" Group, please move it out and then add it again.

    Thanks.


    Rowen

    TechNet Community Support

    • Proposed as answer by Rowen-Xu Wednesday, December 7, 2011 8:09 AM
    Monday, December 5, 2011 6:02 AM
  • Hi,

    Any update?


    Rowen

    TechNet Community Support

    Wednesday, December 7, 2011 8:09 AM
  • Hi Rowen, 

    Sorry about the slow reply. We went a man down for awhile and have been swamped on issues. I did the inherit permissions and the ability to get the Send As to go through worked. However, the user gets bounce backs on sending as the mailbox. 

    Thank you,

     

    Dave G 


    Dave G. "Doing nothing is not an option."
    Wednesday, December 14, 2011 8:05 PM
  • Have another development. 

    Upon researching, the user's account has been removed from the send as we gave it. And the same error we got before happens when trying to re-add it. Please advise.

    Dave G. 


    Dave G. "Doing nothing is not an option."
    Wednesday, December 14, 2011 8:08 PM
  • Is this user a member of any special AD groups like domain admins, account operators, print operators or any other group which may be nested that has this permission, if yes remove and test.

    Create a new user with only the default membership and give them access to send as to the mailbox, does it retain?


    Sukh
    Thursday, December 15, 2011 12:09 AM
  • Hey guys,

    Thanks for the advice. Sukh: no they are not members of any special groups. A new user also has the same issue. Upon talking to one of our network admins/IT engineer we determined that our AD servers are the cause of our issue. What happens is inherit is granted on both servers and we replicate. Both AD servers have global catalogs so they are getting angry at each other and removing the inheritance. We know they are upset but we are trying to determine if there is another cause or if it is just them going at it.

    Thanks,

    Dave G.  


    Dave G. "Doing nothing is not an option."
    Thursday, December 15, 2011 10:15 PM
  • Hey guys,

    Haven't posted on what we found but we have resolved the issue. Upon sitting with my Exchange admin and going through the permissions we found that one of our admins was blowing accounts away in AD but not removing their permissions in Exchange. This causes broken associations to accounts and Exchange gets angry when it can't find the user object active. You also can't delete these accounts by just going into Exchange. Instead we find where the mailbox lives in Active Directory and use ADSI to remove the bad accounts manually.

    Thanks! 


    Dave G. "Doing nothing is not an option."

    • Marked as answer by Dave Grina Wednesday, April 25, 2012 8:56 PM
    Wednesday, April 25, 2012 8:56 PM
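
Added example, not posted by anyone in this thread: a read-only PowerShell audit of the two things the thread ended up inspecting on a mailbox's AD object, namely the inheritance flag and explicit permission entries whose account no longer exists. It assumes the RSAT ActiveDirectory module is installed; the function name `Get-MailboxAclAudit` and the identity `fmb` are illustrative.

```powershell
# Added example: reports only, changes nothing in the directory.
Import-Module ActiveDirectory

function Get-MailboxAclAudit {
    param([Parameter(Mandatory)][string]$Identity)

    # schemaIDGUID-style rights GUID of the Send-As extended right
    $sendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
    $sidType    = [System.Security.Principal.SecurityIdentifier]
    $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
    $acl  = $user.nTSecurityDescriptor

    # AreAccessRulesProtected = $true means "Allow inheritable permissions" is unchecked.
    [pscustomobject]@{
        Kind    = 'Object'
        Trustee = $user.DistinguishedName
        Detail  = "InheritanceBlocked=$($acl.AreAccessRulesProtected); adminCount=$($user.adminCount)"
    }

    # Explicit (non-inherited) ACEs, with trustees returned as raw SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $ace.IdentityReference
        try {
            $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $orphan = $false
        } catch {
            # The SID did not resolve to an account, e.g. the account was deleted.
            $name   = $sid.Value
            $orphan = $true
        }
        $isSendAs = (($ace.ActiveDirectoryRights -band $extRight) -ne 0) -and
                    ($ace.ObjectType -eq $sendAsGuid)

        if ($orphan -or $isSendAs) {
            [pscustomobject]@{
                Kind    = if ($orphan) { 'UnresolvedSid' } else { 'SendAs' }
                Trustee = $name
                Detail  = "$($ace.AccessControlType) $($ace.ActiveDirectoryRights)"
            }
        }
    }
}

# 'fmb' is a placeholder for the shared mailbox's account name.
Get-MailboxAclAudit -Identity 'fmb' | Format-Table -AutoSize
```

Rows of kind `UnresolvedSid` are the leftover entries described in the final post; rows of kind `SendAs` show who currently holds the right, so running it before and after a grant shows whether the entry persists.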