Send As Permission Removing Itself! - Exchange 2010

  • Question

  • Hi,

    When I manage the send as permission on a mailbox in my Exchange 2010 environment the permission seems to remove itself within an hour. I realised after looking at some threads on TechNet that it was because the admincount attribute for the user account was set to 1 and therefore is a protected group. I then went about making sure that everything I needed to add send as permissions to had an admincount attribute value that was not set. I then reset the send as permissions and thought that would be the end of it.

    I went to check that the permissions had stayed and noticed that they had been removed again. I went into active directory and looked at the two accounts associated with the mailboxes I had added in send as permissions for and these two accounts both now had an admincount attribute of 1 again. Every other standard user and group in AD has an admincount value not set!

    So it seems that adding send as permission to a mailbox is changing the user's admincount attribute to 1, making it think that it is protected and then removing the permissions!!! Why is this happening and how can I stop this happening???

    Thanks in Advance.

    Friday, February 8, 2013 10:06 AM

All replies

  • Hi

    Are these accounts members of a protected group like Domain Admins?  Setting send is not changing the AdminCount, this will be set back to 1 on any account that is a member of a protected group so you will need to remove them from those groups, then set the AdminCount to 0 and then add the send as permissions.

    Cheers, Steve

    Friday, February 8, 2013 10:14 AM
  • It's the other way: because your accounts are part of a protected group, their admincount is reset to 1 and you lose the inheritance rights.

    You have different ways to solve the problem:

    • Remove those users from the protected groups, then reset admincount (not set) and put back permissions inheritance
    • Remove the protected groups from the AdminSDHolder, then reset admincount (not set) and put back permissions inheritance
    • Add the missing Exchange permissions to the AdminSDHolder AD object and wait a couple of minutes

    Read http://technet.microsoft.com/fr-fr/magazine/2009.09.sdadminholder.aspx

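    You can try this to add the relevant permissions on adminsdholder (using ActiveDirectory powershell module), however I haven't tested it before.

    # Get-ADPermission and Add-ADPermission are Exchange Management Shell cmdlets.
    # Copies each permission entry held by "yourdomain\exchange servers" on "yourdomain" to AdminSDHolder.
    Get-ADPermission -Identity "yourdomain" -User "yourdomain\exchange servers" | ForEach-Object {
        Add-ADPermission -Identity "adminsdholder" -User "yourdomain\exchange servers" `
            -AccessRights $_.AccessRights -Properties $_.Properties
    }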

    Friday, February 8, 2013 10:18 AM
  • The strange thing is I have already made sure that any groups that any of the users are in are not protected groups and that the group has an admincount value as not set. I have also made sure that all of the users have an admincount value of not set. Out of all of the users and groups that I manually checked to make sure they had an admincount value of not set, the only 2 that now have a value of 1 again are the 2 accounts that I configured the send as permissions on.

    How is this possible?

    Friday, February 8, 2013 10:31 AM
  • "Send as" isn't a group but a permission, so it shouldn't flag the admincount attributes. If that's the case, I don't know of any KB about it.

    Did you check nested groups, or did you give Exchange permissions through RBAC? Sometimes those include users in groups which include a protected group (like server administrators or the like).

    • Marked as answer by IT_DAVE Friday, February 8, 2013 3:28 PM
    Friday, February 8, 2013 10:41 AM
  • I have had another look at the groups in AD and noticed that the domain users group is a member of the builtin\administrators group, and that is so that each user is a local administrator when they log onto any domain PC. This group had an admincount value of 1. I have changed this to value not set, and as that is not a member of any other group hopefully that will fix it.

    It still doesn't explain why the admincount values only changed back to 1 for users that I set a send as permission on but I suppose that won't matter as long as this fixes it. I have set the permissions back now and I will let you know what happens.

    Friday, February 8, 2013 10:55 AM
  • Right, so I just checked again and the send as permissions have once again been removed. Both the users' admincount attributes have changed back to 1. The domain users group and the builtin\administrators group that the domain users is a member of both still have the attribute of value not set. So basically any user I try to set send as permissions on gets their admincount attribute changed to 1 automatically and the permissions are removed. How can this still happen!?!?
    Friday, February 8, 2013 11:44 AM
  • http://blogs.technet.com/b/exchange/archive/2009/09/23/3408362.aspx

    Hope this provides you with some clue !!!!


    OM (MCITP) | Blog

    Friday, February 8, 2013 12:44 PM
  • Silly question, but which builtin\administrators group are domain users added to, the local one on the PC or the domain?

    What other groups are these 2 users a member of?


    Sukh

    Friday, February 8, 2013 1:41 PM
  • We had a GPO which made any user who logged onto a PC on the network a local administrator. I thought that was why the domain users were showing as a member of the builtin\administrators group but I just looked on another server where we have the same GPO applied and the domain users are not a member of the group on that server. Maybe this has been added in as an error and that is why the attribute is being reset. I will remove domain users from this group, set the send as permissions back up and see if that fixes the problem.

    The users are not members of any other group so it must be the groups that domain users are in that is the issue.

    Friday, February 8, 2013 2:14 PM
  • Do the users have an RBAC permissions role assigned?
    Friday, February 8, 2013 2:26 PM
  • They just have the default settings.
    Friday, February 8, 2013 2:37 PM
  • It's been over an hour and the send as permissions are still there. Looks like the domain users were in the wrong group after all, an oversight on my part.
    • Proposed as answer by Sukh828 Friday, February 8, 2013 5:43 PM
    Friday, February 8, 2013 3:30 PM
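
The cause found in this thread (Domain Users nested in builtin\administrators) is easy to miss because a user's primary group is stored in primaryGroupID and never appears in a group's member attribute. The following is an added example, not code from any poster in the thread: a read-only check that lists every default protected group an account reaches through nesting, including via its primary group. It assumes the ActiveDirectory module and a single-domain forest; the function name and the account name in the usage comment are hypothetical.

```powershell
Import-Module ActiveDirectory

function Get-ProtectedGroupMembership {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $domainSid = (Get-ADDomain).DomainSID.Value
    # Default protected groups, matched by well-known SID so the result does
    # not depend on adminCount having been cleared by hand on the group.
    $protected = @{
        'S-1-5-32-544' = 'Administrators';   'S-1-5-32-548' = 'Account Operators'
        'S-1-5-32-549' = 'Server Operators'; 'S-1-5-32-550' = 'Print Operators'
        'S-1-5-32-551' = 'Backup Operators'; 'S-1-5-32-552' = 'Replicator'
        "${domainSid}-512" = 'Domain Admins';     "${domainSid}-516" = 'Domain Controllers'
        "${domainSid}-518" = 'Schema Admins';     "${domainSid}-519" = 'Enterprise Admins'
        "${domainSid}-521" = 'Read-only Domain Controllers'
    }

    $user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID, adminCount
    # The primary group (normally Domain Users, RID 513) is resolved from its
    # RID, because the user is not listed in that group's member attribute.
    $primary = Get-ADGroup -Identity "${domainSid}-$($user.primaryGroupID)"

    $groups = @($primary)
    foreach ($dn in @($user.DistinguishedName, $primary.DistinguishedName)) {
        # Escape LDAP filter metacharacters that may occur in a DN.
        $safe = $dn -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (transitive membership).
        $groups += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$safe)"
    }

    $groups |
        Where-Object { $protected.ContainsKey($_.SID.Value) } |
        Sort-Object -Property DistinguishedName -Unique |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account        = $user.SamAccountName
                AdminCount     = $user.adminCount
                ProtectedGroup = $protected[$_.SID.Value]
                GroupDN        = $_.DistinguishedName
            }
        }
}

# Usage (hypothetical account name); no output means no protected group is reached:
# Get-ProtectedGroupMembership -SamAccountName 'shared.mailbox1'
```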