Exchange 2007 'Send As' permissions disappearing after 1 hour (it's not a problem with system groups)

  • Question

  • Hi All,

    Trying to add Send As permissions on any mailbox in Exchange 2007, the permissions are automatically removed after 1 hour. I have done some googling and have found if the user is in a particular group then it is set up by design.

    I have done some testing. I created 2 brand new users with the only group permission being 'domain user'. I created each of them a brand new mailbox and set them up to both be able to send as. 1 hour later and permissions have disappeared again. Can anyone assist on this?

    Friday, May 6, 2011 5:16 AM

Answers

  • I'm thinking the default behavior of AdminSDHolder got changed from the default of only applying this behavior to protected groups to applying it to other groups.

     

    1. After 1 hr if you check the 2 new users, in the security tab of ADUC, advanced, does inheritance also get unchecked?

    2. Can you verify that domain user group is not nested in any protected built in groups?


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, May 6, 2011 2:56 PM
  • I suspect at some point your Domain Users group got added to a protected group.  Check the AdminCount property on that group.  If it's anything but 0, all the members of that group will be treated as protected accounts.

    When you add a user or group to a protected group, the AdminCount gets incremented.  Removing it from that protected group does not decrement it; you have to do that manually.

    If a group is added to a protected group, that group will get its AdminCount property incremented, and then the AdminSDHolder process will increment the AdminCount of every member of that group.

    The only way to fix it is to remove the group from the protected group, then set the AdminCount of all the members to 0, and set the AdminCount of the group to 0.

     


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    Friday, May 6, 2011 5:53 PM

All replies

  • Yes, as for #2 in James' post, you could try (at the command line):

    whoami /groups

    When logged on as one of the users encountering the problem.

    Send As is an AD permission - if that makes any difference.

    Friday, May 6, 2011 5:17 PM
  • On Fri, 6 May 2011 05:16:20 +0000, Mattstar wrote:
     
    >Trying to add Send As permissions on any mailbox in Exchange 2007, the permissions are automatically removed after 1 hour. I have done some googling and have found if the user is in a particular group then it is set up by design.
    >
    >I have done some testing. I created 2 brand new users with the only group permission being 'domain user'. I created each of them a brand new mailbox and set them up to both be able to send as. 1 hour later and permissions have disappeared again. Can anyone assist on this?
     
    Check the adminCount property on those two AD User objects. Is it "1"?
    If it is, then they're a member of a protected group. That membership
    may be direct, or indirect (i.e. they may be a member of a group that
    is a member of a protected group).
     
    If the only group they're a direct member of is "Domain Users" then
    you may have included a built-in group such as "Everyone" or
    "Authenticated Users" as a member of a protected group.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, May 6, 2011 5:53 PM
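
Added example, not part of any reply in this thread: a read-only PowerShell check for the adminCount and nested-membership causes suggested in the replies above. It assumes the ActiveDirectory module is available; the account names `testuser1`/`testuser2` and the protected-group list are placeholders to adjust.

```powershell
# Added example: read-only diagnosis; needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: partial list of default protected groups; adjust for your domain.
$protected = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
             'Account Operators','Server Operators','Backup Operators','Print Operators'
# Placeholder sAMAccountNames for the two test users from the question.
$testUsers = 'testuser1','testuser2'

# Return each nesting chain that leads from a principal up to a protected group.
function Get-ProtectedPath {
    param([string]$Identity, [string[]]$Chain = @())
    foreach ($g in @(Get-ADPrincipalGroupMembership -Identity $Identity)) {
        if ($Chain -contains $g.SamAccountName) { continue }   # circular nesting guard
        $next = $Chain + $g.SamAccountName
        if ($protected -contains $g.SamAccountName) { $next -join ' -> ' }
        else { Get-ProtectedPath -Identity $g.DistinguishedName -Chain $next }
    }
}

# 1. Groups and well-known principals sitting directly inside a protected group.
#    Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) show up as
#    foreignSecurityPrincipal objects named by their SID.
foreach ($name in $protected) {
    $grp = Get-ADGroup -Filter "SamAccountName -eq '$name'" -Properties member
    if (-not $grp) { continue }                                # group absent in this domain
    foreach ($dn in $grp.member) {
        $m = Get-ADObject -Identity $dn
        if ('group','foreignSecurityPrincipal' -contains $m.ObjectClass) {
            "NESTED: {0} ({1}) is a member of {2}" -f $m.Name, $m.ObjectClass, $name
        }
    }
}

# 2. For each test user: is adminCount set, and through which chain of groups?
foreach ($sam in $testUsers) {
    $u = Get-ADUser -Identity $sam -Properties adminCount
    $paths = @(Get-ProtectedPath -Identity $u.DistinguishedName)
    "{0}: adminCount={1}" -f $sam, $u.adminCount
    if ($paths.Count) { $paths | ForEach-Object { "  via $_" } }
    elseif ($u.adminCount) { "  no current path: stale flag, or a well-known principal from step 1" }
}

# 3. After removing the nesting, reset the flag as described in the thread (uncomment to apply):
# Set-ADUser -Identity 'testuser1' -Replace @{adminCount = 0}
```

Resetting adminCount does not turn permission inheritance back on for the object, so also re-check the inheritance box in ADUC that the first reply asks about.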
  • Yes, please follow mjolinor and Rich’s suggestion to check for the user.

     

    Here is a related document for you, hope it can give you some help:

     

    Active Directory

    AdminSDHolder, Protected Groups and SDPROP

    http://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx

     

    Thanks,

     

    Evan


    Monday, May 9, 2011 2:25 PM
    Moderator
  • Hi Matt,

    Yes, this problem is due to the Domain user group having been added to a protected group. Hence the AdminSDHolder is doing its job, and 1 hour later you see the Send As permissions disappear.

    Please go through the articles below, which explain it in more detail:

    http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

    http://blogs.technet.com/b/exchange/archive/2009/09/23/3408362.aspx

    http://activedirectoryfaq.blogspot.com/2007/09/authentication-and-authorization.html

    Let me know if this helps

     

     


    Thanks Prateek
    Monday, May 9, 2011 2:44 PM