Unable to Assign SendAs Permission to a user on a Shared Mailbox

  • Issue Description: Not able to assign the Send As permission for a particular user on a shared mailbox (both the shared mailbox and the user mailbox are located in on-premises Exchange 2013).

    Troubleshooting Attempts:
    While adding the Send As permission for the user using the following PowerShell command in the Exchange Management Shell,

    Add-ADPermission -Identity "Shared Mailbox" -User localuser -ExtendedRights "Send As"

    it gave an advisory that the appropriate permissions for the user are already present. However, when checked in the Exchange Control Panel, the user was not listed in the ‘Send As’ list of the shared mailbox.
    We then decided to remove the permission, with the intention of re-adding it later.

    However, we got the following error:

    Remove-ADPermission -Identity "Shared Mailbox" -User localuser -ExtendedRights "Send As"

    Confirm
    Are you sure you want to perform this action?
    Removing Active Directory permission "Shared Mailbox" for user "localuser" with access rights "'Send As'".
    [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
    WARNING: Can't remove the access control entry on the object "CN=STCW
    Booking,OU=Resources,OU=,OU=,OU=,DC=domain,DC=com" for attribute "ExtendedRight (ObjectType:
    ab721a54-1e2f-11d0-9819-00aa0040529b)" because the ACE isn't present.

    Based on the error message, we tried to troubleshoot following the steps mentioned in the following article:

    https://social.technet.microsoft.com/wiki/contents/articles/31321.exchange-serveronline-the-ace-doesn-t-exist-on-the-object.aspx


    According to the above article, the “Root Cause of the warning is an orphaned SID is pending on the mailbox which is conflicting with rest all delegate user's permissions.”
    We looked up the mailbox permissions of the particular shared mailbox to look for any such orphaned SID, using the following PowerShell command:

    Get-MailboxPermission -Identity "Shared Mailbox" | Select User | fl

    We observed that there was an orphaned SID in the list i.e. "S-1-5-21-2316237041-1940185418-1848012276-1111"

    We tried removing the permissions of the orphaned SID from the shared mailbox, with the intention of resolving any conflicts that it might be causing (based on the article below).

    Ref: https://social.technet.microsoft.com/wiki/contents/articles/31321.exchange-serveronline-the-ace-doesn-t-exist-on-the-object.aspx

    But we were getting the following error while attempting to do the same:

    Remove-MailboxPermission "domain.com/OU/Resources/Shared Mailbox" -User "S-1-5-21-2316237041-1940185418-1848012276-1111" -InheritanceType All -AccessRights "FullAccess, ReadPermission"

    Confirm
    Are you sure you want to perform this action?
    Removing mailbox permission "domain.com/OU/Resources/Shared Mailbox" for user
    "S-1-5-21-2316237041-1940185418-1848012276-1111" with access rights "'FullAccess, ReadPermission'".
    [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): A

    WARNING: An inherited access control entry has been specified: [Rights: CreateChild, ReadControl, ControlType: Allow]
    and was ignored on object "CN=SharedMailbox,OU=Resources,DC=domain,DC=com;.


    We also tried to look up any differences between the attributes of working users and the affected user, but we couldn’t find any issues there.
    In order to check whether it is a cosmetic issue in the GUI that is not listing the user in the ‘Send As’ list while the PowerShell queries suggest the user already has the appropriate permissions, we tried sending a test email from the affected user’s Outlook, but it threw the error that the user does not have permissions on the mailbox.
    After performing all the possible troubleshooting steps I am clueless how to fix it. Please help.
    Tuesday, October 17, 2017 5:50 PM

Answers

  • Thank you very much for posting all your suggestions!!

    I removed the user from the AD object and it started working.

    I think the Send As permission should be granted using Exchange PowerShell, but in our case it was added to the shared mailbox user object directly. This is the reason why, while setting up the Send As permission, it was throwing the error "appropriate permission for the user are already present".

    Tuesday, October 24, 2017 7:01 AM

All replies

  • Look closely and verify that the right you're trying to add isn't there as an inherited right.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, October 17, 2017 11:20 PM
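A way to gather, in one pass, the evidence the question and the reply above are circling (an inherited Send As right, a Deny entry, or an unresolved SID left on the mailbox): this is an added PowerShell example, not code from the thread. It assumes the Exchange Management Shell and reuses the placeholder names "Shared Mailbox" and "localuser" from the question.

```powershell
# Added example: inventory Send As entries and orphaned SIDs on a shared mailbox.
# Assumes the Exchange Management Shell (Get-ADPermission / Get-MailboxPermission).
param(
    [string]$Mailbox = "Shared Mailbox",   # placeholder name from the thread
    [string]$User    = "localuser"         # placeholder name from the thread
)

# 1. Every ACE on the mailbox's AD object that carries the Send As extended right.
#    Exchange displays the right as "Send-As"; the regex tolerates both spellings.
$sendAs = Get-ADPermission -Identity $Mailbox |
    Where-Object { $_.ExtendedRights -match 'Send.?As' }

Write-Host "Send As ACEs on '$Mailbox':"
$sendAs | Select-Object User, IsInherited, Deny,
    @{ Name = 'Note'; Expression = {
        if ($_.Deny)        { 'DENY entry: wins over any Allow, remove with -Deny' }
        elseif ($_.IsInherited) { 'Inherited from a parent container, not this object' }
        else                { 'Explicit Allow on this object' } } } |
    Format-Table -AutoSize

# 2. Entries for the specific user (matches DOMAIN\localuser style principals).
$userAces = $sendAs | Where-Object { "$($_.User)" -like "*\$User" }
if (-not $userAces) {
    Write-Host "No Send As ACE found for $User on the object itself."
} elseif ($userAces | Where-Object { $_.IsInherited -or $_.Deny }) {
    Write-Host "$User has only inherited and/or Deny Send As entries: Add-ADPermission will report it as present while sending still fails."
}

# 3. Unresolved SIDs (orphaned principals) in the mailbox permission list.
#    A principal that only shows as S-1-5-21-... no longer resolves in AD.
$orphans = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { "$($_.User)" -match '^S-1-5-21-' -and -not $_.IsInherited }

if ($orphans) {
    Write-Host "Orphaned SIDs with explicit mailbox permissions:"
    $orphans | Select-Object User, AccessRights, Deny | Format-Table -AutoSize
} else {
    Write-Host "No explicit orphaned SIDs in the mailbox permission list."
}
```

Inherited entries reported by step 1 cannot be removed on the mailbox object; they have to be traced to the OU or configuration container they come from.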
  • Hi,

    Based on your description, I know that you are getting the errors above when you tried to remove AD and mailbox permissions on the shared mailbox.

    For the user “localuser”: run the Remove-ADPermission cmdlet with the -Deny switch.

    Remove-ADPermission -Identity "Shared Mailbox" -User localuser -ExtendedRights "Send As" -Deny


    For the user “S-1-5-21-2316237041-1940185418-1848012276-1111”: remove this user from the Organization, Administrative Group and Database levels using the ADSIEdit tool.

    Follow the steps below:
    1. Open ADSIEdit and connect to the Configuration Naming Context.
    2. Navigate to Configuration/Services/Microsoft Exchange/<Organization>/Administrative Groups/Exchange Administrative Group.
    3. Right-click the Databases folder and choose Properties.
    4. Click on the Security tab and click Advanced.
    5. Check if the user above was added here; if so, remove the user.
    6. If we don’t find the user at the database level, check if it is in the Microsoft Exchange, Organization, Administrative Group and Exchange Administrative Group folders.

    Hope it helps.


    Best Regards,

    Manu Meng
    TechNet Community Support

    Friday, October 20, 2017 3:00 AM
  • The Exchange PowerShell cmdlet is Add-ADPermission, which adds the right to the AD object.  That's how the Send As right is conferred.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, October 24, 2017 2:34 PM