Why doesn't the Exchange Management tools represent who has SEND AS permissions accurately?

  • Question

  • In Active Directory SEND AS permissions can be granted and then if we look at that mailbox via Exchange Tools it does not show up, yet the user granted permissions is allowed to send as.   WHY?
    Jason Meyer
    Thursday, December 15, 2011 3:34 PM

Answers

  • Hi Jason,

     

    This may be because the Exchange Management Tool only searches for the Send As permission in AD; when you use “full control” it shows as “GenericAll”, so it will not show in EMC.

     

    When you try to check for that, you can use this command to know the user who has been granted “full control” or “send as” permission:

     

    Get-ADPermission -Identity user | ?{ $_.ExtendedRights -like "Send-As" -or $_.AccessRights -like "GenericAll" } | select User, AccessRights, ExtendedRights

     

    Thanks,

     

    Evan Liu

     

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  

     


    Evan Liu

    TechNet Community Support


    Friday, December 30, 2011 5:44 AM
    Moderator

All replies

  • Hi Jason,

     

    Please use this to check whether the send as permission has been granted well:

     

    Get-ADPermission -Identity User | ?{ $_.ExtendedRights -like "Send-As" } | select User, ExtendedRights

     

    If you can see the user and the send as right, please re-open EMC to check again for the issue.

     

    If you cannot see it, I suggest you re-set for the send as permission, then use EMC to check again.

     

    Manage Send As Permissions for a Mailbox

    http://technet.microsoft.com/en-us/library/bb676368.aspx

     

    Thanks,

     

    Evan Liu

     


    Friday, December 16, 2011 6:38 AM
    Moderator
  • Hi Jason,

     

    Any updates on this issue?

     

    Thanks,

     

    Evan Liu

     


    Monday, December 19, 2011 7:43 AM
    Moderator
  • The Get-ADPermission is an Exchange 2010 command; we're an Exchange 2007 shop.

    What we are looking for is a command that will give us a report of all users that have been granted the 'Send As' permission via Exchange or Active Directory.


    Jason Meyer
    Monday, December 19, 2011 7:26 PM
  • Hi Jason,

     

    Get-ADPermission is also a command in Exchange 2007; you can find more information in this document:

     

    Get-ADPermission

    http://technet.microsoft.com/en-us/library/bb125183(EXCHG.80).aspx

     

    You also can use this command to check in Exchange 2007:

     

    Get-ADPermission -Identity User | ?{ $_.ExtendedRights -like "Send-As" } | select User, ExtendedRights

     

    If you want to check all users that have been granted the “Send As” permission via Exchange or Active Directory, you can use this command:

     

    Get-Mailbox | Get-ADPermission | ?{ $_.ExtendedRights -like "Send-As" } | select Identity, User, ExtendedRights

     

    Thanks,

     

    Evan Liu

     



    Tuesday, December 20, 2011 2:34 AM
    Moderator
  • Hi Jason,

     

    How about the issue now?

     

    Thanks,

     

    Evan Liu

     


    Wednesday, December 21, 2011 1:53 AM
    Moderator
  • What we are finding is that if a user or group has Full Control permissions to a user object it is not part of the extended rights.  So we are having to dig deeper into AD to get an accurate account of who has Send AS permissions.  These groups that have permissions set this way do not show up in Exchange tools when we click "Manage Send AS permissions".
    Jason Meyer
    • Edited by JMeyer2009 Thursday, December 22, 2011 4:45 PM
    Wednesday, December 21, 2011 7:20 PM
  • Hi Jason,

     

    In my lab, if you grant one user (group) send as permission on one account in AD, you can see the user (group) in EMC.

      

    If you grant the permission in AD but cannot see it in EMC, use this command to check whether you can see the user (which has been given the send as permission):

     

    Get-ADPermission -Identity User | ?{ $_.ExtendedRights -like "Send-As" } | select User, ExtendedRights

     

    Thanks,

     

    Evan Liu

     


    Thursday, December 22, 2011 10:44 AM
    Moderator
  • In your lab don't grant "Send AS" permissions, grant "Full Control" permissions.  In our environment Full Control is also granting Send As permissions, and then Exchange tools do not see this.
    Jason Meyer
    Thursday, December 22, 2011 4:45 PM
  • Hi Jason,

     

    Yes, in my lab, if you grant “full control” permission, the “send as” permission will not show in the EMC.

     

    I think the way you grant the “send as” by “full control” will not show in EMC (I checked in Exchange 2007 SP3 and Exchange 2010 SP1).

     

    If you want to check the AD permission (full control), you can use the command Get-ADPermission.

     

    Thanks,

     

    Evan Liu

     


    Friday, December 23, 2011 5:55 AM
    Moderator
  • Hi Jason,

     

    Any updates on this issue?

     

    Thanks,

     

    Evan Liu

     


    Tuesday, December 27, 2011 1:28 AM
    Moderator
  • OK, so we have established that Exchange Management Tools do not accurately represent who has SEND AS permissions.  Could we add that to the bugs or features list?

    We are currently trying the Get-ADpermission command to find results but so far have not had good success.


    Jason Meyer
    Thursday, December 29, 2011 9:43 PM
  • Hi Jason,

     

    This may be because the Exchange Management Tool only searches for the Send As permission in AD; when you use “full control” it shows as “GenericAll”, so it will not show in EMC.

     

    When you try to check for that, you can use this command to know the user who has been granted “full control” or “send as” permission:

     

    Get-ADPermission -Identity user | ?{ $_.ExtendedRights -like "Send-As" -or $_.AccessRights -like "GenericAll" } | select User, AccessRights, ExtendedRights

     

    Thanks,

     

    Evan Liu

     



    Friday, December 30, 2011 5:44 AM
    Moderator
  • Hi Jason,

     

    How about the issue, any updates?

     

    Thanks,

     

    Evan Liu

     


    Tuesday, January 3, 2012 1:52 AM
    Moderator
  • I'm running:

    D:\>get-mailbox -resultsize unlimited | Get-ADPermission | ?{ $_.ExtendedRights  -like  "Send-As" -or  $_.AccessRights  -like "GenericAll"} | select User, Identity, AccessRights, ExtendedRights > mailboxpermissions.txt

    and waiting for the output now.  With 20k mailboxes to go through it takes a while to complete.

    Thanks for the continued work on this issue.

     

    Jason

     


    Jason Meyer
    Tuesday, January 3, 2012 11:02 PM
  • Hi Jason,

     

    Any updates on this issue?

     

    If you still have any question on this issue, please feel free to let me know.

     

    Thanks,

     

    Evan Liu

     


    Thursday, January 5, 2012 1:54 AM
    Moderator
  • The results came back but the identity was cut off so running again as:

    [PS] D:\>get-mailbox -resultsize unlimited | Get-ADPermission | ?{ $_.ExtendedRights  -like  "Send-As" -or  $_.AccessRights  -like "GenericAll"} | select User, Identity, AccessRights, ExtendedRights | Format-Table -AutoSize | Out-File mailboxpermissions2.txt -Width 250

     

    On one mailbox it appeared to give me the results I expected.  Thank you for your continued efforts.

     


    Jason Meyer
    Thursday, January 5, 2012 7:28 PM
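
The distinction this thread arrives at, as an added example that is not code from any poster or from Microsoft: a filter that takes rows shaped like Get-ADPermission output and reports whether Send As comes from the explicit Send-As extended right or from GenericAll (Full Control), skipping Deny entries. The function names, the CONTOSO accounts and the sample rows are constructed for illustration, and the ShownAsSendAs column encodes the EMC behaviour reported in the thread.

```powershell
# Added example: classify ACE rows by how they confer Send As.
# Rows mimic the Get-ADPermission properties used in the thread
# (User, Identity, AccessRights, ExtendedRights) plus Deny and IsInherited.
filter Get-SendAsGrant {
    if ($_.Deny) { return }                       # a Deny ACE is not a grant
    $ext = "$($_.ExtendedRights)"                 # collection -> space-joined string
    $acc = "$($_.AccessRights)"
    if     ($ext -match '(^|\s)Send-As(\s|$)') { $via = 'Send-As' }
    elseif ($acc -match '\bGenericAll\b')      { $via = 'GenericAll' }
    else   { return }                             # ACE does not confer Send As
    New-Object PSObject -Property @{
        Identity      = $_.Identity
        User          = $_.User
        GrantedVia    = $via
        IsInherited   = $_.IsInherited
        ShownAsSendAs = ($via -eq 'Send-As')      # per the thread: GenericAll is not listed
    } | Select-Object Identity, User, GrantedVia, IsInherited, ShownAsSendAs
}

# Hypothetical helper that builds one constructed ACE row for the offline demo.
function New-SampleAce($User, $Access, $Extended, [bool]$Deny = $false, [bool]$Inherited = $false) {
    New-Object PSObject -Property @{
        Identity       = 'contoso.example/Users/Shared Mailbox'
        User           = $User
        AccessRights   = @($Access)
        ExtendedRights = @($Extended)
        Deny           = $Deny
        IsInherited    = $Inherited
    }
}

# Constructed sample data, not output from a real organization.
$sample = @(
    (New-SampleAce 'CONTOSO\alice'          'ExtendedRight' 'Send-As'),
    (New-SampleAce 'CONTOSO\HelpdeskAdmins' 'GenericAll'    $null $false $true),
    (New-SampleAce 'CONTOSO\bob'            'ExtendedRight' 'Send-As' $true),
    (New-SampleAce 'CONTOSO\carol'          'ReadProperty'  $null)
)

# Expect two rows: alice via Send-As, HelpdeskAdmins via inherited GenericAll.
$sample | Get-SendAsGrant | Format-Table -AutoSize

# Against a live organization (Exchange Management Shell), CSV avoids truncated columns:
# Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Get-SendAsGrant |
#     Export-Csv sendas-report.csv -NoTypeInformation
```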