After migration (2003->2008) unable to "Send on Behalf" with Exchange 2007

  • Question

  • This has been discussed many times, but I still haven't found a solution for our case.

    Affected users so far have been administrative, which makes me think it's something to do with the Protected Group issue where it removes, every hour, the ability to send email.  However, these admins sent email just fine in the old domain, so I'm still not sure how that applies.

    I tried running the PS command to add the external domain\user with SendAs rights.   For some reason, I can't see this in the EMC, but the EMS says it's there. ????

    Added NT Authority/SELF as well under the EMC Full Access and Send As - no luck.

    To clarify, it is the "Unable to send on BEHALF" message that we're getting, not the "Send As" - so maybe this is where I'm going wrong with the above commands.

    Also to clarify - the Exchange 2007 server still resides in the old domain, there is a full trust between them.

    Thank you for any suggestions!

    Wednesday, September 19, 2012 11:19 PM

All replies

  • Hi,

    As you noted Send As and Send on Behalf are two different permissions. Can you run: -

    Set-Mailbox UsersMailbox -GrantSendOnBehalfTo UserWhoSendsonBehalf

    Also, Send on Behalf won't work if the mailboxes are hidden from any address lists.


    Sean Massey | Consultant, iUNITE


    Thursday, September 20, 2012 2:36 AM
  • Hi,

    Could you explain your topology and your issue in more detail?

    Per my understanding, it is:

    Two forests: one is Windows 2003 and the new one is Windows 2008, with a trust between them.

    You only have one Exchange 2007 server, and it still resides in the Windows 2003 forest.

    You migrated your user accounts to the new forest (so now your Exchange topology is an Exchange resource forest, and you are now using linked mailboxes).

    Then you granted the Send on Behalf permission to a migrated user and it doesn't work.

    If I am wrong, please feel free to correct me.

    thanks,


    CastinLu

    TechNet Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    • Edited by Castinlu Thursday, September 20, 2012 3:10 AM
    Thursday, September 20, 2012 3:09 AM
  • Castinlu,

    One clarification on your original post - everything you said is correct, that is our model.  However, what is the definition of a "linked mailbox"? I didn't do anything to the mailboxes to link them to the domain.  I have test users who moved over without incident and work fine without any meddling.  However, other users are getting the error message about not being able to send "on behalf of" the logged-in user when attempting to send an email from their Outlook client.

    thnx

    Thursday, September 20, 2012 3:36 AM
  • Hi,

    So the user account resides in the new forest and the mailbox resides in the old forest.

    For example:

    You have a user whose name is test, and his mailbox is test@exchange.com.

    Now you migrate the user to the new forest, but the mailbox still resides in the old forest.

    Can they send/receive messages successfully when you finish the migration?

    So I think your mailbox is a linked mailbox.

    About the Exchange resource forest, you can see this link: http://technet.microsoft.com/en-us/library/aa998031.aspx

    Hope this helps.

    thanks,


    CastinLu

    TechNet Community Support



    • Edited by Castinlu Thursday, September 20, 2012 9:58 AM
    Thursday, September 20, 2012 9:57 AM
  • Hi,

    As you noted Send As and Send on Behalf are two different permissions. Can you run: -

    Set-Mailbox UsersMailbox -GrantSendOnBehalfTo UserWhoSendsonBehalf

    Also, Send on Behalf won't work if the mailboxes are hidden from any address lists.


    Sean Massey | Consultant, iUNITE


    Sean,

    I can't get this to work.    Does this command work with a user in another domain?  There is a trust and users are accessing resources such as file shares in the old domain OK.

    I've tried the following syntax for UserWhoSendsOnBehalf:

    newdomain\user

    user@newdomain

    user@newdomain.local

    Error is:

    Object "Domain\User" could not be found. Please make sure that it was spelled correctly or specify a different object.
    At line:1 char:1
    +  <<<< set-mailbox -Identity user@domain.com -GrantSendOnBehalfTo DOMAIN\user
        + CategoryInfo          : NotSpecified: (:) [], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : B08C1DB0

    Any ideas?

    I also want to highlight - users do not have mailboxes in the new domain.   The strange thing is, I have two non administrative test users who moved over OK and work just fine.   Other production (administrative) users get the "Unable to send on behalf of" error when attempting to send email.  They can access their mailboxes fine though.

    Thank you

    • Edited by meddle01 Thursday, September 20, 2012 5:08 PM
    Thursday, September 20, 2012 5:07 PM
  • Castinlu,

    Thanks for your posts.  Are Linked Accounts required in a case like this?    Users exist in both domains and accounts are active in both.  SID History is working.  Trust is working.  Conditional DNS forwarding is enabled and working for each respective domain.

    What confuses me the most is I have two test accounts, that once copied to the new domain, can log into a new domain PC, with their new domain credentials, and automatically access their Exchange account in the old domain without problem.  And send mail OK.

    Two other administrative users are similarly set up.  They can access their email, but not send. Error is "unable to send on behalf of user".

    Why would two users work, and two not?  The issue surrounding Protected Groups is in relation to SendAs, not SendOnBehalfOf.

    Thanks

    Thursday, September 20, 2012 8:44 PM
  • Hi,

    >>>  Are Linked Accounts required in a case like this?    Users exist in both domains and accounts are active in both.

    You should disable the account in the old domain. Leave only the account in the new domain enabled.  Grant the Send on Behalf permission and see if it works.

    >>>automatically access their Exchange account in the old domain without problem.  And send mail OK.

    How about logging in from the new forest?

    >>>Two other administrative users are similarily set up.  They can access their email, but not send. Error is "unable to send on behalf of user".

    Where do they log in? Also the old domain? Please post the whole NDR here, and could you tell me more about the two administrative users?

    Hope this helps.

    thanks,


    CastinLu

    TechNet Community Support




    • Edited by Castinlu Sunday, September 23, 2012 3:08 AM
    Sunday, September 23, 2012 3:05 AM
    • Edited by Castinlu Friday, September 28, 2012 9:35 AM
    Friday, September 28, 2012 9:35 AM
  • Yes.  The problem was very simple.   I misunderstood the syntax of the command:

    Set-Mailbox UsersMailbox -GrantSendOnBehalfTo UserWhoSendsonBehalf

    I was putting in the newdomain\user in place of the UserWhoSendsonBehalf - instead of simply the username (of the original domain, where Exchange resides).

    This seemed to fix the problem right away.

    Thanks for your help

    • Proposed as answer by Castinlu Tuesday, October 2, 2012 1:51 AM
    Friday, September 28, 2012 3:16 PM
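
An added example, not part of the original thread: a read-only Exchange Management Shell check of the points raised in the replies above (whether the delegate name resolves, Send on Behalf versus Send As, and address-list visibility). The function name Get-SendRightsReport is hypothetical, and the identities passed to it are the thread's own placeholders.

```powershell
# Added example. Run in the Exchange Management Shell of the forest where
# Exchange resides. Get-SendRightsReport is a hypothetical helper name.
function Get-SendRightsReport {
    param([string]$Mailbox, [string]$Delegate)

    $mbx = Get-Mailbox -Identity $Mailbox

    # The delegate has to resolve to a recipient object that Exchange can find;
    # a name that does not resolve here is the "could not be found" case.
    $del = Get-Recipient -Identity $Delegate -ErrorAction SilentlyContinue

    # Send on Behalf is a property of the mailbox (a list of delegates).
    $onBehalf = $false
    if ($del) {
        $hits = @($mbx.GrantSendOnBehalfTo |
            Where-Object { $_.DistinguishedName -eq $del.DistinguishedName })
        $onBehalf = $hits.Count -gt 0
    }

    # Send As is a separate Active Directory extended right on the mailbox object.
    $sendAs = @(Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { ($_.ExtendedRights -like '*Send-As*') -and -not $_.Deny } |
        ForEach-Object { $_.User.ToString() })

    # Build one summary object (PowerShell 1.0 compatible syntax).
    $report = New-Object PSObject
    $report | Add-Member NoteProperty Mailbox          $mbx.Name
    $report | Add-Member NoteProperty MailboxType      $mbx.RecipientTypeDetails
    $report | Add-Member NoteProperty LinkedAccount    $mbx.LinkedMasterAccount
    $report | Add-Member NoteProperty HiddenFromLists  $mbx.HiddenFromAddressListsEnabled
    $report | Add-Member NoteProperty DelegateResolved ($del -ne $null)
    $report | Add-Member NoteProperty SendOnBehalf     $onBehalf
    $report | Add-Member NoteProperty SendAsTrustees   ([string]::Join('; ', $sendAs))
    $report
}

# Placeholders from the thread; substitute real identities before running.
Get-SendRightsReport -Mailbox 'UsersMailbox' -Delegate 'UserWhoSendsonBehalf' |
    Format-List
```

A result with DelegateResolved false means the name given for the delegate is not visible as a recipient in the Exchange forest, so the grant cannot be made under that name.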