send as permissions set but not working Exchange 2007

  • Question

  • My boss's assistant gets a "you cannot send on behalf of this user... unless you have permissions..." error. She has Send As and full control permissions set on Exchange. After renaming the .ost file, when it created a new one, it worked for a while and then stopped again. I gave her a different computer with a clean installation and it happened again in 2 days or so. Any idea what might cause it? The mailbox is over 5Gb.
    Friday, March 16, 2012 8:52 PM

Answers

  • Hi,

    As far as I know, this situation can be caused by the AdminSDHolder object. For details, you can refer to http://support.microsoft.com/kb/907434/en-us :

    Cause:

    • 'The Active Directory directory service has a process that makes sure that members of protected groups do not have their security descriptors manipulated. If a security descriptor for a user account that is a member of a protected group does not match the security descriptor on the AdminSDHolder object, the user's security descriptor is overwritten with a new security descriptor that is taken from the AdminSDHolder object.

      The Send As right is delegated by modifying the security descriptor of a user object. Therefore, if the user is a member of a protected group, the change is overwritten in about one hour.'

    If so, and you want to grant Send As permission to the specific user user1, you can run the dsacls command:

    dsacls "cn=adminsdholder,cn=system,dc=yourdomain,dc=com" /G "user1:CA;Send As"

    Hope it helps.

    Thanks


    Sophia Xu

    TechNet Community Support

    • Marked as answer by Sophia Xu Monday, April 2, 2012 5:31 AM
    Tuesday, March 20, 2012 2:31 AM
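
A way to check for the condition the answer describes, added here as an example and not part of the original thread: it reports whether the mailbox owner's account carries the AdminSDHolder markers (adminCount and disabled ACL inheritance), which protected groups it belongs to through nesting, and whether the delegate's Send As entry is still on the object. It assumes the RSAT ActiveDirectory module; the two account names are placeholders.

```powershell
Import-Module ActiveDirectory

$MailboxOwner = 'boss'        # placeholder sAMAccountName of the mailbox owner
$Delegate     = 'assistant'   # placeholder sAMAccountName of the delegate
# rightsGuid of the Send-As extended right in the AD schema
$SendAsGuid   = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

$user = Get-ADUser -Identity $MailboxOwner -Properties adminCount, nTSecurityDescriptor
$sd   = $user.nTSecurityDescriptor

# 1. Markers left when the AdminSDHolder descriptor is stamped on an account:
#    adminCount = 1 and inheritance switched off on the object's DACL.
[pscustomobject]@{
    Account             = $user.SamAccountName
    AdminCount          = $user.adminCount
    InheritanceDisabled = $sd.AreAccessRulesProtected
}

# 2. Protected groups the account is in, including nested membership.
#    1.2.840.113556.1.4.1941 is the LDAP "in chain" matching rule.
#    (A DN containing filter metacharacters would need escaping first.)
$filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName)))"
$protectedGroups = Get-ADGroup -LDAPFilter $filter
$protectedGroups | Select-Object Name, DistinguishedName

# 3. Is the delegate's Send As ACE currently on the mailbox owner's object?
$delegateSid = (Get-ADUser -Identity $Delegate).SID.Value
$extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$sendAsAces  = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $delegateSid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $SendAsGuid -and
        ($_.ActiveDirectoryRights -band $extended)
    }

if ($sendAsAces) {
    "Send As ACE for $Delegate is present on $MailboxOwner."
} elseif ($protectedGroups) {
    "Send As ACE is missing and $MailboxOwner is in a protected group: the grant was likely overwritten."
} else {
    "Send As ACE is missing, but no protected-group membership was found."
}
```

Because the AdminSDHolder security descriptor is copied to every protected account, the dsacls grant in the answer gives user1 Send As on all of them, not only on the one mailbox.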

All replies

  • Size of the mailbox should have nothing to do with it.

    Do ensure that delegates have not been set, as that can confuse things if you are setting Send As permissions as well.

    Simon.


    Simon Butler, Exchange MVP

    • Proposed as answer by Shabarinath Monday, March 19, 2012 6:01 PM
    Friday, March 16, 2012 9:27 PM
  • Would the boss be a member of any administrator groups by any chance (domain, enterprise, etc.)??

    Friday, March 16, 2012 9:46 PM
  • No, he is not.
    Friday, March 16, 2012 10:20 PM
  • Size of the mailbox should have nothing to do with it.

    Do ensure that delegates have not been set, as that can confuse things if you are setting Send As permissions as well.

    Simon.


    Simon Butler, Exchange MVP


    Sounds like it's worth checking, but it will have to wait until Monday.
    Friday, March 16, 2012 10:22 PM
  • I've decided to remove Send As and full control permissions completely, and just added the Exchange account, providing the boss's user name and password. Should be safer. I guess that would be a solution only if credentials are known.
    Monday, March 19, 2012 5:47 PM