Delegate permissions GONE on 80% of Distribution list in Exchange Hybrid.

  • Question

  • Hope someone can help me on this one, pretty weird.

    First, here is the breakdown of my Exchange environment.

    Hybrid with Office 365

    Funky multi-forest that may come into play with this issue. Not very confident it is, but maybe. It's been running this way for years.

    On-prem DAG with 2 Exchange, 2 CAS, 1 witness, all running Server 2012, Exchange 2013 CU20.

    We have one domain that is purposely restricted from outside so it has a **.local FQDN

    Here's what's going on: I have roughly 80 distribution lists that reside on-prem and are synced to Office 365. Others reside on 365.

    Almost all of my DLs that reside on-prem have lost all of their delegate permissions. For example Send-as, Send on Behalf, Full access. However, my mailboxes and shared mailboxes have their respective delegate permissions.

    I've hit them with PowerShell to see if they show, with no luck. I thought to myself, how can anyone send to them, then quickly realized "Because all Delegate Permissions are gone", which means they are wide open.

    Now, nothing had changed as far as configurations; I did apply updates the prior week, along with a restart.

    So what have I tried to resolve.

    First could not find much about this issue, doesn't seem like anyone has run into it before. 

    I rebuilt the ECP, OWA, and PowerShell virtual directories in the hope it was just a hiccup with data being presented.

    Now, the one thing that may have impacted it: right after this happened we had an issue with our primary Exchange server having a couple of BSOD episodes, but I resolved that issue. It was due to a VEEAM backup when snapshotting the server; during the STUN, netfs.sys timed out or went into protection. I adjusted thresholds to give some fudge room.

    Thank you, Thank you, Thank you, for even reading this one..


    Saturday, July 18, 2020 10:15 PM

All replies

  • Assuming it's enabled, search the admin audit log for any changes

    https://practical365.com/exchange-server/use-admin-audit-logging-track-admin-changes/

    P.S. There is a serious exploitation in Exchange fixed in updated versions of Exchange. I would get to the latest CU23 as soon as possible.
    Sunday, July 19, 2020 11:18 AM
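
One way to run the audit-log check suggested in this reply, from the on-premises Exchange Management Shell. This is an added example, not code posted in the thread; the 30-day window and the two CSV file names are assumptions. It covers Send As and Send on Behalf changes on groups and also records the current state of each group for comparison.

```powershell
# Added example. Assumed values: 30-day look-back and the two CSV file names.
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# The search only helps if admin audit logging was enabled when the change happened.
if (-not (Get-AdminAuditLogConfig).AdminAuditLogEnabled) {
    Write-Warning 'Admin audit logging is disabled; no entries will exist for this period.'
}

# Cmdlets that change Send As (an AD extended right) or Send on Behalf on a group.
$cmdlets = 'Add-ADPermission', 'Remove-ADPermission', 'Set-DistributionGroup'

# Who ran which cmdlet against which object, and with what parameters.
Search-AdminAuditLog -Cmdlets $cmdlets -StartDate $start -EndDate $end -ResultSize 5000 |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ Name = 'Parameters'; Expression = {
            ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } } |
    Sort-Object RunDate |
    Export-Csv -Path .\dl-permission-changes.csv -NoTypeInformation

# Snapshot of what each on-premises group has right now, to compare with the
# audit entries above and with any documentation of the intended delegates.
Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $group  = $_
    # Explicit (non-inherited) allow entries for the Send-As extended right.
    $sendAs = Get-ADPermission -Identity $group.DistinguishedName |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and
                       -not $_.IsInherited -and -not $_.Deny }
    [pscustomobject]@{
        Group                       = $group.Name
        SendAs                      = ($sendAs.User -join '; ')
        SendOnBehalf                = ($group.GrantSendOnBehalfTo -join '; ')
        # These two settings, not delegate rights, control who may send TO the group.
        RequireSenderAuthentication = $group.RequireSenderAuthenticationEnabled
        AcceptMessagesOnlyFrom      = ($group.AcceptMessagesOnlyFromSendersOrMembers -join '; ')
    }
} | Export-Csv -Path .\dl-permission-snapshot.csv -NoTypeInformation
```

An empty change log together with empty `SendAs` and `SendOnBehalf` columns means the removal did not go through an audited Exchange cmdlet in that window.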
  • Hi,

    As Andy suggested above, check the admin audit log to verify whether the permissions are changed by administrators.

    In addition, where are the delegators located? You may also try adding the delegate permissions manually and check the result again.

    Below is the official document that introduces the permissions in Exchange hybrid, for your reference as well:

    Permissions in Exchange hybrid deployments

    This Exchange Server 2013 - Administration, Monitoring, and Performance Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.

    Regards,

    Joyce Shen


    Microsoft Online: Migration and Coexistence forum will be migrating to a new home on Microsoft Q&A! We invite you to post new questions in the new forum.

    For more information, please refer to the sticky post.

    Monday, July 20, 2020 7:41 AM
  • Hi,

    Do the suggestions above help? If you have any questions or need further help on this issue, please feel free to post back. If the issue has been resolved, please mark the helpful replies as answers; this will make answer searching in the forum easier and be beneficial to other community members as well.

    Regards,

    Joyce Shen


    Thursday, July 23, 2020 1:02 AM