Users from OU can send as everyone in organization

    Question

  • I have a problem with Exchange 2013 in our organization: users from one OU can send messages as anyone in their parent OU. They don't have permission in Exchange to do it and they don't have permission in AD to send as another user.

    In the security tab, advanced, they only have permission to send as SELF (applies to: This object only) and their own account with parameters: Inherited from - none; Applies to - This object and all descendant objects.

    Users in this OU are admins but they aren't in Enterprise Admins and Domain Admins group.

    Tuesday, February 21, 2017 10:09 AM

All replies

  • Try this command:

    Get-Mailbox -Identity <user who they are sending as> | Get-ADPermission | where { $_.ExtendedRights -like "*send*" } | FT -auto User,ExtendedRights

    See if this outputs the OU you are talking about. What happens if you move the users out of that OU and into another OU: can they still send as users in the parent?


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Tuesday, February 21, 2017 2:28 PM
  • Hi,

    Are your users members of a group they shouldn't be? Meanwhile, an explicit allow at a lower level overrides an inherited deny at a higher level. If you don't want domain admins to access all mailboxes, remove the explicit allow and check the results.

    If it doesn’t work please run the command below to check who has what rights:

    Get-Mailbox | Get-ADPermission | Where-Object { ($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self") } | Select Identity, User

    Or

    Get-mailbox | where {$_.GrantSendOnBehalfTo -eq "cn=name,OU=organization name,DC=domain,dc=com"} | select name

    If you find any that have rights and they shouldn't you can adjust them.

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 22, 2017 7:05 AM
    Moderator
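Both replies above boil down to the same audit: list every Send-As entry on the mailboxes in the parent OU that is not the mailbox's own SELF, and look at whether it is an explicit (non-inherited) allow, since an explicit allow beats an inherited deny. The script below is an added example, not code from either reply; it assumes an Exchange 2013 management shell with the ActiveDirectory module available, and the OU path is a placeholder you replace with your own. It goes one step beyond the one-liners in the thread by expanding any group trustee to its user members, which is how users who hold no direct Send-As right on an object can still end up with it.

```powershell
# Added example (not from the thread): audit non-SELF Send-As ACEs on mailboxes in a parent OU.
# Assumptions: Exchange 2013 management shell, ActiveDirectory module installed,
# and $ParentOU replaced with the real DN (the value below is a placeholder).
param(
    [string]$ParentOU = "OU=Parent,DC=example,DC=com"   # placeholder, adjust for your domain
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve a trustee shown as DOMAIN\name to the set of user SamAccountNames it covers.
# A group trustee is expanded recursively; well-known principals resolve to nothing.
function Resolve-Trustee {
    param([string]$Trustee)
    $name = $Trustee.Split('\')[-1]
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -Properties objectClass
    if ($null -eq $obj) { return @() }
    if ($obj.objectClass -eq 'group') {
        return @(Get-ADGroupMember -Identity $name -Recursive |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty SamAccountName)
    }
    return @($name)
}

# One row per (mailbox, trustee) Send-As ACE, excluding the mailbox's own SELF entry.
$report = foreach ($mbx in Get-Mailbox -OrganizationalUnit $ParentOU -ResultSize Unlimited) {
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { ($_.ExtendedRights -like "*send-as*") -and ($_.User -notlike "NT AUTHORITY\SELF") } |
        ForEach-Object {
            $trustee = $_.User.ToString()
            [pscustomobject]@{
                Mailbox   = $mbx.Alias
                Trustee   = $trustee
                Deny      = $_.Deny          # $false means this ACE grants the right
                Inherited = $_.IsInherited   # $false means it was set directly on this object
                Members   = (Resolve-Trustee -Trustee $trustee) -join ';'
            }
        }
}

# Explicit allows (Inherited = False, Deny = False) are the entries to review first:
# they win over any inherited deny further up the OU tree.
$report | Sort-Object Inherited, Deny | Format-Table -AutoSize
```

Run it once from the parent OU and once from the OU the suspect users live in; a trustee whose Members column contains those users, on mailboxes they should not be able to impersonate, is the permission to remove or re-scope.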