Receive/Send as Permission Error for Secondary User/Mailbox

  • Question

  • Branching off of this thread, I have configured a new user/mailbox and am trying to assume full control of all its activities from my primary Exchange account.  I configured both the "Send As Permission" and "Full Access Permission" to include my primary Exchange account.  So far, I can successfully log in to the secondary Exchange mailbox from Outlook 2007, but when I try to change the "From" field to the secondary email address, I get the following error message:

    You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk.

    I've seen a few comments about flushing Exchange's cache and I've done so by restarting the Exchange Information Store Service. What am I overlooking or doing wrong?

    Thursday, June 2, 2011 4:26 PM

All replies

  • Ensure that the Send As permission has stuck. If you are a domain admin it may well have been removed.

    Also try selecting the second account from the GAL, rather than typing the address in, which will ensure that there are no resolution issues.

    Simon.


    Simon Butler, Exchange MVP
    Thursday, June 2, 2011 11:24 PM
  • Simon, my primary username "stuck" in both the Send As and Full Access permissions.

    I additionally went to "Active Directory Users and Computers" and enabled the Advanced View and went to the Security tab in the secondary username - enabled Full Control for my primary username.  Interestingly, it didn't work immediately, but when I tried a few hours later it worked!?  I'm going to repeat the steps again for a tertiary username just to make sure that I have the solution.

    I did come across research saying that both Exchange and Active Directory have "refresh" schedules that are a few hours in length.  Is this accurate? If so, what are the default values for when the respective components will refresh themselves?


    • Edited by cnvcap Friday, June 3, 2011 2:31 PM
    Friday, June 3, 2011 2:17 PM
  • Full control doesn't do what you think it does. It provides control over the Active Directory object, not the content.
    It may well be that you don't have inheritance enabled correctly, so the permissions cannot be read.

    Exchange permissions are cached for around two hours. Active Directory permissions are not cached as far as I am aware.
    You can reset the cache by restarting the information store service.

    Simon.


    Simon Butler, Exchange MVP
    Friday, June 3, 2011 2:28 PM
  • That's why I ask. :)  I do see some options in the ADUC under the Security tab for permissions that say:

    • Send as
    • Read account restrictions
    • Write account restrictions
    • Read Exchange Information
    • Write Exchange Information
    • Read Exchange Personal Information
    • Write Exchange Personal Information

    Wouldn't it make sense to allow these for the primary username on the secondary username?

    Friday, June 3, 2011 2:43 PM
  • You can give too many permissions with Exchange, and it can cause you problems.
    There is no need to grant anything other than Send As. No other permissions are required.

    Simon.


    Simon Butler, Exchange MVP
    Saturday, June 4, 2011 3:43 PM
  • Okay.  If I'm having the Send As emails associated to their corresponding account's Exchange Sent Items, is it okay if I enable the Write Exchange Information?

    On another note, I went ahead and created another sub-account last night and granted the following to the primary username:

    1. EMC - Full Access Permission
    2. EMC - Send Access Permission
    3. ADUC - Send As Permission under "Security"

    I'm getting the error message today for lack of permissions... any thoughts on what I'm missing?

    Sunday, June 5, 2011 7:10 PM
  • There was no need to do anything in ADUC. Just granting the two permissions in Exchange Management Console would be enough.

    Had you attempted to use the account before granting permissions?

    Have you tried granting another user permissions to confirm it isn't an issue with the primary account that you are trying to use?

    Simon.


    Simon Butler, Exchange MVP
    Sunday, June 5, 2011 10:34 PM
  • No, I hadn't tested the secondary (and tertiary) domain email accounts before.  I just logged in as each user and was able to successfully send from both of them.  I'm going to go ahead and create another test account where I just grant the Send As and Full Access permissions from EMC and nothing else.  Will restart the Information Store Service afterwards and report back in a little.

    *UPDATE* Successfully sent emails from the secondary accounts on the new primary account.  Now I'm at a loss on what I did to the first primary account... the only changes I knowingly made to it were the additional ADUC permissions and the registry change you had previously suggested for Exchange 2007 to have SEND AS emails drop into the corresponding SENT ITEMS mailbox.

    Tuesday, June 7, 2011 4:36 PM
  • I've been digging into it, and can tell you there is one other area the two accounts are different.  One is the SBS Network Administrator account that seems to have permissions everywhere...

    Is there a more detailed log that can illuminate what permissions are lacking?

    Friday, June 10, 2011 2:44 AM
  • If an account is a domain admin, then it will have an explicit deny on a number of settings. It is also not possible to set a Domain Admin account with certain other permissions - you can set it, but Exchange will remove it. That will be causing your problems.

    You can undo the protection, but I think SBS will put it back. Ideally you should be using a split account system - an admin account and a regular user account. This doesn't use more licences.

    Simon.


    Simon Butler, Exchange MVP
    • Marked as answer by cnvcap Saturday, June 11, 2011 9:07 PM
    Friday, June 10, 2011 11:48 AM
  • Thanks for your help Simon.

    I'm sure there's logic to the madness, but what a pain! :) I converted the primary account to a non-Admin account and still couldn't send as the secondary/tertiary accounts.  After some digging, it turned out Outlook was using an existing OAB for that account and the Default Global Address List wasn't populating with the test accounts I was trying to send as.  (Deleting the OAB files solved it)

    For anyone who is looking on how to do what I originally asked, here are my summarized, recommended steps:

    1. primary user account should be a "Standard User" in the SBS control panel
    2. go into the Exchange Management Console ("EMC") and create a new mailbox for a new user under "Recipient Configuration"
    3. right-click on that account and grant both "Send As" and "Full Access" permission to the aforementioned primary user account
    4. restart the Microsoft Exchange Information Store Service
    5. (optional) log on with the secondary Exchange account and do a test send
    6. (optional) if you've previously used Outlook for the primary user, delete the .OAB files for that account

    Outlook should open with the newly added secondary account shown in the Navigation Pane. When opening a new message in Outlook and clicking the "From" field, you should see the other accounts you want to send as.  It will not work otherwise.

     


    Saturday, June 11, 2011 9:07 PM
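
The checks discussed in this thread (whether Send As has stuck, whether a Deny entry overrides it, and whether the delegate is an admin account), as an added example for the Exchange Management Shell that is not part of the original posts. The account names `CONTOSO\primaryuser` and `secondaryuser` are placeholders, and the script only reads permissions; it changes nothing.

```powershell
# Added example: audit delegation on one mailbox from the Exchange Management Shell.
# Both identities below are placeholders, not values from the thread.
$Delegate = 'CONTOSO\primaryuser'   # account that should be able to send as the mailbox
$Mailbox  = 'secondaryuser'         # mailbox being delegated

# 1. Send As is an extended right on the mailbox user's AD object.
#    List every Send-As entry, not only the delegate's, so that a Deny
#    entry on a group the delegate belongs to is visible as well.
$sendAs = @(Get-ADPermission -Identity $Mailbox |
    Where-Object { $_.ExtendedRights -like '*Send-As*' })
$sendAs | Sort-Object Deny -Descending |
    Format-Table User, ExtendedRights, Deny, IsInherited -AutoSize

# 2. Full Access is a mailbox permission, separate from Send As.
$fullAccess = @(Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.AccessRights -like '*FullAccess*' })
$fullAccess | Sort-Object Deny -Descending |
    Format-Table User, AccessRights, Deny, IsInherited -AutoSize

# 3. adminCount = 1 flags an account that is, or has been, a member of a
#    protected administrative group such as Domain Admins.
$sam = $Delegate.Split('\')[-1]
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
[void]$searcher.PropertiesToLoad.Add('admincount')
$entry = $searcher.FindOne()
$isAdminAccount = $false
if ($entry -and $entry.Properties['admincount'].Count -gt 0) {
    $isAdminAccount = ($entry.Properties['admincount'][0] -eq 1)
}

# 4. Summarise: an Allow entry for the delegate with no Deny entries is the
#    state the thread's final steps aim for.
$allowSendAs = @($sendAs | Where-Object { $_.User -like $Delegate -and -not $_.Deny })
$denySendAs  = @($sendAs | Where-Object { $_.Deny })
$allowFull   = @($fullAccess | Where-Object { $_.User -like $Delegate -and -not $_.Deny })

"Send As allowed for delegate : {0}" -f ($allowSendAs.Count -gt 0)
"Send As Deny entries present : {0}" -f ($denySendAs.Count -gt 0)
"Full Access allowed          : {0}" -f ($allowFull.Count -gt 0)
"Delegate has adminCount = 1  : {0}" -f $isAdminAccount
```

If the last two lines both report True, the result matches the situation Simon describes for admin accounts, and using a separate standard user account for mail is the fix he recommends.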