How do you give the administrator send as and receive as permission to all users in Exchange 2010

  • Question

  • I did this once with the ADSI edit tool.  I can't remember how now.  I did something like: 

    Configuration | Service | Exchange, uncheck send as and receive as explicit deny permission from Exchange Organization Level.

    I can't find this level this time.  Can it be done from the command shell too?  I want the Domain Administrators to have at least read rights to all mailboxes.  We are constantly looking at users' Outlook and it is easier to be able to do it from our own Outlook profiles.


    Thank You, Scott

    Saturday, March 24, 2012 9:05 PM

Answers

  • To test if it is the AdminSDholder process you could do the following:

    1. Create a new user account with a mailbox which is Not a member of the Domain Admins group.
    2. Run the earlier specified PowerShell command to give the newly created user full access permissions to all mailboxes
    3. Try to open a mailbox from another user from within the newly created user's Outlook


    Bart Timmermans | Technical Consultant at KPN Consulting
    Follow me @ My Blog | Linkedin | Twitter

    Please mark as Answer, if my post answers your Question. Vote as Helpful, if it is helpful to you.

    Saturday, March 24, 2012 11:55 PM
  • It works for everyone that is not in a protected group I'm guessing because other managers use this feature.  I have not created a special user as of yet.

    Thank You, Scott

    Wednesday, March 28, 2012 11:17 AM

All replies

  • Hi Scott,

    Can you try the following command:

    Get-OrganizationConfig | Add-ADPermission -user "Domain\Domain Admins" -ExtendedRights Send-As,Receive-As

    Kind regards,

    Bart Timmermans


    Bart Timmermans | Technical Consultant at KPN Consulting



    Saturday, March 24, 2012 9:15 PM
  • How about a single user?  In this case Scott?

    Thank You, Scott

    Saturday, March 24, 2012 9:16 PM
  • Hi Scott,

    To give only Scott rights on all mailboxes use the following command:

    Get-OrganizationConfig | Add-ADPermission -user "Domain\Scott" -ExtendedRights Send-As,Receive-As

    To give a user/group access to the mailbox of Scott use the following command:

    Add-ADPermission -Identity "Scott" -User "Domain\Domain Admins" -ExtendedRights Send-As,Receive-As

    Kind regards,

    Bart


    Bart Timmermans | Technical Consultant at KPN Consulting


    Saturday, March 24, 2012 9:20 PM
  • I also found where to do this using ADSI edit.  I assume I can add my user name there and check send as and receive as since the command below put this there...  Why not select Full Control?

    [PS] C:\Windows\system32>Get-OrganizationConfig | Add-ADPermission -user "LewisGroup\Scott" -ExtendedRights Send-As,Receive-As

    Identity             User                 Deny  Inherited
    --------             ----                 ----  ---------
    First Organization   LEWISGROUP\Scott     False False
    First Organization   LEWISGROUP\Scott     False False

    Look correct?


    Thank You, Scott

    Saturday, March 24, 2012 9:35 PM
  • Hi Scott,

    The results look great. I also use ADSIedit to check if the command did its work or to check AD replication. Full Control or send-/receive-as permissions all depends on your needs and compliance. Some organizations disallow full control on all mailboxes because you can read all messages from all users. I use send-/receive-as permissions most of the time for service accounts requiring to send mail as a specific user (for example: Blackberry Enterprise Server).

    Kind regards,

    Bart


    Bart Timmermans | Technical Consultant at KPN Consulting

    Saturday, March 24, 2012 9:39 PM
  • I need to actually just access the mailbox.  I will never send as.  I tried to access a mailbox after applying the command and cannot.  Should I apply full permissions?  If yes, what would the command shell command be for that?  I prefer to stay out of the ADSI editor.  :-)

    Also I am a member of the Domain Admins Group that has deny selected for send as and receive as if that matters.


    Thank You, Scott

    • Edited by Scott Tosti Saturday, March 24, 2012 9:43 PM
    Saturday, March 24, 2012 9:42 PM
  • Hi,

    For full access you can change the part after -ExtendedRights to -AccessRights FullAccess. So the command would look like:

    Get-OrganizationConfig | Add-ADPermission -user "LewisGroup\Scott" -AccessRights FullAccess

    Regards,

    Bart


    Bart Timmermans | Technical Consultant at KPN Consulting

    Saturday, March 24, 2012 9:49 PM
  • Did not like that...

    [PS] C:\Windows\system32>Get-OrganizationConfig | Add-ADPermission -user "LewisGroup\Scott" -AccessRights FullAccess
    Cannot process argument transformation on parameter 'AccessRights'. Cannot convert value "FullAccess" to type
    "System.DirectoryServices.ActiveDirectoryRights[]". Error: "Cannot convert value "FullAccess" to type
    "System.DirectoryServices.ActiveDirectoryRights" due to invalid enumeration values. Specify one of the following
    enumeration values and try again. The possible enumeration values are "CreateChild, DeleteChild, ListChildren, Self,
    ReadProperty, WriteProperty, DeleteTree, ListObject, ExtendedRight, Delete, ReadControl, GenericExecute, GenericWrite,
    GenericRead, WriteDacl, WriteOwner, GenericAll, Synchronize, AccessSystemSecurity"."
        + CategoryInfo          : InvalidData: (:) [Add-ADPermission], ParameterBindin...mationException
        + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-ADPermission


    Thank You, Scott

    Saturday, March 24, 2012 9:52 PM
  • Sorry Scott my fault. Could you try the following:

    Get-OrganizationConfig | Add-ADPermission -user "LewisGroup\Scott" -AccessRights GenericAll

    Hope this helps. Otherwise use:

    Get-MailboxDatabase | Add-ADPermission -user "LewisGroup\Scott" -AccessRights GenericAll


    Bart Timmermans | Technical Consultant at KPN Consulting



    Saturday, March 24, 2012 9:54 PM
  • That command worked but I still cannot open another users mailbox from my outlook.

    Thank You, Scott

    Saturday, March 24, 2012 9:59 PM
  • It could take some time but in the meantime could you run the following command for the problematic user:

    Get-ADPermission -Identity "UserMailbox"


    Bart Timmermans | Technical Consultant at KPN Consulting


    Saturday, March 24, 2012 10:03 PM
  • What does this command do?

    Does it matter that I am a member of the domain admin group and the send as and receive as are set to deny?


    Thank You, Scott

    Saturday, March 24, 2012 10:07 PM
  • Hi,

    This command only lists the current permissions on a user. It doesn't matter if you have send-as and receive-as set to deny, because GenericAll gives you full control over a user's mailbox.


    Bart Timmermans | Technical Consultant at KPN Consulting

    Saturday, March 24, 2012 10:09 PM
  • Ran Get-ADPermission -Identity "AP" and got nothing back.


    Thank You, Scott

    Saturday, March 24, 2012 10:16 PM
  • Hi,

    Did you run the Get-OrganizationConfig or the Get-MailboxDatabase command I gave?


    Bart Timmermans | Technical Consultant at KPN Consulting

    Saturday, March 24, 2012 10:17 PM
  • now I'm not sure...  What would you like me to run?

    My mailbox has full control as seen in adsi editor.  This is odd...


    Thank You, Scott

    Saturday, March 24, 2012 10:23 PM
  • No problem. It can really take some time before you can open the user's mailbox. The only problem I know about that could arise is a process called AdminSDholder which resets the send-as and receive-as rights on a time schedule. I think we need to check (within ADSIedit) tomorrow. I am going to bed now. I am from the Netherlands and it's almost 0:00 AM. Will contact you tomorrow.


    Bart Timmermans | Technical Consultant at KPN Consulting

    Saturday, March 24, 2012 10:28 PM
  • Thank You!!!

    FYI I went into the Exchange Management Console and checked the permissions.  I am on every mailbox.

    Then I took a test mailbox, right clicked it and selected Manage Full Access Permission.  I added another user there.  I logged into their PC and opened Outlook.  I went to Tools, Account Settings and added the test mailbox.  I hit Finish and it showed up in Outlook and I was able to access it without issue.  If it works from that level I wonder why it is not working for me with the shell command.  I will check in the AM.  I am in the Eastern time zone.


    Thank You, Scott

    Saturday, March 24, 2012 11:01 PM
  • If you want to configure Full Access in the EMS (as opposed to EMC), you have to use the Add-MailboxPermission cmdlet.

    Add-ADPermission works for Send As (and Receive As).

    http://technet.microsoft.com/en-us/library/aa996343(v=exchg.80).aspx

    I realize that's E2K7 but the concept remains the same.

    Here's for E2K10:

    http://technet.microsoft.com/en-us/library/aa996343.aspx

    ---

    I'm not sure if or how GenericAll would work. I'm also not sure that it would override any Deny permission.

    At least with permissions on folders, Deny usually takes precedence over Allow. 


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Saturday, March 24, 2012 11:23 PM
  • Hi Scott,

    Just tested it on my environment. Full access permissions on a user's mailbox from a domain admin account is not possible because of the AdminSDholder process. Full Access (GenericAll), send-as and receive-as permissions on a mailbox are reset by the AdminSDholder process. The AdminSDholder process is a process which protects Active Directory and Exchange functionality. For more information read http://tsmith.co/2011/what-is-adminsdholder/

    Microsoft best practice is to use an admin account for default Exchange management and to create a separate (non-domain admin) account to access mailboxes.


    Bart Timmermans | Technical Consultant at KPN Consulting

    Saturday, March 24, 2012 11:47 PM
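Added example (not part of the thread, and not Bart's or Microsoft's code): a diagnostic function that checks, for an account that cannot open a mailbox, the three things the posts above argue about: whether the account is AdminSDHolder-protected (adminCount), which explicit Deny Send-As/Receive-As ACEs sit on the Exchange organization object, and which ACEs are actually present on the target mailbox. It assumes the Exchange 2010 Management Shell on a domain-joined server; "LEWISGROUP\Scott" and "AP" are placeholders taken from the thread, and the function name is invented here.

```powershell
# Added diagnostic example; not from the original thread. Assumes the Exchange 2010
# Management Shell on a domain-joined server. "LEWISGROUP\Scott" and "AP" are
# placeholders for the account that cannot open a mailbox and that mailbox.

function Test-MailboxAccessBlockers {
    param(
        [Parameter(Mandatory=$true)] [string] $User,     # DOMAIN\sAMAccountName
        [Parameter(Mandatory=$true)] [string] $Mailbox   # mailbox identity (alias, SMTP, DN)
    )

    # 1. AdminSDHolder status. SDProp stamps adminCount=1 on members of protected
    #    groups (Domain Admins among them) and periodically rewrites the security
    #    descriptor of those accounts from CN=AdminSDHolder,CN=System, dropping
    #    ACEs added directly to them. It rewrites only the protected objects
    #    themselves; ACEs on other users' mailbox objects are not touched by SDProp.
    $sam = $User.Split('\')[-1]
    $hit = ([adsisearcher]"(sAMAccountName=$sam)").FindOne()
    if (-not $hit) { throw "AD account '$User' not found." }
    $adminCount = [int]($hit.Properties['admincount'] | Select-Object -First 1)
    # Direct group memberships only (memberOf does not expand nested groups).
    $groups = @($hit.Properties['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })

    # 2. Explicit Deny ACEs on the Exchange organization object. The Domain Admins
    #    Deny Send-As/Receive-As seen in ADSI Edit in the thread lives here and is
    #    inherited downwards. In ACE ordering a Deny is evaluated before an Allow
    #    from the same source (explicit or inherited), so knowing where the Deny
    #    sits tells you whether a later Allow can take effect.
    $orgDn = (Get-OrganizationConfig).DistinguishedName
    $orgDenies = Get-ADPermission -Identity $orgDn |
        Where-Object { $_.Deny -and ($_.ExtendedRights -match 'Send-As|Receive-As') } |
        Select-Object User, ExtendedRights, IsInherited

    # 3. What actually sits on the target mailbox for this account, on both
    #    layers: mailbox permissions (Full Access) and AD ACEs (Send-As/Receive-As).
    $mbxDn = (Get-Mailbox -Identity $Mailbox).DistinguishedName
    $mbxAces = Get-MailboxPermission -Identity $mbxDn |
        Where-Object { $_.User.ToString() -eq $User } |
        Select-Object User, AccessRights, Deny, IsInherited
    $adAces = Get-ADPermission -Identity $mbxDn -User $User |
        Select-Object User, ExtendedRights, AccessRights, Deny, IsInherited

    New-Object PSObject -Property @{
        User                     = $User
        AdminCount               = $adminCount
        ProtectedByAdminSDHolder = ($adminCount -eq 1)
        MemberOf                 = $groups
        OrgLevelDenies           = $orgDenies
        MailboxPermissions       = $mbxAces
        MailboxAdPermissions     = $adAces
    }
}

# Usage: Test-MailboxAccessBlockers -User "LEWISGROUP\Scott" -Mailbox "AP" | Format-List
```

Read the output as a whole: ProtectedByAdminSDHolder tells you whether grants made to the account's own object will survive the next SDProp pass, OrgLevelDenies shows whether the account (directly or through a group in MemberOf) inherits an explicit Deny from the organization, and the two mailbox lists show whether the grant that was attempted actually landed, and on which layer.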
  • I have a test environment.  I removed the send as and receive as in Exchange SP1 on the Domain Admin group and it worked fine.  This is a likely feature of SP2.

    I would be happy to test this.  What command should I run for the user called "email Admin"?

    Thanks


    Thank You, Scott


    • Edited by Scott Tosti Sunday, March 25, 2012 12:11 AM
    Sunday, March 25, 2012 12:11 AM
  • Hi Scott,

    When you want to access another mailbox you can use this way to grant the permission:

    Add-MailboxPermission -Identity usermailbox -User "Domain Admin" -AccessRights FullAccess

    You can know more detail from this document:

    Manage Full Access Permissions
    http://technet.microsoft.com/en-us/library/bb676551.aspx

    Per my knowledge, the full access permission is a mailbox permission; Add-ADPermission is used to add permission on an AD object. So you cannot use Add-ADPermission to add permission on the mailboxes. When you set send as or receive as permission, you can use Add-ADPermission; when you want to grant permission on the mailbox, you should use Add-MailboxPermission.

    Thanks,

    Evan Liu

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com 



    Evan Liu

    TechNet Community Support

    Monday, March 26, 2012 5:28 AM
    Moderator
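Added example (not from the thread, and not Evan's or Microsoft's code) that puts the distinction above into practice and also covers the test procedure from the Answers section: Full Access is granted through Add-MailboxPermission, Send-As (optionally) through Add-ADPermission, to a dedicated delegate account that the function first confirms is not AdminSDHolder-protected, and every grant is read back so the result reflects what is really on the mailbox. It assumes the Exchange 2010 Management Shell on a domain-joined server; "LEWISGROUP\EmailAdmin" is a placeholder for the separate account Scott plans to create, and the function name and its parameters are invented here.

```powershell
# Added example; not from the original thread. Assumes the Exchange 2010 Management
# Shell on a domain-joined server and a dedicated, non-protected delegate account.
# "LEWISGROUP\EmailAdmin" and the mailbox names are placeholders.

function Grant-MailboxAccessToDelegate {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)] [string] $Delegate,   # DOMAIN\sAMAccountName
        [string[]] $Mailbox,                               # identities; omit for every mailbox
        [switch]   $IncludeSendAs                          # also grant Send-As (AD extended right)
    )

    # Refuse protected accounts: the thread's own test is to use an account that is
    # NOT in Domain Admins. adminCount=1 marks accounts that SDProp (the
    # AdminSDHolder process) manages.
    $sam = $Delegate.Split('\')[-1]
    $hit = ([adsisearcher]"(sAMAccountName=$sam)").FindOne()
    if (-not $hit) { throw "AD account '$Delegate' not found." }
    if ([int]($hit.Properties['admincount'] | Select-Object -First 1) -eq 1) {
        throw "'$Delegate' has adminCount=1 (AdminSDHolder-protected); use a dedicated non-admin account."
    }

    $targets = if ($Mailbox) { $Mailbox | ForEach-Object { Get-Mailbox -Identity $_ } }
               else          { Get-Mailbox -ResultSize Unlimited }

    foreach ($mbx in $targets) {
        $dn = $mbx.DistinguishedName
        if ($PSCmdlet.ShouldProcess($mbx.Alias, "Grant FullAccess to $Delegate")) {
            # Full Access is a mailbox permission: Add-MailboxPermission, not Add-ADPermission.
            Add-MailboxPermission -Identity $dn -User $Delegate -AccessRights FullAccess | Out-Null
            if ($IncludeSendAs) {
                # Send-As is an AD extended right on the user object: Add-ADPermission.
                Add-ADPermission -Identity $dn -User $Delegate -ExtendedRights Send-As | Out-Null
            }
        }

        # Read the ACEs back instead of trusting the grant: a Deny entry or a
        # missing Allow shows up here, and this is what Outlook/OWA access depends on.
        $full = Get-MailboxPermission -Identity $dn |
            Where-Object { $_.User.ToString() -eq $Delegate -and -not $_.Deny -and
                           ($_.AccessRights -contains 'FullAccess') }
        $sendAsState = 'not requested'
        if ($IncludeSendAs) {
            $sendAs = Get-ADPermission -Identity $dn -User $Delegate |
                Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'Send-As') }
            $sendAsState = [bool]$sendAs
        }
        New-Object PSObject -Property @{
            Mailbox    = $mbx.Alias
            FullAccess = [bool]$full
            SendAs     = $sendAsState
        }
    }
}

# Usage (preview first, then two test mailboxes, then everything):
#   Grant-MailboxAccessToDelegate -Delegate "LEWISGROUP\EmailAdmin" -Mailbox "AP" -WhatIf
#   Grant-MailboxAccessToDelegate -Delegate "LEWISGROUP\EmailAdmin" -Mailbox "AP","Test" | Format-Table
#   Grant-MailboxAccessToDelegate -Delegate "LEWISGROUP\EmailAdmin" | Format-Table
```

With -WhatIf nothing is granted and the read-back columns simply report the current state, which makes the function usable as a plain audit of which mailboxes the delegate already has. If the Add-MailboxPermission in your service pack exposes an -AutoMapping parameter, passing -AutoMapping:$false keeps Outlook from loading every granted mailbox into the delegate's profile automatically, so mailboxes can be added by hand as Scott describes.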
  • It did not work...  We tried this already.

    Thank You, Scott

    Monday, March 26, 2012 11:05 AM
  • That command does just what you did (grant full access permission) in the Exchange Management Console.

    Please run this command to check whether your Domain Admin has been added on usermailbox or not:

    Get-mailboxPermission -identity usermailbox

    If you cannot see Domain Admin there, please follow Bart's suggestion to check whether that user is in the protected group.

    Thanks,

    Evan Liu


    Tuesday, March 27, 2012 2:07 AM
  • I see my account there.  I am a member of the domain admins group.  I cannot access mailboxes.  If I give a regular user full permissions from the EMC to a mailbox they can open that mailbox.  I believe Bart to be correct.  This is a feature of SP1 or SP2.  When Exchange came out I was able to access all mailboxes.  This is not a problem for me.  I was just wondering why it stopped working.  I will make a special user for this and call it EmailAdmin.  I have no doubt this will work.  I will add it from the ADSI editor in place of my account today.  I'm not a huge cmdlet guy...  :-)

    Thank You, Scott

    Tuesday, March 27, 2012 10:12 AM
  • If you see your account has been granted full access permission, go check whether you can open that mailbox in OWA.

    If you use one new created account (instead of your account) to test, will this issue occur or not?

    Thanks,
    Evan Liu


    Wednesday, March 28, 2012 7:07 AM
  • If so, this is because your account is in the protected group.

    Thanks,

    Evan Liu


    Thursday, March 29, 2012 9:35 AM
  • Hello,

    Any updates on this issue?

    Thanks,

    Evan Liu


    Friday, March 30, 2012 3:00 AM