locked
Exchange 2007 - Send As Permission keeps on resetting after 30 mins to 1 hour RRS feed

  • Question

  • Hi All,

    We have a few users who need to send an email as user A; however every time we provide them send as permission, it keeps resetting back every after 30 mins-1 hour. I have also tried checking the" include the inheritable permissions but still no luck

    Users was part of 2 security groups and we have already removed the security group itself. User A is part of an administration group and from what I have read on other forums I have set the admin count to "0", hoping that it would resolve the issue.

    ....but just in case anyone of you encountered and already resolved the issue, I'm posting this for some inputs..

    Thanks in advance.

    -Jheycie

    Monday, September 10, 2012 11:08 AM

Answers

  • That behavior is by design as you found out, the workaround is in the article below.

    The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server

    http://support.microsoft.com/kb/907434


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    • Proposed as answer by Castinlu Tuesday, September 11, 2012 3:09 AM
    • Marked as answer by Castinlu Monday, September 24, 2012 2:29 AM
    Monday, September 10, 2012 1:57 PM
  • On Mon, 10 Sep 2012 11:08:17 +0000, jheycie wrote:
     
    >
    >
    >Hi All,
    >
    >We have a few users who need to send an email as user A; however every time we provide them send as permission, it keeps resetting back every after 30 mins-1 hour. I have also tried checking the" include the inheritable permissions but still no luck
    >
    >Users was part of 2 security groups and we have already removed the security group itself. User A is part of an administration group and from what I have read on other forums I have set the admin count to "0", hoping that it would resolve the issue.
     
    If "A" is still a member of a group that is "privileged" the
    adminCount will be set back to 1. You have to remove the user from any
    groups (direct or transitive membership) that the adminSDHolder
    manages.
     
     
    http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx
    http://support.microsoft.com/kb/817433
    http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
     
     
    >....but just in case anyone of you encountered and already resolved the issue, I'm posting this for some inputs..
     
    Permissions don't disappear on their own. ;-)
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    • Marked as answer by Castinlu Monday, September 24, 2012 2:29 AM
    Monday, September 10, 2012 2:07 PM
  • On Wed, 12 Sep 2012 03:10:51 +0000, jheycie wrote:
     
    >Yes, it does say send on behalf, but this is after the permission for send as disappeared.
    >
    >I added her back on the setting and she was able to send again, but I am afraid that after 1 hour I need to place her as a delegate again.
     
    You can't have both "Send As" and "Send on behalf of" permission on
    the same mailbox.
     
    >Can you help me on how to run the Dsacls.exe tool in exchange 2007 or is there a similar tool I can use?
     
    Dsacls.exe isn't an Exchange tool, it's an AD tool.
     
    http://technet.microsoft.com/en-us/library/cc771151(v=ws.10).aspx
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    • Marked as answer by Castinlu Monday, September 24, 2012 2:29 AM
    Wednesday, September 12, 2012 3:38 AM

All replies

  • That behavior is by design as you found out, the workaround is in the article below.

    The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server

    http://support.microsoft.com/kb/907434


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    • Proposed as answer by Castinlu Tuesday, September 11, 2012 3:09 AM
    • Marked as answer by Castinlu Monday, September 24, 2012 2:29 AM
    Monday, September 10, 2012 1:57 PM
  • On Mon, 10 Sep 2012 11:08:17 +0000, jheycie wrote:
     
    >
    >
    >Hi All,
    >
    >We have a few users who need to send an email as user A; however every time we provide them send as permission, it keeps resetting back every after 30 mins-1 hour. I have also tried checking the" include the inheritable permissions but still no luck
    >
    >Users was part of 2 security groups and we have already removed the security group itself. User A is part of an administration group and from what I have read on other forums I have set the admin count to "0", hoping that it would resolve the issue.
     
    If "A" is still a member of a group that is "privileged" the
    adminCount will be set back to 1. You have to remove the user from any
    groups (direct or transitive membership) that the adminSDHolder
    manages.
     
     
    http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx
    http://support.microsoft.com/kb/817433
    http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
     
     
    >....but just in case anyone of you encountered and already resolved the issue, I'm posting this for some inputs..
     
    Permissions don't disappear on their own. ;-)
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    • Marked as answer by Castinlu Monday, September 24, 2012 2:29 AM
    Monday, September 10, 2012 2:07 PM
  • Thank you all for the input, however I am not quite sure how to use the Dsacls.exe in exchange 2007.

    Also, if it would help I have asked the user to send the error report to me, and this is what it shows:

    #MSEXCH:MSExchangeIS:/DC=local/DC=loopartners:LNP-EXCH-2K7[578:0x000004DC:0x0000001D] #SMTP#

     /O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=joanne #MSEXCH:MSExchangeIS:/DC=local/DC=loopartners:LNP-EXCH-2K7[578:0x000004DC:0x0000001D] #EX#

    Does this mean that this is caused of the user being a part of the first organization unit and an organization unit at the same time? Sorry for my ignorance, but consider this as a question from a newbie=)

    Tuesday, September 11, 2012 11:05 AM
  • thanks for the input too Rich, im still reading through some of them they definitely give me an idea..I will read and try again once I get home=)
    Tuesday, September 11, 2012 11:06 AM
  • On Tue, 11 Sep 2012 11:05:22 +0000, jheycie wrote:
     
    >Thank you all for the input, however I am not quite sure how to use the Dsacls.exe in exchange 2007.
    >
    >Also, if it would help I have asked the user to send the error report to me, and this is what it shows:
    >
    >#MSEXCH:MSExchangeIS:/DC=local/DC=loopartners:LNP-EXCH-2K7[578:0x000004DC:0x0000001D] #SMTP#
    >
    > /O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=joanne #MSEXCH:MSExchangeIS:/DC=local/DC=loopartners:LNP-EXCH-2K7[578:0x000004DC:0x0000001D] #EX#
     
    What does it say _above_ the diagnostic information? Does it mention
    "send on behalf"?
     
    Is the person you're trying to grant "Send As" permission already a
    delegate on the mailbox?
     
    >Does this mean that this is caused of the user being a part of the first organization unit and an organization unit at the same time?
     
    Say what?!
     
    >Sorry for my ignorance, but consider this as a question from a newbie=)
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Wednesday, September 12, 2012 12:59 AM
  • Hi Rich

    Yes, it does say send on behalf, but this is after the permission for send as disappeared.

    I added her back on the setting and she was able to send again, but I am afraid that after 1 hour I need to place her as a delegate again.

    Can you help me on how to run the Dsacls.exe tool in exchange 2007 or is there a similar tool I can use?


     

    Wednesday, September 12, 2012 3:10 AM
  • On Wed, 12 Sep 2012 03:10:51 +0000, jheycie wrote:
     
    >Yes, it does say send on behalf, but this is after the permission for send as disappeared.
    >
    >I added her back on the setting and she was able to send again, but I am afraid that after 1 hour I need to place her as a delegate again.
     
    You can't have both "Send As" and "Send on behalf of" permission on
    the same mailbox.
     
    >Can you help me on how to run the Dsacls.exe tool in exchange 2007 or is there a similar tool I can use?
     
    Dsacls.exe isn't an Exchange tool, it's an AD tool.
     
    http://technet.microsoft.com/en-us/library/cc771151(v=ws.10).aspx
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    • Marked as answer by Castinlu Monday, September 24, 2012 2:29 AM
    Wednesday, September 12, 2012 3:38 AM