Domain Admins - gets Send As against all mailboxes!


  • I thought that the Exchange Org cascaded a Deny for Send As/Recieve As against Domain Admins/Enterprise Admins - correction - It does cascade as I can see it.

    BUT - Domain Admins can still Send As/Receive As against every mailbox.

    Seems to come from 'user' class definition in the Schema.

    Has this always been the case or has something changed?

    Thursday, August 17, 2006 9:46 AM

All replies

  • Not sure what you are getting at here.

    The default permissions do include a Deny for Domain Admins/Enterprise Admins, but it also includes an Allow for those same rights.  However, since both permissions are inherited, the Deny trumps the allow.

    Also - Send As/Receive As = Full Mailbox Access, but does NOT include the ability to Send As a user.  Well, at least after applying one of the recent security patches.  Prior to this patch, I believe it did, but even then, the Deny would have applied.

    The only way to allow Domain Admins/Enterprise Admins this access is to manually override it b either removing the inherited Deny, or by explicitly setting an Allow at the Mailbox Store level.  It's been this way since Exchange 2000.

    Thursday, August 17, 2006 5:11 PM
  • What you have said should be true, but I have just run a clean install using the 32bit E2007 Beta 2 on an emptyW2K3 native domain.

    All Domain Admins have got Send As etc against all mailboxes..and the Deny is set at the Org level etc.

    The user objects all get a 'Domain Admins Full Control' explicitly set at the user object level so this overrides the Exchange settings.

    I don't need to change the mailbox store permissions at all.

    You also mention a recent security patch???

    Has my test environment built badly for this to happen?

    Friday, August 18, 2006 12:43 PM
  • Sorry - you didn't specify Exchange 2007.  Checking against my 2007 install.

    Yes - it appears this is right - I see the same thing, though I'd expect this to change prior to RTM.  Remember this is still Beta2.

    Can any of the MS folks comment on if security will be tightened prior to RTM?

    Friday, August 18, 2006 1:15 PM
  • Can anyone from MSFT comment on this finding or will DomAdmins etc get full access to all mailboxes in 2007?

    Tuesday, August 29, 2006 11:03 AM
  • From my whitepaper, Working with Active Directory Permissions in Exchange Server 2003:

    Why can domain administrators spoof mailbox-enabled user accounts in their domain?

    Active Directory includes a base set of permissions that can be applied against objects within the directory. In particular, Active Directory includes the Send As extended permission. By default, the Administrators group, the Domain Admins group, the Enterprise Admins group, and the Account Operators group have Send As permissions for all users. The Administrators group permissions and the Enterprise Admins group permissions are inherited from the domain level. The Account Operators group and the Domain Admins group receive explicit permissions that are based on the definition of the user object that is in the Active Directory schema.

    You may consider implementing a Deny "Send As" access control entry (ACE) against administrators for user objects in the domain. If you decide to implement a Deny "Send As" ACE against administrators for user objects in the domain, consider the following:

    An explicit Allow ACE will override an inherited Deny (in other words, explicit ACEs are applied before inherited ACEs).

    Members of the Domain Admins group are able to remove the Deny ACE and/or add an explicit Allow ACE.

    The addition of a Deny ACE may have additional consequences in your environment. For more information, see Where to Apply Permissions.

    If implementing a Deny "Send As" ACE against administrators for user objects in the domain puts your messaging environment at risk, you should implement one or more of the following:

    Limit the number of domain administrators in the domain by delegating specific tasks. For more information, see “Best Practices for Delegating Active Directory Administration” (

    Use auditing to monitor the account logon events for those accounts that are members of the Domain Admins group.



    Wednesday, August 30, 2006 9:40 PM