Exchange 2007 Send As permission with a Distribution Group not working for DG members.
Greetings,

I consider myself a seasoned Exchange engineer with 10+ years in the product, so as you can imagine what I am trying to do is frustrating me as it *should* work, and I know I had it working in older versions of Exchange. :)

The desired outcome is to have a Distribution Group of users, and for anyone in that Group to be able to Send-As that group.

Here is the scenario I have reproduced in my lab: Take an average user mailbox and add it to a new mail-enabled Universal Security Group. When I add the AD object of the same Group with Send-As permissions to itself, or even add Send-As to the Self object on the Group's permissions, I always get back the error:

"You are not allowed to send this message because you are trying to send on behalf of another sender without permission to do so. Please verify that you are sending on behalf of the correct sender, or ask your system administrator to help you get the required permission."

Now if I add the user individually to the Group with Send-As permissions, it works fine.

So why isn't Exchange 2007 looking at Self or the Group being added to itself with Send-As permissions?

This is not an Exchange permissions caching issue, as I have restarted the Store between every test. I am pretty sure the permissions are working correctly as I have added them through the EMS as well as the ADUC Security tab with the same effect (the user versus the group). The user and group are not members of any group affected by AdminSDHolder. The user has logged off and on to confirm their security token reflects the change (not that this should matter to Exchange's logic checking in this scenario). AD replication isn't an issue as there are only 2 DCs in the lab, they are in the same site, and a few minutes is given after each change before restarting the store.

Ultimately we are looking for a way to tell Exchange that every member of the DG can send email as that DG by placing it on the FROM: line.

The current environments experiencing this issue are Exchange 2007 SP2 w/ RU1 and Exchange 2007 SP2 w/ RU2.

Has anyone gotten this to work in Exchange 2007? If so, did you do anything special?
February 10th, 2010 7:36pm

I think I know what's going on, but it's hard to explain. Because it's a mail-enabled security group, it becomes ambiguous as to whether that Send-As ACE is intended to apply to the group itself (as a discrete security principal), or to the members of the group.

Does it work if you use a separate, non-mail-enabled security group to assign the Send-As permission to the mail-enabled group?
February 10th, 2010 8:19pm

I had to have the user log off and back on again, and this time it worked with the second group being applied to the Send-As permissions.

So is there anything to be done about this? It used to work in older versions of Exchange, where you didn't need 2 groups or individual user permissions to let members of a DL/DG send email as that DL/DG. I.e. I would prefer not to re-invent the wheel because we are moving Exchange versions.

Thank you for the response btw, at least I know I am not crazy.
February 10th, 2010 9:21pm

I think it changed when Send-As became an AD permission. I'm afraid I don't have any more answers than that.
February 10th, 2010 9:50pm

So the steps below work, but let me add this disclaimer. Since you are a 10-year vet of Exchange you already know this, but for those who don't, here it is. You need to make the group a security group to allow members Send-As permission using the steps below, but in most cases mail-enabled groups should be distribution groups and not security groups. The reason I make this statement is because the more security groups users are members of, the larger their token size. I have seen large companies take down Exchange and many, many other applications because they let their token size grow out of control. With that said, here are the steps:

1. Went to the mail-enabled security group in ADUC and brought up the properties of the group.
2. Clicked on the Security tab, added the security group and provided Send As permissions.
3. Now the waiting game starts. You can determine when the permissions have been applied to the user accounts by navigating back to the Security tab of the security group and clicking Advanced > Effective Permissions, then typing in the name of a member of the security group.
4. When you see the Send As permission on the account you should be good to go.

Now if you are planning on doing this for a large number of groups, I would write a PowerShell script that adds Send-As permissions to the groups they are members of. It should be a pretty simple script to put together. If you're interested in putting the script together let me know and I can help you out.

Chris cbfive.com
February 11th, 2010 12:13am

Thanks for the reply Chris.

I did add the Universal mail-enabled Security Group to itself as permissions in ADUC with the Send As right, and even restarted the store (in production I waited a whole business day) with no luck.

So having followed your instructions I am unable to get a group to grant its own users permission to send as itself; I have to use the individual users or another security group like mjolinor suggested.

Anyone have any ideas why you can't use a group on itself, or even the Self permission in this manner?

Thanks!
February 11th, 2010 3:03am

I have tried the steps from my earlier post in a multitude of environments (pure Exchange 2007; mixed Exchange 2003 and Exchange 2007; mixed Exchange 2003, Exchange 2007 and Exchange 2010; modified the settings on domain controllers running Windows 2003 and Windows 2008). When I add the mail-enabled security group to the Security tab and provide Send As permissions it works in all my lab environments. I am able to send as the security group. The only thing I have to wait for is AD to replicate the permission.

So Hotfix, let me ask you this: can you confirm under the Effective Permissions tab in the advanced security of the mail-enabled security group that a member of the group shows as having Send As permission?

Thanks
Chris cbfive.com
February 11th, 2010 7:48pm

The second after I add the Mail Enabled Universal Security Group "Email Admins" to the Security tab of "Email Admins" with the Send As right, the group then shows up with Send As rights under the Effective Permissions tab when I select the "Email Admins" object as the "Group or user name" to check. In my lab I have only 2 DCs in the same site on the same switch, pretty much doing nothing but waiting to replicate. Even then I waited a few minutes after each security change before cycling the IS and trying again.

One thing to note: AD is Windows 2008 and Exchange is running on Windows 2008 in both instances. Is your environment 2008 or 2003 (both Exchange and AD)?

I have no idea why this isn't working. It *should* be working.
February 11th, 2010 11:00pm

Hi,

That's by design in Exchange 2007.

Principal Self (or Self): http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsfe_sid_yokv.mspx

"A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object."

The DL object doesn't have the "Security Principal" field filled, so the reverse look-up needed when DL members try to send a message doesn't work.

Thanks
Allen
February 12th, 2010 8:12am

Thanks for the response Allen. Assuming you mean that a mail-enabled Universal Security Group doesn't have a "security principal" field (which I don't quite understand why it wouldn't, based upon the text in the link you provided), then that information explains why the Self permission doesn't work with the Universal Groups. However, why wouldn't adding the group to its own permissions (i.e. using the actual group object and not the Self object) work in this Send-As scenario?

Honestly I don't care if Self or the group object is required to make this work, but you should be able to say anyone in the group can send as the group.
February 12th, 2010 7:43pm

Would it work any better using a DDG based on the membership of a non-mail-enabled security group? It's not perfect, but at least you'd only have one group to maintain.
February 13th, 2010 7:53pm

Sorry it took me so long to get back to you; my customers kept me pretty busy. Nevertheless, what I did is download a VHD file from Microsoft's website for Exchange 2007. Since I wanted to add pictures and provide better instructions I posted this as a blog at our site. Please let me know if you have any questions.

http://cbfive.com/blog/post/Send-As-Permissions-for-a-Mail-Enabled-Security-Group.aspx

Thanks,
Chris cbfive.com
February 17th, 2010 6:48pm

Did this fix your issue?

Chris cbfive.com
February 22nd, 2010 7:14am

I am unable to say this fixed the issue, as my testing in the lab has produced inconsistent results, even with rebooting the Exchange server to clear out anything cached. Your steps, which are the same ones I tried, should work. I just don't understand why they don't sometimes.

I will mark your previous post as the answer because it should be the answer, and will just tell my customers we can't guarantee it will work.
March 8th, 2010 5:07pm

Is the mail-enabled security group you're using a member of a protected group, or has it ever been a member of a protected group (does the group have a non-zero admincount property)?
March 8th, 2010 5:20pm
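Added example (my own code, not from any post in this thread, and not from the cbfive.com blog). It scripts the one arrangement the original poster reported working: a separate, non-mail-enabled security group holding the DG's members, granted Send-As on the mail-enabled group (mjolinor's suggestion), with the scripted grant Chris offered and the adminCount check mjolinor just raised. It assumes the Exchange 2007 Management Shell, a DC in reach, and that both group names below are placeholders you replace; the sender group is assumed to already exist.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell.
# Both names are assumptions; replace them with your own groups.
$MailGroup   = "Email Admins"          # mail-enabled universal security group whose address goes on From:
$SenderGroup = "Email Admins SendAs"   # ordinary (non-mail-enabled) security group; assumed to exist already

# --- 1. AdminSDHolder check. A group with a non-zero adminCount is (or was) protected:
#        SDProp rewrites its ACL from CN=AdminSDHolder on a schedule, silently dropping any Send-As ACE.
$dg   = Get-DistributionGroup -Identity $MailGroup -ErrorAction Stop
$dgAd = [ADSI]("LDAP://" + $dg.DistinguishedName)
$adminCount = $dgAd.Properties["adminCount"].Value
if ($adminCount) {
    Write-Warning "$MailGroup has adminCount=$adminCount; AdminSDHolder will overwrite its ACL. Resolve that first."
}

# --- 2. Mirror membership: every direct member of the mail-enabled group is added to the sender
#        group, so the Send-As ACE is granted to a principal that actually appears in members' tokens.
$senderAd = [ADSI]("LDAP://" + (Get-Group -Identity $SenderGroup -ErrorAction Stop).DistinguishedName)
$current  = @($senderAd.Properties["member"])
foreach ($m in Get-DistributionGroupMember -Identity $MailGroup) {
    if ($current -notcontains $m.DistinguishedName) {
        $senderAd.Add("LDAP://" + $m.DistinguishedName)   # IADsGroup::Add commits immediately
        Write-Host "Added $($m.Name) to $SenderGroup"
    }
}

# --- 3. Grant Send-As on the mail-enabled group to the sender group (idempotent).
$hasAce = Get-ADPermission -Identity $MailGroup | Where-Object {
    $_.User.ToString() -like "*\$SenderGroup" -and $_.ExtendedRights -like "*Send-As*" -and -not $_.Deny
}
if (-not $hasAce) {
    Add-ADPermission -Identity $MailGroup -User $SenderGroup -ExtendedRights "Send-As" | Out-Null
    Write-Host "Granted Send-As on $MailGroup to $SenderGroup"
}

# --- 4. Verify the way the access check will see it: each member's tokenGroups (computed by the DC,
#        so nested membership counts) must contain the sender group's SID. A user added in step 2
#        still needs a fresh logon before their own session token picks the group up.
$senderSid = New-Object System.Security.Principal.SecurityIdentifier($senderAd.Properties["objectSid"].Value, 0)
foreach ($m in Get-DistributionGroupMember -Identity $MailGroup) {
    if ($m.RecipientType -notlike "*User*") { continue }   # tokenGroups is only meaningful on users
    $u = [ADSI]("LDAP://" + $m.DistinguishedName)
    $u.RefreshCache(@("tokenGroups"))                      # constructed attribute; must be requested explicitly
    $sids = $u.Properties["tokenGroups"] | ForEach-Object { New-Object System.Security.Principal.SecurityIdentifier($_, 0) }
    $ok = $sids | Where-Object { $_ -eq $senderSid }
    "{0,-30} Send-As via {1}: {2}" -f $m.Name, $SenderGroup, $(if ($ok) { "YES" } else { "NO (replication? group scope?)" })
}
```

Step 4 is the check worth keeping even if you grant Send-As some other way: the ACE is evaluated against the sender's token, so a "NO" there explains the "not allowed to send this message" error independently of what the Security tab shows. Re-run the script on a schedule (or from whatever process changes the DG) to keep the two memberships in step, which is the maintenance cost mjolinor's DDG idea was trying to avoid.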

OK, to be able to send as the group name, you can add the users into the Universal distribution group and then go to Permissions and make sure SELF is allowed.

/* Server Support Specialist */
February 24th, 2011 10:22pm

Interesting point. I will try that the next time this comes up at work.
February 25th, 2011 4:27am
