Exchange 2010 Administrator security broken - Domain Admins have Send-as and Receive-as right on all mailbox
Hi, I need a hand to restore the security on an Exchange 2010 infrastructure (2 mailbox servers, 2 Hub/CAS servers, TMG 2010). During the migration from Exchange 2003, I noticed that all the members of Account Operators, Domain Admins and Enterprise Admins are able to send as every user in the domain. Active Directory is based on Windows 2008 R2 domain controllers, single-site, single-domain forest; domain and forest functional level is 2003. What I think I knew from my previous experience is that Domain Admins and Enterprise Admins get full control on AD user objects, but then there is a deny on the Exchange Org. I checked in ADSI Edit, and the deny for send-as/receive-as is still in place for Domain Admins, inherited from the Exchange Org. After reading dozens of posts asking how to grant send-as to a service account for ExMerge, export-PST or BES, I need to do the opposite. I would like to know if there's a procedure to restore the permissions or if there's something I missed. Thanks in advance
September 24th, 2010 3:20am

Hi, if it's a BES-account-related permission then you can try:

Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

and have a look at this KB: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB02276. Do let us know whether we understood it right and in case more info is required.

Ripu Daman Mina | MCSE 2003 & MCSA Messaging
September 24th, 2010 8:17am

Hi Ripu, thanks for the answer. Actually there's a BES server, and a BESAdmin service account with send-as rights on all the mailboxes. My problem is that any user in the security groups Account Operators, Domain Admins and Enterprise Admins also has send-as on all AD user objects, and the deny send-as inherited at the Exchange Organization level doesn't seem to work as intended. This means that members of Account Operators have the ability to spoof the identity of other users. Regards
September 24th, 2010 9:25am

Hi, I'd suggest checking your permissions with ADSI Edit. Check the permissions on the following DN:

CN=<your organisation name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain name>,DC=<domain suffix>

The following users/groups should be denied at least the following permissions; be sure the permissions are inherited for "This object and all child objects":

Domain Admins: deny send-as, receive-as, store constrained delegation, store transport access, store read only access, store read and write access
Exchange Organization Administrators: deny send-as, receive-as
Organization Admins: deny send-as, receive-as, store constrained delegation, store transport access, store read only access, store read and write access
Organization Management: deny send-as, receive-as
Administrator: deny send-as, receive-as

Maybe you can post a "Get-MailboxPermission -id <anymailboxid> | fl" for further investigation. I hope this helps. Regards,
September 24th, 2010 10:16am
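The same check from the Exchange Management Shell instead of ADSI Edit, as an added example that is not part of the thread. It assumes Exchange 2010, the default group names listed in the reply above, and an account that can read the organization container's ACL.

```powershell
# Added example (not from the thread): list the Deny ACEs on the Exchange
# organization container for the admin groups the reply names.
# Assumes the Exchange 2010 Management Shell and default group names.

$orgDn  = (Get-OrganizationConfig).DistinguishedName   # CN=<org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,...
$groups = 'Domain Admins', 'Exchange Organization Administrators', 'Organization Admins',
          'Organization Management', 'Administrator'

function Get-OrgDenyAces {
    param([string]$Dn = $orgDn, [string[]]$Principals = $groups)

    Get-ADPermission -Identity $Dn | Where-Object { $_.Deny } | ForEach-Object {
        $ace  = $_
        $name = $ace.User.ToString().Split('\')[-1]        # strip the NetBIOS domain prefix
        if ($Principals -contains $name) {
            New-Object PSObject -Property @{
                User            = $ace.User.ToString()
                ExtendedRights  = (@($ace.ExtendedRights | ForEach-Object { $_.ToString() }) -join ', ')
                InheritanceType = $ace.InheritanceType     # expect 'All' for "this object and all child objects"
                IsInherited     = $ace.IsInherited
            }
        }
    }
}

# Print the deny entries; missing groups or missing rights show up as gaps in this list.
Get-OrgDenyAces | Sort-Object User | Format-Table User, ExtendedRights, InheritanceType -AutoSize
```

One caveat worth keeping in mind when reading the output: these ACEs sit on an object in the configuration partition and inherit only to objects below the organization container (servers, databases, address lists). Send-As is an extended right that is evaluated on the mailbox user's object in the domain partition, which is outside that subtree, so finding all the expected Deny entries here does not by itself show that administrators are blocked from sending as domain users.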

Hi, thanks for the hint. The correct deny permissions are in place in ADSI Edit at the Exchange Org level, as per your instructions. Here's a dump of a mailbox's permissions. Again, I cannot find anything wrong here, but still administrator accounts have the ability to spoof emails by sending as different users.

Get-MailboxPermission output (every entry has RunspaceId : a4bd1031-4d15-4761-8b4f-f1154ff3c46f, Identity : fakedomain.local/testOU/testAccount, InheritanceType : All, IsValid : True):

User                                AccessRights                                                          Deny   IsInherited
NT AUTHORITY\SELF                   FullAccess, SendAs, ReadPermission                                    False  False
Netbios\BesAdmin                    FullAccess                                                            False  True
Netbios\Domain Admins               FullAccess                                                            True   True
Netbios\Enterprise Admins           FullAccess                                                            True   True
Netbios\Organization Management     FullAccess                                                            True   True
Netbios\Administrator               FullAccess                                                            True   True
Netbios\Exchange Servers            FullAccess                                                            False  True
Netbios\Exchange Domain Servers     FullAccess                                                            False  True
Netbios\Organization Management     ReadPermission                                                        False  True
Netbios\Public Folder Management    ReadPermission                                                        False  True
NT AUTHORITY\SYSTEM                 FullAccess                                                            False  True
NT AUTHORITY\NETWORK SERVICE        ReadPermission                                                        False  True
Netbios\Exchange Servers            ReadPermission                                                        False  True
Netbios\Exchange Domain Servers     ReadPermission                                                        False  True
Netbios\Delegated Setup             ReadPermission                                                        False  True
Netbios\Organization Management     FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner  False  True
Netbios\Exchange Trusted Subsystem  FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner  False  True
Netbios\Administrator               FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner  False  True
Netbios\Enterprise Admins           FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner  False  True
Netbios\Domain Admins               FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner  False  True
September 24th, 2010 11:12am

The dump looks fine. I noticed there is no send-as permission for besadmin, and FullAccess does not include send-as, but I'm pretty sure your blackberry user can send e-mails as otherwise you'd have mentioned it. I just remembered that send-as rights are not displayed with Get-MailboxPermission as they are not applied on the mailbox but on the user object in AD. Just check the permissions on the DN DC=<domain name>,DC=<domain suffix> or maybe an OU below. This is where besadmin and others should get their send-as rights.
September 25th, 2010 6:19am
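The audit this reply points at, written out as an added example that is not part of the thread: walk the AD user objects behind the mailboxes and report who holds Send-As there, either as the extended right itself or through Full Control (GenericAll), which covers every extended right. It assumes the Exchange 2010 Management Shell; the OU name 'testOU' in the usage line is taken from the dump above.

```powershell
# Added example (not from the thread): Send-As is evaluated on the user object in
# the domain partition, so look there rather than at Get-MailboxPermission.
# Full Control (GenericAll) implies Send-As and is reported as well.
# Assumes the Exchange 2010 Management Shell.

function Get-SendAsHolders {
    param([string]$OrganizationalUnit)      # optional OU scope, e.g. 'testOU'

    $mailboxes = if ($OrganizationalUnit) {
        Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited
    } else {
        Get-Mailbox -ResultSize Unlimited
    }

    foreach ($mbx in $mailboxes) {
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
                ( (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Send-As') -or
                  ($_.AccessRights -contains 'GenericAll') )
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox     = $mbx.Alias
                    User        = $_.User.ToString()
                    Right       = $(if ($_.AccessRights -contains 'GenericAll') { 'GenericAll (implies Send-As)' } else { 'Send-As' })
                    Deny        = $_.Deny
                    IsInherited = $_.IsInherited      # False = explicit ACE on this user object
                }
            }
    }
}

Get-SendAsHolders -OrganizationalUnit 'testOU' |
    Sort-Object User, Mailbox |
    Format-Table Mailbox, User, Right, Deny, IsInherited -AutoSize
```

On a default domain this lists Domain Admins with an inherited GenericAll (Full Control granted at the domain root) and Account Operators with an explicit, non-inherited GenericAll on each user object (it is part of the default security descriptor of the user class). Neither of those entries is touched by the Deny ACEs on the organization container in the configuration partition, which is why the admins can still send as other users even though the org-level denies look correct.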

Hi Kelemvor, did you try to give the "Deny Send As" permission to the admin groups? E.g.:

Add-ADPermission -Identity "user mailbox" -User "Account Operators" -AccessRights ExtendedRight -ExtendedRights "Send-As" -Deny

You can also run Get-Mailbox and pipe the results to Add-ADPermission. Add-ADPermission: http://technet.microsoft.com/en-us/library/bb124403.aspx

After you run the cmdlet, you can check the permission with ADSIEDIT.MSC -> Default naming context -> user properties -> Security: "Send As" is Deny.

Frank Wang
September 27th, 2010 4:36am
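Frank's suggestion applied across all mailboxes, as an added example that is not part of the thread: preview with -WhatIf, commit, then verify that every mailbox user object carries an explicit Deny Send-As for each admin group. The group list is the one from the original post; it assumes the Exchange 2010 Management Shell and an account allowed to modify the user objects.

```powershell
# Added example (not from the thread): bulk Deny Send-As for the admin groups
# named in the original post, with a preview step and a verification step.
# Assumes the Exchange 2010 Management Shell and default group names.

$groups = 'Account Operators', 'Domain Admins', 'Enterprise Admins'

function Set-AdminSendAsDeny {
    param([switch]$Commit)       # without -Commit, Add-ADPermission runs with -WhatIf only

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        foreach ($g in $groups) {
            Add-ADPermission -Identity $mbx.DistinguishedName -User $g `
                -AccessRights ExtendedRight -ExtendedRights 'Send-As' -Deny `
                -WhatIf:(-not $Commit)
        }
    }
}

function Test-AdminSendAsDeny {
    # Returns one object per (mailbox, group) pair that still lacks a Deny Send-As ACE.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $denied = Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object { $_.Deny -and (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Send-As') } |
            ForEach-Object { $_.User.ToString().Split('\')[-1] }
        foreach ($g in $groups) {
            if (@($denied) -notcontains $g) {
                New-Object PSObject -Property @{ Mailbox = $mbx.Alias; MissingDenyFor = $g }
            }
        }
    }
}

Set-AdminSendAsDeny            # preview only
Set-AdminSendAsDeny -Commit    # write the Deny ACEs
Test-AdminSendAsDeny | Format-Table -AutoSize    # empty output means every mailbox is covered
```

Two caveats a practitioner will hit. First, these ACEs are explicit and non-inherited, so a mailbox created later will not have them; either re-run Test-/Set-AdminSendAsDeny after provisioning, or put one inheritable Deny on the domain root or the users' OU instead (Add-ADPermission on that DN with -InheritanceType Descendents -InheritedObjectType User). Second, user objects that are themselves members of protected groups have their DACL rewritten from CN=AdminSDHolder by SDProp, which discards explicit ACEs added directly to them, so a deny placed on such an account's object does not persist. The explicit Deny takes precedence over the Full Control these groups hold, whether that Full Control is explicit (Account Operators) or inherited (Domain Admins); Remove-ADPermission with the same parameters and -Deny rolls it back.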

Hi Kelemvor, any updates on your issue?

Frank Wang
September 28th, 2010 9:45pm

Hi Kelemvor, how about your question now?

Frank Wang
September 30th, 2010 4:45am

This topic is archived. No further replies will be accepted.
