Exchange 2010 administrator role gives Send As to all mailboxes
One of these administrator roles is allowing my help desk personnel to Send As any other mailbox, but I can't tell which one. Is there a way to see exactly what permissions each role grants?

Mail Recipient Creation
Mail Recipients
Mail Tips
User Options

I'm guessing that Mail Recipients is the culprit, but how can I tell? And if that is the problem, how can I give my helpdesk access to manage mailboxes without giving them blanket permission to Send As any user at any time? I realize that they could always grant themselves Send As, but at least they'd have to go through an extra step and there would be an event log entry.
June 14th, 2011 4:48pm

No roles by default grant Send As permissions. I am not even aware that the roles can be modified to allow the permission to be set by adding them to a role. Therefore the Send As permission is being set in some other manner - probably group membership.

Simon.
Simon Butler, Exchange MVP
June 14th, 2011 5:32pm

reprac - Usually SendAs permissions are not set by default by any Exchange 2010 RBAC group. One good thing to check first would be to right-click the user account and click on Send-As in the Exchange Management Console. When that loads you can look at the groups of users and single user accounts that are listed. If the HelpDesk user is listed or a member of a group that is tied to multiple accounts, then that would be what you want to resolve.

Roles can be viewed by the following PowerShell command:

Get-ManagementRoleEntry "<Role>\*"

which will list out all of the commands that the role can perform.

Jason Apt
Microsoft Certified Master | Exchange 2010
June 14th, 2011 5:37pm

When I add my test user to my custom helpdesk role group, it can Send As any user in my domain. When I remove my test user from that role group, it can't Send As anyone. The only conclusion I can reach is that one of the roles I have assigned to that group is allowing me to Send As any other user.
June 14th, 2011 5:58pm

This test user has not been granted explicit Send As permissions to any mailboxes. That was the first thing I checked.
June 14th, 2011 6:01pm

Hi,

If you want to grant Send As permissions in Exchange 2010, you can use the Manage Send As Permission Wizard. In the Exchange Management Console, right-click the desired mailbox and then select Manage Send As Permission from the pop-up menu. In the Manage Send As Permission Wizard, click Add, and then use the Select Recipient dialog box to choose the user or users who should have this permission. To revoke this permission, select an existing user name in the Security Principal list box and then click Remove. Click Manage to set the desired Send As permissions.

An option to the Manage Send As Permission Wizard is the Exchange Management Shell. In the Exchange Management Shell, you can use the Add-ADPermission and Remove-ADPermission cmdlets to manage Send As permissions.

There are some links for your reference:

Title: Manage Send As Permissions for a Mailbox
URL: http://technet.microsoft.com/en-us/library/bb676368.aspx

Thx,
James
June 15th, 2011 4:34am

Sembee, I owe you an apology. I'm having two different problems that are confusing my test results. Changing group memberships in AD seems to take about an hour to take effect in Exchange. I don't know the cause of this yet, but that's another topic. You are correct. None of the administrator roles are giving Send As permission. The problem is caused by a permission setting in AD. The same group that has the administrator roles I listed above also has Full Control of the OU which holds these user account objects. I had no idea that granting Full Control in AD could affect Send As permission on a mailbox! I removed the Full Control permissions and then used the delegation wizard to grant only the permissions I wanted the help desk personnel to have. Problem solved. Thank you!
June 16th, 2011 10:55am

Exchange caches permissions. Therefore the delay that you are seeing is correct. In a default environment it can be up to two hours before a permission change is fully effective, and it is not recommended to change that caching configuration. Full Control shouldn't have granted Send As permission either, as the permission model has been changed. Full Control is only the full control of the object, nothing else. To access the mailbox specifically requires Full Mailbox Access and to send email as another user specifically requires Send As Permissions.

Simon.
Simon Butler, Exchange MVP
June 16th, 2011 12:15pm

I don't know what specific permission in AD was allowing me to Send As any user, but changing those permissions was definitely the fix. My test account was never listed in the Send As permissions on the mailboxes.
June 16th, 2011 12:51pm

"Send As" is explicitly listed in the permissions for "Descendant User objects" in AD.
June 17th, 2011 3:47pm
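
The thread traced the unexpected Send As to permissions set on the OU rather than on any mailbox or RBAC role. The following audit is an added example, not part of any post above: it lists ACEs on an OU that carry Send As or Full Control for a group, then lists the mailboxes under that OU where the right shows up as inherited. The OU distinguished name and the group name are placeholders.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Placeholder values (assumptions, not taken from the thread):
$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\HelpDesk'

# True for an allow ACE held by $group that carries the Send-As extended
# right, or GenericAll (Full Control), which includes all extended rights.
$grantsSendAs = {
    -not $_.Deny -and
    $_.User -like $group -and
    (($_.ExtendedRights -like 'Send-As') -or ($_.AccessRights -like '*GenericAll*'))
}

# 1. ACEs set on the OU itself. InheritanceType shows whether they apply
#    to descendant objects (the "Descendant User objects" entry in the GUI).
Get-ADPermission -Identity $ou |
    Where-Object $grantsSendAs |
    Format-Table User, AccessRights, ExtendedRights, InheritanceType, IsInherited -AutoSize

# 2. Mailboxes in the OU where the same right is inherited from a parent
#    container. These never appear as explicit per-mailbox Send As grants,
#    so filter on IsInherited to surface them.
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    ForEach-Object { Get-ADPermission -Identity $_.DistinguishedName } |
    Where-Object { $_.IsInherited -and (& $grantsSendAs) } |
    Select-Object Identity, User, AccessRights, ExtendedRights |
    Sort-Object Identity
```

An empty result from both queries after re-delegating the OU indicates the inherited grant is gone; allow for the permission caching delay mentioned above before re-testing Send As itself.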
