Figure out WHY/HOW user has Send As permission on mailboxes

Today I was informed that some employees are able to send from other users' mailboxes. We're talking Send As, not Send on Behalf. I did some initial looking around and cannot find any obvious reason why. I enabled mailbox auditing with PowerShell and sent an email to myself with the user's mailbox in the From field; auditing showed the following:

Operation                     : SendAs
OperationResult               : Succeeded
LogonType                     : Delegate

I'm hoping someone can give me some pointers on how to track down what group or delegation is granting the Send As permission. I am fairly new in this organization and the Exchange platform was set up by people no longer working for the organization. We are currently running Exchange 2010 with latest SP.

All suggestions appreciated. In advance, thank you.

March 24th, 2015 12:56pm

My question is how you guys would troubleshoot trying to track down where or how the SendAs permission is granted.

I assume it's some group being granted permissions it shouldn't have, or some group being a member of a group it shouldn't be a member of. 

March 24th, 2015 1:04pm

Try this...

Get-Mailbox "username" | Get-ADPermission | ? {$_.ExtendedRights -like "*send-as*"}

This will show you who all has 'Send As' permissions over that mailbox.

March 24th, 2015 1:12pm

Hi, no output, just like when I check Send As permissions on the same mailbox in Exchange Management Console. 

What's next on the list? :)

PS: To ensure the PowerShell command was run correctly I ran the same command towards an account I personally have added Send As permission on, and the output was correct.

March 24th, 2015 1:37pm

I agree with Josh, this is an AD setting, which is not always populated in EMC. This behavior is normal, see: https://support.microsoft.com/en-us/kb/2401524

You can easily disable manually in ADUC if these accounts have Send As enabled.

This might be helpful as well: https://technet.microsoft.com/en-us/library/bb676368(v=exchg.141).aspx

March 24th, 2015 1:43pm

Based on https://support.microsoft.com/en-us/kb/2401524 I ran the following command:

Get-ADPermission <mailboxname> | where {($_.extendedrights -like "*send-as*") -or ($_.accessrights -like "*GenericAll*")} | fl *

...and the following "users" are listed on User1, the account we are testing to send from:

NT AUTHORITY\SELF

nt authority\system

<Domain>\domain admins
<Domain>\organization management
<Domain>\exchange trusted subsystem
<Domain>\exchange servers
<Domain>\enterprise admins

Both I and two other colleagues in IT can send emails with User1 in the From field. I am a member of one of these groups, my 2 colleagues are not.

User2: I am able to send from this user's account, my 2 colleagues can't. I ran the same PowerShell command on User2 and the following "users" have Send As permission:

nt authority\system
<Domain>\organization management
<Domain>\exchange trusted subsystem

...however I am not a member of any of these groups. So this is very, very strange. Based on the output I do not understand how my 2 colleagues can send from User1, and I do not understand how I can send from User2.

Any other suggestions?

March 24th, 2015 2:41pm


Anyone? There must be some kind of way to trace or audit to get info on where the Send As permissions come from :S
March 25th, 2015 5:58am

This topic is archived. No further replies will be accepted.
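
An added example, not posted by anyone in the thread: one way to approach the question asked above is to list every ACE on the mailbox's AD object that can confer Send As, with its Deny and inheritance flags, and mark which trustees the sending account matches through direct or nested group membership. It assumes the Exchange Management Shell with the ActiveDirectory module available; `Get-SendAsTrace`, `User1` and `sender1` are hypothetical names.

```powershell
# Added example; 'User1' and 'sender1' are placeholder account names.
Import-Module ActiveDirectory

function Get-SendAsTrace {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,  # mailbox being sent from
        [Parameter(Mandatory = $true)][string]$Sender    # account that is able to send as it
    )

    # tokenGroups is the transitive set of group SIDs for the account (nested
    # groups and the primary group included), so indirect membership shows up.
    $user = Get-ADUser -Identity $Sender -Properties tokenGroups
    $sids = @($user.SID) + @($user.tokenGroups)
    $principals = @(foreach ($sid in $sids) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID: keep the raw SID string
    })
    # Trustees that cover every authenticated sender but never appear in tokenGroups.
    $principals += 'Everyone', 'NT AUTHORITY\Authenticated Users'

    # Every ACE that can confer Send As. Deny and IsInherited matter: a Deny
    # entry overrides an Allow, and an inherited entry is set on a parent
    # container rather than on the user object itself.
    Get-Mailbox -Identity $Mailbox | Get-ADPermission |
        Where-Object { ($_.ExtendedRights -like '*Send-As*') -or
                       ($_.AccessRights -like '*GenericAll*') } |
        ForEach-Object {
            $trustee = $_.User.ToString()
            $rights  = @($_.ExtendedRights) + @($_.AccessRights) | Where-Object { $_ }
            New-Object PSObject -Property @{
                Trustee         = $trustee
                Rights          = $rights -join ','
                Deny            = $_.Deny
                IsInherited     = $_.IsInherited
                AppliesToSender = $principals -contains $trustee
            }
        }
}

Get-SendAsTrace -Mailbox 'User1' -Sender 'sender1' |
    Sort-Object AppliesToSender -Descending |
    Format-Table Trustee, Rights, Deny, IsInherited, AppliesToSender -AutoSize
```

A row with AppliesToSender True and Deny False is a candidate source of the right; IsInherited True means the entry is set higher in the directory tree than the user object.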
