How do I remove Domain Admins Send As settings for ALL users?
OK, I know this has been asked before, but the answer was not clear or did not apply to our set-up (see thread http://social.technet.microsoft.com/forums/en-US/exchangesvrgeneral/thread/c5efdfaf-33e4-4b35-8535-57aaaece401e/).

So, we have the same issue. Domain Admins can send email from their account as any other user on the network, including THE boss. (Still, my pay-rise got approved! Thanks, "boss".)

Obviously this needs to stop (I am removing users from the Domain Admins group, but this is going to take some time, and it wasn't my fault; I inherited this set-up), but there are no settings for Domain Admins within Exchange, nor is Domain Admins a member of any Exchange groups in AD.

Running the PowerShell command Remove-ADPermission for any user results in an error saying it cannot remove the Domain Admins "Send As" permission as it doesn't exist. YET... if I go into ADUC and go to the Security tab on any user, there it is... just sitting there, laughing at me... SEND AS... with a great big tick in it. Grrrrrrr.

So the question is: do I go through all 4000 users and remove this blot one at a time, or can I remove it from the top-level OU? Is removing this permission from all AD objects going to adversely affect Exchange's ability to send mail, or will the world end abruptly with a "Guru Meditation" error flashing over what used to be the UK? (Yeah, go on, pretend you can't remember the Guru Meditation error, I dare you!)
April 17th, 2009 1:52pm

The permission may be assigned via ADSIEdit. You could leverage ADSIEdit to set up a deny permission for Domain Admins to Send As other users. You should be careful when using ADSIEdit. You can look at this article that explains delegating using ADSIEdit: http://msexchangeteam.com/archive/2006/11/03/430350.aspx

BP
April 17th, 2009 6:18pm

Thanks Barda, appreciated, but again ADSIEdit will only let me do one user at a time or a whole OU, much the same as ADUC will. If these are the only ways of removing or denying "Send As", so be it, but it would be really fluffy and warm if I could do it in batches or the whole OU whilst being happy in the knowledge that Exchange is not going to stop swimming, roll over and float to the surface in a vain attempt to be flushed into the great messaging sea of defunct servers... if you get my drift.
April 17th, 2009 11:30pm

Are the users on Exchange 2003 or Exchange 2007? If it is Exchange 2003 you should be able to configure this in the ESM. I don't have access to my Exchange org atm, but I recall there being an option to configure server settings for these types of permissions.

BP
April 17th, 2009 11:35pm

Oh yeah, sorry. It's a 2007 server (well, actually 5 of them, but who's counting?). I'm just trying to secure the servers, but without restricting their functionality. It seems that MS have got a lot right with 2007, but sometimes simple stuff just seems a little complicated. Maybe it's just me being simple, not Exchange being complicated.
April 17th, 2009 11:52pm

Hi,

We recommend that accounts with elevated permissions, such as Domain Admin or Enterprise Admin accounts, should only be used for administration purposes and should not be used for daily activities such as email. These accounts should not even be mailbox-enabled. It is by design.

So far, the workaround is that we can set an explicit Deny for Send As at the user level for the existing user accounts:

Add-ADPermission -Identity <DN of the User> -User "Domain Admins" -ExtendedRights Send-As -Deny

Because new users will still receive the explicit permissions, we may go through the steps below to remove Send As from Domain Admins in the Schema. For the existing users, we can run the command above to set an explicit deny for Send As.

1. Click "Start", click "Run", type "mmc" in the "Open" box, and then click "OK".
2. On the "Console" menu, click "Add/Remove Snap-in".
3. Click "Add", click "Active Directory Schema", and then click "Add".
4. Click "Close", and then click "OK" to return to the console.
5. Expand "Active Directory Schema", and then expand "Classes".
6. Right-click "user", and then click "Properties".
7. Click the "Security" tab.
8. Click the "Account Operators" group.
9. For the "Send As" permission, click to clear the "Allow" check box.
10. Click the "Domain Admins" group.
11. For the "Send As" permission, click to clear the "Allow" check box.
12. Click "OK".
13. Quit the Active Directory Schema console.

More information to share with you:

285172 Schema Updates Require Write Access to Schema in Active Directory
http://support.microsoft.com/?id=285172

Exchange 2007 Permissions: Frequently Asked Questions
http://technet.microsoft.com/en-us/library/bb310792.aspx

Using Scripts to Manage Active Directory Security
http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx

Regards,
Xiu
April 20th, 2009 11:25am

Thanks Xiu, never thought about setting "Deny" rather than removing "Send As". That should work as I can batch it for all users.

As for the Domain Admins thing, I realise that it is a big no-no and I am taking steps to remove all users from this group, but as I said I inherited this domain and all the work needed is just taking some time as I have to do all this with 0% downtime... Sweet!

Top answer from top people. Thanks to all who contributed.

UPDATE: For those who want to know, the command is:

Add-ADPermission -Identity identity -User user -ExtendedRights Send-As -Deny

where identity is the mailbox you want the permission changed on, and user is the person you want to deny permission to.

This can be instigated in PowerShell to an entire organisation by the following (beware the -ResultSize switch; lots of mailboxes could cause major issues):

$mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mailbox in $mailboxes) {
    # DistinguishedName is unambiguous; Name can match more than one object
    Add-ADPermission -Identity $mailbox.DistinguishedName -User "Domain Admins" -ExtendedRights Send-As -Deny
}

Or you could do it by each server:

$server = Read-Host "enter server name"
$mailboxes = Get-Mailbox -Server $server -ResultSize Unlimited
foreach ($mailbox in $mailboxes) {
    Add-ADPermission -Identity $mailbox.DistinguishedName -User "Domain Admins" -ExtendedRights Send-As -Deny
}
April 20th, 2009 2:10pm
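An added example (not a script from this thread or from Microsoft) that combines Xiu's explicit-Deny workaround with the OP's whole-organisation loop: it first audits every mailbox for an effective Send-As grant to Domain Admins and only adds a Deny where no Deny ACE already exists, reporting by default and changing nothing unless -Apply is given. It assumes the Exchange 2007 Management Shell and a NetBIOS domain name of CONTOSO, which is a placeholder.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell.
# $DomainAdmins assumes the domain is called CONTOSO; change it to yours.
param(
    [string]$DomainAdmins = "CONTOSO\Domain Admins",
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

$report = @()

# -ResultSize Unlimited is needed to get past the default 1000-object limit,
# which is why the thread warns about it on large organisations.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # Only the ACEs for Domain Admins that carry the Send-As extended right.
    $aces = Get-ADPermission -Identity $mbx.DistinguishedName -User $DomainAdmins |
        Where-Object { "$($_.ExtendedRights)" -match "Send-As" }

    # Allow may be inherited from the OU or come from the schema default;
    # a Deny ACE always wins over an Allow, so Allow-without-Deny is the gap.
    $hasAllow = @($aces | Where-Object { -not $_.Deny }).Count -gt 0
    $hasDeny  = @($aces | Where-Object { $_.Deny }).Count -gt 0
    $needsFix = $hasAllow -and (-not $hasDeny)

    # "" | Select-Object builds a plain object on PowerShell v1 as well as v2.
    $row = "" | Select-Object Mailbox, Allow, Deny, NeedsFix
    $row.Mailbox  = $mbx.Identity
    $row.Allow    = $hasAllow
    $row.Deny     = $hasDeny
    $row.NeedsFix = $needsFix
    $report += $row

    if ($Apply -and $needsFix) {
        # Same cmdlet as Xiu's workaround; DistinguishedName avoids ambiguous names.
        Add-ADPermission -Identity $mbx.DistinguishedName -User $DomainAdmins `
            -ExtendedRights Send-As -Deny | Out-Null
    }
}

# Mailboxes that still need a Deny are listed first.
$report | Sort-Object NeedsFix -Descending |
    Format-Table Mailbox, Allow, Deny, NeedsFix -AutoSize
```

Run it once without -Apply and keep the report; a second run after -Apply should show NeedsFix as False everywhere, which is a cheap way to confirm the change took and to spot new mailboxes that picked the Allow up again before the schema default is removed.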
