Is there a programmatic way to assign 'Send-As' without Add-ADPermission?

OK so we have some scripts that manage shared non-user accounts. When creating these accounts we often need to apply a 'Send-as' rule to them so users can send out as the account and not their own ID.


On 2007 I was able to use this command:

Add-ADPermission -Identity $permissIdentity -User $permissUser -ExtendedRights 'Send-as' -DomainController $script:dc

However, now that we're on Exchange 2013 this fails with "INSUFF_ACCESS_RIGHTS". It appears to be the way RBAC handles permissions and that the Active Directory/Exchange worlds are very separate now. This separation of duties blocks Exchange from doing this type of AD permission (and Add-ADPermission is an Exchange cmdlet, not an AD one).


Now I *can* go into Active Directory Users and Computers (ADUC), drill down into the Security tab and grant Send As that way. However, that's a manual process and we need it to be re-incorporated into our scripts. However, the 'Active Directory' module which I'm also importing does not appear to have any cmdlets that allow me to apply a security rule like that programmatically.

Is there a non-Exchange module/snap-in that I can use in PowerShell to apply 'Send-As' permissions to an account?


November 8th, 2014 3:46pm

Hi,

Based on my knowledge, there is no other related cmdlet to assign the Send As permission except the Add-ADPermission cmdlet. What's more, about this error "INSUFF_ACCESS_RIGHTS", I recommend you follow the steps below to verify if inheritance permission is enabled in ADUC.

ADUC -> Users -> right click the problematic user -> properties -> Security -> Advanced -> Enable inheritance.

Hope this can be helpful to you.

Best regards,

November 10th, 2014 3:25am
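
For the question asked in this thread, one route that does not go through the Exchange cmdlet is to edit the object's ACL via the ActiveDirectory module's AD: drive with Get-Acl/Set-Acl. This is an added example, not code from either poster; the function name `Grant-SendAs`, its parameters and the sample names are hypothetical, and it assumes the running account is allowed to modify permissions on the target object.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

function Grant-SendAs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,  # shared account, e.g. 'shared-helpdesk' (constructed)
        [Parameter(Mandatory)][string]$Trustee    # 'DOMAIN\user' or 'DOMAIN\group' (constructed)
    )

    # rightsGuid of the Send-As control access right in Active Directory
    $sendAs = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

    # Resolve both ends first so a typo fails before any ACL is touched
    $sid  = ([System.Security.Principal.NTAccount]$Trustee).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $path = 'AD:\' + (Get-ADUser -Identity $Identity -ErrorAction Stop).DistinguishedName
    $acl  = Get-Acl -Path $path

    # Explicit (non-inherited) ACEs, with trustees returned as SIDs for comparison
    $existing = $acl.GetAccessRules($true, $false,
                    [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.ObjectType -eq $sendAs -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        }
    if ($existing) {
        Write-Verbose "Send-As already granted to $Trustee on $path"
        return
    }

    # Allow ACE scoped to the Send-As extended right only, not all extended rights
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid,
            ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight),
            ([System.Security.AccessControl.AccessControlType]::Allow),
            $sendAs
    $acl.AddAccessRule($rule)

    # -WhatIf / -Confirm are honoured here, so a script can dry-run the change
    if ($PSCmdlet.ShouldProcess($path, "Grant Send-As to $Trustee")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Constructed usage: Grant-SendAs -Identity 'shared-helpdesk' -Trustee 'CONTOSO\jdoe' -WhatIf
```

Because the ACE names the Send-As GUID as its object type, the trustee receives only that right; an ExtendedRight ACE with an empty object type would grant every extended right on the account.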
