Problems with granting Send-As permissions
I was trying to grant send-as permissions on a shared mailbox to a user recently and I noticed some strange happenings:

* When trying to use the Send As Permission wizard in the Exchange Management Console, it takes about 30 seconds before the wizard appears. By comparison, the Full Permission wizard appears almost straight away.
* Attempting to grant the permission or even check permissions in the Management Shell with Get-ADPermission results in an error message:

    Get-ADPermission : The operation could not be performed because object 'username' could not be found on domain controller 'DC.domain.com'.

* I've tried granting the user Send As access to the mailbox's AD account via AD Users and Computers. I've confirmed this is listed under the effective permissions tab, yet the user still can't send as that mailbox.

Am I missing something or is there something to explain this behaviour? I can't see anything obvious in the event log of the Exchange server to explain it.

The environment is a Windows 2003 level forest/domain with Exchange 2007. We recently migrated to Exchange 2007 from 2003.

Thanks.
November 1st, 2010 8:59pm

Does the user account migrate from another forest?

Please make sure the account that performs the task has the "Active Directory Permissions" role on it:

    Get-ManagementRoleAssignment -Role "Active Directory Permissions" -RoleAssignee Account

If the account doesn't have the role, please add the role to the account, or you can just add the account to the "Organization Management" group.

Then, please remove the "Send As" permission that you added before in ADUC, try to add the "Send As" permission again via EMS, and then wait 2 hours:

    Add-ADPermission -Identity "Ellen Adams" -User AaronPainter -AccessRights ExtendedRight -ExtendedRights "send as" -Verbose

If the account has the correct role but the issue still appears, please run the cmdlet above on a newly created test mailbox and see if the issue still occurs.

Please also check the application log on the Exchange server after reproducing the issue for relevant events.

Please run ExBPA against the Exchange servers for a health and permission check.

James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
November 1st, 2010 11:51pm

Hi James,

No, the user didn't migrate from another forest, the setup is a single forest, single domain.

The Get-ManagementRoleAssignment cmdlet doesn't work (maybe it's a 2010 cmdlet?). If I check the organisational configuration, the account I'm using is in a group which is in the Exchange Organization Administrators group.

Results from running the command you listed:

    VERBOSE: Add-ADPermission : Beginning processing.
    VERBOSE: Add-ADPermission : Searching objects "User_Mailbox" of type "ADRawEntry" under the root "$null".
    VERBOSE: Add-ADPermission : Previous operation run on global catalog server 'dc.domain.com'.
    VERBOSE: Add-ADPermission : Failed to read recipient 'User_Mailbox' from domain controller 'dc.domain.com'. Error: The operation could not be performed because 'User_Mailbox' could not be found.
    VERBOSE: Add-ADPermission : Searching objects "User_Mailbox" of type "ADRawEntry" under the root "$null".
    VERBOSE: Add-ADPermission : Previous operation run on domain controller 'dc.domain.com'.
    VERBOSE: Add-ADPermission : Failed to read recipient 'User_Mailbox' from domain controller 'dc.domain.com'. Error: The operation could not be performed because 'User_Mailbox' could not be found.
    VERBOSE: Add-ADPermission : Searching objects "User_Mailbox" of type "ADRawEntry" under the root "$null".
    VERBOSE: Add-ADPermission : Previous operation run on global catalog server 'dc.domain.com'.
    VERBOSE: Add-ADPermission : Failed to read recipient 'User_Mailbox' from domain controller 'dc.domain.com'. Error: The operation could not be performed because 'User_Mailbox' could not be found.
    Add-ADPermission : User_Mailbox was not found. Please make sure you have typed it correctly.
    At line:1 char:17
    + Add-ADPermission <<<< -identity User_Mailbox -User otheruser -AccessRights Extendedright -ExtendedRights "send as" -Verbose
    VERBOSE: Add-ADPermission : Ending processing.

I've checked the application log of the Exchange server I ran the command on and there's nothing in the event log that seems related to the issue.

I get the same sort of error text when I run the command against a new test mailbox.

I will run the ExBPA and post the details.

Thanks.
November 2nd, 2010 7:48pm

Here are the results from the BPA health check:

* Critical Issue - Unknown Schema extention version - detected version is 14622
* Warning Issue - The 'gatewayProxy' attribute for Recipient Update Service 'Recipient Update Service (Enterprise Configuration)' contains old data that was not fully processed.

Is there anything I should look for in the permission check?

Thanks.
November 2nd, 2010 9:29pm

I apologize for giving an Exchange 2010 cmdlet.

Please change the focus of EMS to the entire forest via EMS:

    $AdminSessionADSettings.ViewEntireForest = $True

As the id is looking for ADRawEntry, you need to put the exact display name of the user into the "Identity" parameter. Please verify the display name of the user in ADUC. Other names will cause the identical symptom.

If the cmdlet still fails, please increase the diagnostic logging level on the following component, reproduce the issue, and then see if there's any related event in the application log:

    MSExchangeIS\9000 Private\Send As

For the error "Unknown Schema extension version", please check the answer in this thread.

Resources:

* $AdminSessionADSettings and you
* How to Change Logging Levels for Exchange Processes
* Invalid version attribute on the Exchange organization object

James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
November 2nd, 2010 10:23pm

Hi James,

It appears that using the display name worked. I had previously been using the login name, which had underscores in it (i.e. Mailbox_Name), while the display name had spaces (i.e. Mailbox Name).

Thanks.
November 3rd, 2010 7:58pm

Glad to help.

James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
November 3rd, 2010 9:57pm
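
The identity mismatch resolved above can be sidestepped by looking the mailbox up first and passing its distinguished name to Add-ADPermission, then listing the explicit Send-As grants to confirm who holds the right. This is an added example, not code from the thread; 'Mailbox_Name' and 'DOMAIN\otheruser' are placeholders, and it assumes the Exchange 2007 Management Shell and that Get-Mailbox resolves the mailbox alias.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# 'Mailbox_Name' and 'DOMAIN\otheruser' are placeholders.

function Resolve-MailboxDN {
    param([string]$Alias)
    # Search the whole forest, as suggested in the thread.
    $AdminSessionADSettings.ViewEntireForest = $true
    # Assumption: Get-Mailbox accepts the alias/login name, unlike the
    # ADRawEntry lookup that failed in the verbose output above.
    $mbx = @(Get-Mailbox -Identity $Alias -ErrorAction SilentlyContinue)
    if ($mbx.Count -ne 1) {
        throw "Expected exactly one mailbox for '$Alias', found $($mbx.Count)."
    }
    # The distinguished name is unambiguous, so no display-name guessing.
    $mbx[0].DistinguishedName
}

function Get-ExplicitSendAs {
    param([string]$DN)
    # List only explicit (non-inherited) Send-As entries, skipping the
    # mailbox's own SELF entry, so unexpected grants stand out.
    Get-ADPermission -Identity $DN |
        Where-Object {
            ($_.ExtendedRights -like '*Send-As*') -and
            (-not $_.IsInherited) -and
            ($_.User -notlike 'NT AUTHORITY\SELF')
        } |
        Select-Object User, Deny, ExtendedRights
}

$dn = Resolve-MailboxDN 'Mailbox_Name'

# Grant Send As on the resolved object, then show the resulting grants.
Add-ADPermission -Identity $dn -User 'DOMAIN\otheruser' `
    -AccessRights ExtendedRight -ExtendedRights 'Send As'

Get-ExplicitSendAs $dn
```

Running Get-ExplicitSendAs on its own is a quick way to review which accounts can send as a shared mailbox before and after a change.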
