Problems with granting Send-As permissions
I was trying to grant send-as permissions on a shared mailbox to a user recently and I noticed some strange happenings:
* When trying to use the Send As Permission wizard in the Exchange Management Console, it takes about 30 seconds before the wizard appears. By comparison, the Full Permission wizard appears almost straight away.
* Attempting to grant the permission, or even check permissions, in the Management Shell with Get-ADPermission results in an error message: Get-ADPermission : The operation could not be performed because object 'username' could not be found on domain controller 'DC.domain.com'.
* I've tried granting the user Send As access to the mailbox's AD account via AD Users and Computers. I've confirmed this is listed under the Effective Permissions tab, yet the user still can't send as that mailbox.
Am I missing something, or is there something to explain this behaviour? I can't see anything obvious in the event log of the Exchange server to explain it. The environment is a Windows 2003 level forest/domain with Exchange 2007. We recently migrated to Exchange 2007 from 2003. Thanks.
November 1st, 2010 8:59pm
Did the user account migrate from another forest?
Please make sure the account that performs the task has the "Active Directory Permissions" role on it:
Get-ManagementRoleAssignment -Role "Active Directory Permissions" -RoleAssignee Account
If the account doesn't have the role, please add the role to the account, or you can just add the account to the "Organization Management" group.
Then, please remove the "Send As" permission that you added before in ADUC, try to add the "Send As" permission again via EMS, and then wait 2 hours:
Add-ADPermission -Identity "Ellen Adams" -User AaronPainter -AccessRights ExtendedRight -ExtendedRights "send as" -Verbose
If the account has the correct role but the issue still appears, please perform the cmdlet above on a newly created test mailbox and see if the issue still occurs.
Please also check the application log on the Exchange server after reproducing the issue for relevant events.
Please run ExBPA against the Exchange servers for a health and permission check.
James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
November 1st, 2010 11:51pm
Hi James,
No, the user didn't migrate from another forest, the setup is a single forest, single domain.
The Get-ManagementRoleAssignment cmdlet doesn't work (maybe it's a 2010 cmdlet?). If I check the organisational configuration, the account I'm using is in a group which is in the Exchange Organization Administrators group.
Results from running the command you listed:
VERBOSE: Add-ADPermission : Beginning processing.
VERBOSE: Add-ADPermission : Searching objects "User_Mailbox" of type "ADRawEntry" under the root "$null".
VERBOSE: Add-ADPermission : Previous operation run on global catalog server 'dc.domain.com'.
VERBOSE: Add-ADPermission : Failed to read recipient 'User_Mailbox' from domain controller 'dc.domain.com'. Error:
The operation could not be performed because 'User_Mailbox' could not be found.
VERBOSE: Add-ADPermission : Searching objects "User_Mailbox" of type "ADRawEntry" under the root "$null".
VERBOSE: Add-ADPermission : Previous operation run on domain controller 'dc.domain.com'.
VERBOSE: Add-ADPermission : Failed to read recipient 'User_Mailbox' from domain controller 'dc.domain.com'. Error:
The operation could not be performed because 'User_Mailbox' could not be found.
VERBOSE: Add-ADPermission : Searching objects "User_Mailbox" of type "ADRawEntry" under the root "$null".
VERBOSE: Add-ADPermission : Previous operation run on global catalog server 'dc.domain.com'.
VERBOSE: Add-ADPermission : Failed to read recipient 'User_Mailbox' from domain controller 'dc.domain.com'. Error:
The operation could not be performed because 'User_Mailbox' could not be found.
Add-ADPermission : User_Mailbox was not found. Please make sure you have typed it correctly.
At line:1 char:17
+ Add-ADPermission <<<< -identity User_Mailbox -User otheruser -AccessRights Extendedright -ExtendedRights "send as" -Verbose
VERBOSE: Add-ADPermission : Ending processing.
I've checked the application log of the Exchange server I ran the command on and there's nothing in the event log that seems related to the issue. I get the same sort of error text when I run the command against a new test mailbox. I will run the ExBPA and post the details. Thanks.
November 2nd, 2010 7:48pm
Here are the results from the BPA health check:
Critical Issue - Unknown Schema extension version - detected version is 14622
Warning Issue - The 'gatewayProxy' attribute for Recipient Update Service 'Recipient Update Service (Enterprise Configuration)' contains old data that was not fully processed.
Is there anything I should look for in the permission check? Thanks.
November 2nd, 2010 9:29pm
Apologies for giving an Exchange 2010 cmdlet.
Please change the focus of EMS to the entire forest via EMS:
$AdminSessionADSettings.ViewEntireForest = $True
As the identity is looked up as an ADRawEntry, you need to put the exact display name of the user into the "Identity" parameter; please verify the display name of the user in ADUC. Other names will cause the identical symptom.
If the cmdlet still fails, please increase the diagnostic logging level on the following component, reproduce the issue, and then see if there's any related event in the application log:
MSExchangeIS\9000 Private\Send As
For the error "Unknown Schema extension version", please check the answer in this thread.
Resources:
$AdminSessionADSettings and you
How to Change Logging Levels for Exchange Processes
Invalid version attribute on the Exchange organization object
James Luo
November 2nd, 2010 10:23pm
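The root cause James points at is that Add-ADPermission -Identity resolves an ADRawEntry by display name (or distinguished name), while Get-Mailbox happily accepts an alias, SamAccountName or UPN. The following Exchange 2007 Management Shell script is an added example, not code from the thread or from Microsoft: it resolves the mailbox with Get-Mailbox first, hands the resulting distinguished name to Add-ADPermission so the spelling of the identity no longer matters, reads the grant back, and also audits which non-inherited Send-As grants exist across all mailboxes (useful for spotting delegation nobody remembers approving). The function names, the placeholder mailbox and user names, and the use of "Send-As" as the extended-right name (the form Get-ADPermission displays it in) are my assumptions.

```powershell
# Added example for an Exchange 2007 Management Shell session; not part of the original thread.
# Placeholder identities: replace "Shared_Mailbox" and "otheruser" with your own values.

# Exchange 2007 session variable from the thread: search the whole forest, not just the
# current domain, when resolving identities.
$AdminSessionADSettings.ViewEntireForest = $true

function Grant-SendAsPermission {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,   # alias, SamAccountName, UPN or display name
        [Parameter(Mandatory = $true)] [string] $Trustee    # account that should be able to send as the mailbox
    )

    # Get-Mailbox accepts any common identity format; failing here gives a clear
    # "mailbox not found" instead of the ADRawEntry lookup error seen in the thread.
    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

    # Fail early with a clear message if the trustee does not exist either.
    Get-User -Identity $Trustee -ErrorAction Stop | Out-Null

    # Pass the distinguished name, which Add-ADPermission always resolves, rather than a
    # SamAccountName like "Shared_Mailbox" that does not match the display name "Shared Mailbox".
    Add-ADPermission -Identity $mbx.DistinguishedName -User $Trustee `
        -AccessRights ExtendedRight -ExtendedRights "Send-As" -ErrorAction Stop | Out-Null

    # Read the grant back. Only explicit (non-inherited) allow entries are interesting here.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and ($_.ExtendedRights -like "*Send-As*") } |
        Select-Object Identity, User, ExtendedRights
}

function Get-SendAsGrantReport {
    # Audit helper: every explicit Send-As grant in the organization, so unexpected
    # delegations (for example ones left behind by a migration) stand out.
    Get-Mailbox -ResultSize Unlimited |
        Get-ADPermission |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and ($_.ExtendedRights -like "*Send-As*") } |
        Select-Object Identity, User |
        Sort-Object Identity, User
}

# Usage (placeholders):
Grant-SendAsPermission -Mailbox "Shared_Mailbox" -Trustee "otheruser"
Get-SendAsGrantReport | Format-Table -AutoSize
```

The -like comparison against the ExtendedRights collection returns the matching elements, so the Where-Object block is true only when a Send-As right is present. As the thread notes, the Information Store caches permissions, so a freshly added grant can take up to two hours to take effect for the sending user even though Get-ADPermission already shows it.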
Hi James,
It appears that using the display name worked. I had previously been using the login name which had underscores in it (ie. Mailbox_Name) while the display name had spaces (ie Mailbox Name). Thanks.
November 3rd, 2010 7:58pm
Glad to help.
James Luo
November 3rd, 2010 9:57pm