Receive/Send as Permission Error for Secondary User/Mailbox
Branching off of this thread, I have configured a new user/mailbox and am trying to assume full control of all its activities from my primary Exchange account. I configured both the "Send As Permission" and "Full Access Permission" to include my primary Exchange account. So far, I can successfully login to the secondary Exchange mailbox from Outlook 2007, but when I try to change the "From" field to the secondary email address, I get the following error message: You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk. I've seen a few comments about flushing Exchange's cache and I've done so by restarting the Exchange Information Store Service. What am I overlooking or doing wrong?
June 2nd, 2011 7:26pm

Ensure that the Send As permission has stuck. If you are a domain admin it may well have been removed. Also try selecting the second account from the GAL, rather than typing the address in, which will ensure that there are no resolution issues. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
Free Windows Admin Tool Kit Click here and download it now
June 3rd, 2011 2:24am

Simon, my primary username "stuck" in both the Send As and Full Access permissions. I additionally went to "Active Directory Users and Computers" and enabled the Advanced View and went to the Security tab in the secondary username - enabled Full Control for my primary username. Interestingly, it didn't work immediately, but when I tried a few hours later it worked!? I'm going to repeat the steps again for a tertiary username just to make sure that I have the solution. I did come across research saying that both Exchange and Active Directory have "refresh" schedules that are a few hours in length. Is this accurate? If so, what are the default values for when the respective components will refresh themselves?
June 3rd, 2011 5:17pm

Full control doesn't do what you think it does. It provides control over the Active Directory object, not the content. It may well be that you don't have inheritance enabled correctly, so the permissions cannot be read. Exchange permissions are cached for around two hours. Active Directory permissions are not cached as far as I am aware. You can reset the cache by restarting the information store service. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
Free Windows Admin Tool Kit Click here and download it now
June 3rd, 2011 5:28pm

That's why I ask. :) I do see some options in the ADUC under the Security tab for permissions that say: Send as Read account restrictions Write account restrictions Read Exchange Information Write Exchange Information Read Exchange Personal Information Write Exchange Personal Information Wouldn't it make sense to allow these for the primary username on the secondary username?
June 3rd, 2011 5:43pm

You can give too many permissions with Exchange, and it can cause you problems. There is no need to grant anything other than Send As. No other permissions are required. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
Free Windows Admin Tool Kit Click here and download it now
June 4th, 2011 6:43pm

Okay. If I'm having the Send As emails associated to their corresponding account's Exchange Sent Items, is it okay if I enable the Write Exchange Information? On another note, I went ahead and created another sub-account last night and granted the following to the primary username: 1) EMC - Full Access Permission 2) EMC- Send Access Permission 3) ADUC - Send As Permission under "Security" I'm getting the error message today for lack of permissions... any thoughts on what I'm missing?
June 5th, 2011 10:10pm

There was no need to do anything in ADUC. Just granting the two permissions in Exchange Management Console would be enough. Had you attempted to use the account before granting permissions? Have you tried granting another user permissions to confirm it isn't an issue with the primary account that you are trying to use? Simon.Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
Free Windows Admin Tool Kit Click here and download it now
June 6th, 2011 1:34am

No, I hadn't tested the secondary (and tertiary) domain email accounts before. I just logged in as each user and was able to successfully send from both of them. I'm going to go ahead and create another test account where I just grant the Send As and Full Access permissions from EMC and nothing else. Will restart the Information Store Service afterwards and report back in a little. *UPDATE* Successfully sent emails from the secondary accounts on the new primary account. Now I'm at a loss on what I did to the first primary account... the only changes I knowingly made to it were the additional ADUC permissions and the registry change you had previously suggested for Exchange 2007 to have SEND AS emails drop into the corresponding SENT ITEMS mailbox.
June 7th, 2011 7:36pm

I've been digging into it, and can tell you there is one other area the two accounts are different. One is the SBS Network Administrator account that seems to have permissions everywhere... Is there a more detailed log that can illuminate on what permissions are lacking?
Free Windows Admin Tool Kit Click here and download it now
June 10th, 2011 5:44am

If an account is a domain admin, then it will have an explicit deny on a number of settings. It is also not possible to set a Domain Admin account with certain other permissions - you can set it, but Exchange will remove it. That will be causing your problems. You can undo the protection, but I think SBS will put it back. Ideally you should be using a split account system - an admin account and a regular user account. This doesn't use more licences. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
June 10th, 2011 2:48pm

Thanks for your help Simon. I'm sure there's logic to the madness, but what a pain! :) I converted the primary account to a non-Admin account and still couldn't as the secondary/tertiary accounts. After some digging, it turned out Outlook was using an existing OAB for that account and the Default Global Address List wasn't populating with the test accounts I was trying to send as. (Deleting the OAB files solved it) For anyone who is looking on how to do what I originally asked, here are my summarized, recommended steps: primary user account should be a "Standard User" in the SBS control panel go into the Exchange Managment Console ("EMC") and create a new mailbox for a new user under "Recipient Configuration" right-click on that account and grant both "Send As" and "Full Access" permission to the aforementioned primary user account restart the Microsoft Exchange Information Store Service (optional) logon with the secondary Exchange account and do a test send (optional) if you've previously used Outlook for the primary user, delete the .OAB files for that account Outlook should open with the newly added secondary account shown in the Navigation Pane. When opening a new message in Outlook and clicking the "From" field, you should see the other accounts you want to send as. It will not work otherwise.
Free Windows Admin Tool Kit Click here and download it now
June 12th, 2011 12:07am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics