Send-as Permission not working for some user on Exchange 2007
Hello, my scenario is an Exchange 2007 that has been migrated from an Exchange 2003 server last year. The problem I'm finding is that for the new users and groups, the Send-as permission is not working. I tested from AD advanced security and from the cmdlet, and it didn't work either. I also removed the SELF account "Send-as" permissions. I applied dsacls commands over adminsdholder to fix the one-hour removal of the send-as permission, but it is still not working.

The strange thing is that the "Send-as" permission works properly over those old users that were created over Exchange 2003. Any idea that could help?

Thanks in advance
Jonay
January 14th, 2010 10:08pm

You have verified that the SEND AS permissions are still applied? Is inheritance enabled as well?
January 14th, 2010 10:25pm

Yes, they are both applied.
January 14th, 2010 10:49pm

Can you post the exact PowerShell command you used to set the SEND AS permissions for an account? Were these accounts at one time linked with the adminsdholder object?
January 14th, 2010 10:59pm

The command was:

    [PS] C:\Windows\System32>Add-ADPermission -Identity "Buzon Prueba" -User "DOMAIN\user1" -ExtendedRights Send-As

    Identity             User          Deny  Inherited Rights
    --------             ----          ----  --------- ------
    exchange.local/My... DOMAIN\user1  False False     Send-As

But I just checked, and the permissions that I gave him yesterday are lost, as you can see. If the permissions were applied, I guess the command should give me the following output:

    [PS] C:\Windows\System32>Add-ADPermission -Identity "Buzon Prueba" -User "DOMAIN\user1" -ExtendedRights Send-As
    ADVERTENCIA: La ACE apropiada ya está presente en el objeto "CN=Buzon Prueba,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=exchange,DC=local" de la cuenta "DOMAIN\user1".

    Identity             User          Deny  Inherited Rights
    --------             ----          ----  --------- ------
    exchange.local/My... DOMAIN\user1  False False     Send-As

The Spanish message says "WARNING: The ACE is already applied in the object ...

On the other hand, I'm not sure how to check if the accounts are linked with the adminsdholder object. How could I check?

Thanks in advance
Jonay
January 15th, 2010 11:20am

Hi, Please check whether your environment has multiple domains. Thanks.
January 15th, 2010 1:33pm

No, we only have 1 domain in our environment.

Thanks
Jonay
January 15th, 2010 1:53pm

On Fri, 15-Jan-10 08:20:34 GMT, Jonay Gonzalez wrote:

> The command was:
>
>     [PS] C:\Windows\System32>Add-ADPermission -Identity "Buzon Prueba" -User "DOMAIN\user1" -ExtendedRights Send-As
>
>     Identity             User          Deny  Inherited Rights
>     --------             ----          ----  --------- ------
>     exchange.local/My... DOMAIN\user1  False False     Send-As
>
> But I just checked, and the permissions that I gave him yesterday are lost, as you can see. If the permissions were applied, I guess the command should give me the following output:
>
>     [PS] C:\Windows\System32>Add-ADPermission -Identity "Buzon Prueba" -User "DOMAIN\user1" -ExtendedRights Send-As
>     ADVERTENCIA: La ACE apropiada ya está presente en el objeto "CN=Buzon Prueba,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=exchange,DC=local" de la cuenta "DOMAIN\user1".
>
>     Identity             User          Deny  Inherited Rights
>     --------             ----          ----  --------- ------
>     exchange.local/My... DOMAIN\user1  False False     Send-As
>
> The Spanish message says "WARNING: The ACE is already applied in the object ...
>
> On the other hand, I'm not sure how to check if the accounts are linked with the adminsdholder object. How could I check?
>
> Thanks in advance
> Jonay

Use LDP.exe or ADSIEDIT.msc and see if the adminCount property on the "Buzon Prueba" user account is present and, if it is, if the value is greater than zero.

---
Rich Matheisen
MCSE+I, Exchange MVP
January 16th, 2010 6:49am

And to follow up on what Rich said, if those objects are no longer members of protected groups and you need to fix in bulk, see this article:

http://support.microsoft.com/kb/817433
Delegated permissions are not available and inheritance is automatically disabled
January 16th, 2010 5:36pm
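
The adminCount check Rich describes and the inheritance question asked earlier in the thread can both be read from PowerShell in one pass, along with the Send-As ACEs actually present on the object. This is an added example, not code posted by anyone in the thread; the function names `Get-SendAsReport` and `Find-AdminCountUser` are hypothetical, and the second one goes beyond the single mailbox by listing every user with adminCount=1.

```powershell
# Added example, not from the thread. Read-only: nothing is changed in AD.
# rightsGuid of the Send-As extended right.
$SendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

# Hypothetical helper: adminCount, inheritance state and Send-As ACEs of one object.
function Get-SendAsReport([string]$DistinguishedName) {
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sd = $entry.psbase.ObjectSecurity

    # Present and greater than zero: the object was stamped by AdminSDHolder.
    $adminCount = $entry.psbase.Properties['adminCount'].Value
    if ($adminCount -eq $null) { $adminCount = '<not set>' }
    Write-Host "adminCount           : $adminCount"

    # True: the ACL is protected, so inherited permissions do not apply.
    Write-Host "Inheritance disabled : $($sd.AreAccessRulesProtected)"

    # Explicit and inherited ACEs that cover Send-As. An empty ObjectType on an
    # ExtendedRight ACE means "all extended rights". An explicit Deny overrides an Allow.
    $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

# Hypothetical helper: every user in the current domain with adminCount=1,
# with the inheritance state of its ACL.
function Find-AdminCountUser {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
    $searcher.PageSize = 500
    $searcher.FindAll() | ForEach-Object {
        $sd = $_.GetDirectoryEntry().psbase.ObjectSecurity
        '{0}  inheritanceDisabled={1}' -f $_.Path, $sd.AreAccessRulesProtected
    }
}

# The DN is the test mailbox named in the thread.
Get-SendAsReport 'CN=Buzon Prueba,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=exchange,DC=local'
Find-AdminCountUser
```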

Can you post the LDP dump for the user? Also, is the user a BlackBerry/handheld device user?

- Nagesh
January 17th, 2010 10:33pm

Hello:

- Property adminCount for this object has no value set.
- The user is not a blackberry/handheld device user.
- Our domain servers are both win2008 servers, so I'm not sure the bug Andy update should apply.

Here is the output of LDP for the object "buzonprueba":
January 18th, 2010 12:11pm

This topic is archived. No further replies will be accepted.
