Send-as permissions stop working on a mailbox for some permitted users
Exchange Server 2007 SP1
We've been having a little trouble with a particular mailbox, on which 3 people have "Send As" permission. Every so often, one or two of the users lose the ability to "Send As" that particular mailbox address, despite having Send As permissions, and despite having had success in the past.
Removing their Send As permissions and then re-adding the permissions seems to fix the problem, although not instantaneously.
We have not tried just letting things alone to see if the problem goes away by itself--maybe there's some sort of permissions cache problem that might fix itself after a refresh. (?) Our "fix," which should be a no-op, might not really be having any effect.
We'll be applying Service Pack 2 soon, so the mailbox service is getting a good shake-up. We're hoping the problem just goes away, but I wanted to know if it's a known issue.
Full disclosure: we've also seen isolated non-Exchange problems in which people will lose access to resources despite being members of AD security groups that provide the needed permissions. Removing them from the relevant group and then re-adding them fixes the problem. So this could be an AD issue rather than an Exchange issue.
Thanks,
Jeff
September 21st, 2009 5:26pm

Hi Jeff;
Sure sounds like an AD issue - how many DCs do you have? How many GCs? What domain level are you running? Do you have replication problems between DCs?
Karl
September 21st, 2009 5:42pm

Are the accounts having problems members of any elevated groups? If so, that is expected, as they have the AdminSDHolder descriptor associated with their account. More info: http://support.microsoft.com/kb/907434/
If this is the case, best practice is to not mail-enable accounts that have elevated privs.
September 21st, 2009 5:46pm

Karl -- Our DC/GC configuration seems more than adequate for our domain/forest, which is at the Windows Server 2003 Domain and Functional forest levels. I'd suspect replication if the permissions had been set recently, or if the users had been added recently, but neither is the case. We don't have any obvious replication problems, but sometimes problems aren't obvious. :-)
Andy -- Good question, but no. The users aren't in any elevated groups.
-- Jeff
September 21st, 2009 7:15pm

Karl -- Our DC/GC configuration seems more than adequate for our domain/forest, which is at the Windows Server 2003 Domain and Functional forest levels. I'd suspect replication if the permissions had been set recently, or if the users had been added recently, but neither is the case. We don't have any obvious replication problems, but sometimes problems aren't obvious. :-)
Andy -- Good question, but no. The users aren't in any elevated groups.
-- Jeff
And they have inheritance enabled for their accounts?
September 21st, 2009 7:29pm

Andy,
I might not have made it clear in my initial report, but the Send As capability on the mailbox works just fine for these users for days, weeks . . . the failure is completely out of the blue and with no change to the mailbox or the user accounts--or at least not that we know of. But, yes, inheritance is enabled.
Jeff
September 21st, 2009 7:38pm

Jeff;
You also say "we've also seen isolated non-Exchange problems in which people will lose access to resources despite being members of AD security groups that provide the needed permissions." - so I still say it's an AD issue.
Karl
September 21st, 2009 11:11pm

Karl,
I tend to agree. I just wish I knew what to look for. The permissions look fine (on both DCs, for that matter) when either problem occurs.
Jeff
September 22nd, 2009 12:03am

I have never seen this myself - especially when you say that it works for weeks then suddenly doesn't. Sure there isn't some outside process or script/job being run on AD that is removing permissions? (However crazy that sounds?)
September 22nd, 2009 1:45am

Hi Jeff,
I would like to explain that when Outlook submits a message to the Exchange Mailbox Server, the Information Store will check the IS cache or a DC for whether you have permission to send as the user. Therefore, I agree with Karl and Andy that the issue may relate to AD.
From your description, I think that the Send As permission for the users can still be located in AD when the issue occurs. If I am off base, please let me know.
At this time, I suggest you perform the following method to troubleshoot the issue:
1. Please configure the Exchange Mailbox Server to use a specific DC/GC server. You can use Set-ExchangeServer with the StaticGlobalCatalogs and StaticDomainControllers parameters:
Set-ExchangeServer http://technet.microsoft.com/en-us/library/bb123716.aspx
When the issue occurs, please check whether the Send As permission for the user can be found on the mailbox object on the DC/GC you specified in the command.
Would you please let me know whether the issue always occurs on specific users? For example, if you create a new user and grant the user Send As permission to the mailbox, can the issue be reproduced?
2. If the user has the correct Send As permission set and the user does not belong to any groups which may be denied Send As on the mailbox, I also suggest you restart the Exchange Information Store service to check whether the issue persists.
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
September 22nd, 2009 9:41am
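
Step 1 of the suggestion above, written out for the Exchange Management Shell. This is an added example and not part of the original thread; the server, DC and mailbox names are placeholders to replace with your own.

```powershell
# Added example for the Exchange 2007 Management Shell.
# All names below are placeholders (assumptions), not values from the thread.
$mailboxServer = "MBX01"
$dcs           = "dc1.example.com", "dc2.example.com"
$sharedMailbox = "Shared Mailbox"    # the mailbox the users send as

# Pin the Mailbox server to known DC/GC servers, so the directory copy the
# Information Store consults is the same one inspected below.
Set-ExchangeServer -Identity $mailboxServer `
    -StaticDomainControllers $dcs -StaticGlobalCatalogs $dcs

# Read the Send-As entries on the mailbox object from each DC separately.
$results = @()
foreach ($dc in $dcs) {
    $results += @(
        Get-ADPermission -Identity $sharedMailbox -DomainController $dc |
            Where-Object { ($_.ExtendedRights -like "*Send-As*") -and
                           -not ($_.User -like "NT AUTHORITY\SELF") } |
            Select-Object @{n="DC";e={$dc}},
                          @{n="User";e={"$($_.User)"}},
                          Deny, IsInherited
    )
}

# Full picture: who holds Send-As, on which DC, allow or deny, inherited or not.
$results | Sort-Object User, DC | Format-Table -AutoSize

# An explicit or inherited Deny overrides an Allow; list any that exist.
$results | Where-Object { $_.Deny } | Format-Table -AutoSize

# A user whose entry count differs from the number of DCs either is missing
# the entry on one DC (replication) or has more than one entry (e.g. a Deny).
$results | Group-Object User |
    Where-Object { $_.Count -ne $dcs.Count } |
    Select-Object Name, Count
```

Saving the table output while Send As works and again when it fails gives two snapshots to compare, which also answers the question of whether some job is changing the ACL.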

Check if these permissions are intact. Open Active Directory Users and Computers and from the View menu select "Advanced Features". Then go to each user, open their properties, go to the Security tab, add the user "User1" and add the security permission "Send As".
September 22nd, 2009 12:43pm

Hi Jeff,
Any updates regarding the Send As permission issue?
Thanks,
Mike
September 28th, 2009 8:13am

Mike,
I'm sorry about dropping out for this long . . .
I always checked both of the 2 DCs in the relevant domain, and the permission was appropriately set on each.
I applied Update Rollup 9 to our Exchange servers and rebooted them, including the mailbox cluster pair (Windows Failover clustering). The Send As permission issue hasn't come up since. Maybe this was a cache problem--I don't think that there were relevant fixes in UR9.
Thanks for the information and advice.
Jeff
October 9th, 2009 5:31pm

This topic is archived. No further replies will be accepted.