Send As Permissions Disappearing
We are currently running Exchange 2010 SP1 Rollup 6. I have a mailbox called Comfort Care that is shared by a whole department; all of our Customer Care emails come to this mailbox. At first we had all user names listed in the box, but the number has grown so large that I created a security group and gave it Full Access and Send As access via the EMC. It works for most and for some it doesn't, and one day it will work and another it will not. This is a very important mailbox for them and I am just not sure what is going on. Any advice would be greatly appreciated. Thanks, Jessica Cochran
February 9th, 2012 1:58pm

Hi Jessica,

> "The Active Directory directory service has a process that makes sure that members of protected groups do not have their security descriptors manipulated. If a security descriptor for a user account that is a member of a protected group does not match the security descriptor on the AdminSDHolder object, the user's security descriptor is overwritten with a new security descriptor that is taken from the AdminSDHolder object. The Send As right is delegated by modifying the security descriptor of a user object. Therefore, if the user is a member of a protected group, the change is overwritten in about one hour."

(From Here)

Remove the affected accounts from any of the following groups...

- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers

Kind regards
February 9th, 2012 2:22pm

These are just basic users; they are not members of any protected groups. Jessica Cochran
February 9th, 2012 2:24pm

Have you tried setting Send As in Active Directory?

1. Open Active Directory Users and Computers.
2. Select the "View" menu and ensure "Advanced Features" is checked.
3. Right-click on your domain name and select Properties.
4. Select the Security tab.
5. Press the Advanced button at the bottom of the Security tab.
6. Select "Add".
7. When the permissions screen appears, change "Apply onto:" to "Descendant User Objects".
8. In the permissions box scroll down, check the Allow box beside "Send As" and press OK.
9. Press Apply and OK to exit.

Restart Exchange services. If it goes away it is a permission issue. I would double check to make sure any groups they are a part of are not part of protected groups like AllBarOne stated.
February 9th, 2012 5:42pm

Hi Jessica, Please also try setting the Send As permission within EMS...

    Get-User -Identity Comfort.Care@Domain.com | Add-ADPermission -User GroupName -ExtendedRights Send-As

Regards
February 10th, 2012 6:31pm

Thank you for this. I tried this and I am waiting to hear from the user that reported the problem. Jessica Cochran
February 10th, 2012 6:51pm

> These are just basic users they are not members of any protected groups. Jessica Cochran

Maybe not, but it isn't quite that simple. Every user has a property called adminCount. Any user that has this set to anything but 0 gets considered a member of a protected group. There's a process called AdminSDHolder that goes through and applies some restrictions to any account that it thinks is in a protected group. It runs once a day.

Here's the kicker - adding someone to one of the protected groups increments their adminCount property, but removing them doesn't decrement it. To get their admin count back to 0 so that process doesn't modify their permissions, you have to set it back to 0 manually (ADSI Edit is usually the quickest way to do that). If they were added to a protected group, even accidentally, and then taken back out, they will still have their admin count incremented and it will keep resetting their permissions until you change it back.

If a security group gets added to a protected group, the adminCount of that group gets incremented, and that will cause the adminCount of all the members to get incremented.

If you keep setting permission and inheritance and it keeps changing back, check their adminCount through ADSI Edit, and if it's anything but 0, change it to 0.

[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
February 10th, 2012 10:41pm

On Sat, 11 Feb 2012 03:41:49 +0000, mjolinor wrote:

> These are just basic users they are not members of any protected groups.
>
> Jessica Cochran
>
> Maybe not, but it isn't quite that simple.
>
> Every user has a property call admincount.

Every user *can* have the adminCount property (it's an optional property), but unless they've been a member of a protected group it isn't present in the set of properties you'll see assigned to the user object.

> Any user that has this set to anything but 0 get considered a member of a protected group. There's a process call adminSDholder that goes through and applies some restrictions to any account that it thinks is in a protected group. It runs once a day.

Actually, it runs once an hour. I don't think you can change it to run less frequently than once every two hours or more frequently than once a minute.

> Here's the kicker - adding someone to one of the protected group increments their admincount property, but removing them doesn't decrement it. To get their admin count back to 0 so that process doesn't modify their permissions, you have to set it back to 0 manually (ADSI edit is usually the quickest way to do that).
>
> If they were added to a protected group, even accidentally and then taken back out they will still have their admin count incremented and it will keep resetting their permissions until you change it back.
>
> If a security group gets added to a protected group, the admincount of that group gets incremented, and that will cause the admincount of all the members to get incremented.
>
> If you keep setting permission and inheritance and it keeps change back, check their admincount through adsiedit, and if it's anything but 0, change it to 0.

http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

---
Rich Matheisen MCSE+I, Exchange MVP
February 11th, 2012 11:15am

Hi Jessica, Any update? Cheers, Zi Feng, TechNet Community Support
February 12th, 2012 9:55pm

Where in ADSI Edit do I need to look in order to find if they have the property? I am not familiar with it. Jessica Cochran
February 14th, 2012 10:30am

Go to Default naming context, expand the domain, and drill down to the account. Right-click on the account, select "Properties", and look for "adminCount".

[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
February 14th, 2012 10:43am
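The ADSI Edit check above is one account at a time. The script below is an added example (not posted by anyone in this thread) that does the same audit for the whole Send As group in one pass: it lists every nested member with its adminCount, and also reports whether the member (or the group itself) is currently nested inside one of the protected groups listed earlier, which is what would make SDProp keep resetting the permission. It assumes the RSAT ActiveDirectory module is installed; the group name is a placeholder. The reset function at the end clears adminCount and re-enables ACL inheritance, since SDProp disables inheritance on the object and clearing the flag alone does not restore it.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$GroupName = 'ComfortCare-SendAs'   # placeholder for the group granted Send As

# Protected groups as listed earlier in the thread.
$ProtectedGroups = 'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins', 'Schema Admins',
    'Enterprise Admins', 'Cert Publishers'

# Map distinguishedName -> protected group, resolved recursively so that a
# security group nested inside a protected group is caught as well.
$ProtectedMembers = @{}
foreach ($pg in $ProtectedGroups) {
    try {
        Get-ADGroupMember -Identity $pg -Recursive -ErrorAction Stop |
            ForEach-Object { $ProtectedMembers[$_.distinguishedName] = $pg }
    } catch {
        Write-Warning "Could not enumerate '$pg': $($_.Exception.Message)"
    }
}

function Get-SendAsGroupAudit {
    param([string]$Group)

    # The group object itself: its adminCount and whether it sits in a
    # protected group (either condition makes SDProp touch its members' ACLs).
    $grp = Get-ADGroup -Identity $Group -Properties adminCount
    New-Object PSObject -Property @{
        Name         = $grp.Name
        ObjectClass  = 'group'
        adminCount   = $grp.adminCount          # $null or 0 = not flagged
        ProtectedVia = $ProtectedMembers[$grp.DistinguishedName]
    }

    # Every user member, following nested groups.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties adminCount
            New-Object PSObject -Property @{
                Name         = $u.SamAccountName
                ObjectClass  = 'user'
                adminCount   = $u.adminCount
                ProtectedVia = $ProtectedMembers[$u.DistinguishedName]
            }
        }
}

function Reset-AdminCountFlag {
    # Only meaningful once the account is out of every protected group;
    # otherwise SDProp sets adminCount back to 1 on its next pass.
    param([Parameter(Mandatory = $true)][string]$Identity)

    $dn = (Get-ADUser -Identity $Identity).DistinguishedName
    Set-ADUser -Identity $dn -Clear adminCount

    # SDProp also switches off inheritance on the object's ACL; clearing the
    # flag does not switch it back on, so do it explicitly (keep existing ACEs).
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

Get-SendAsGroupAudit -Group $GroupName |
    Select-Object Name, ObjectClass, adminCount, ProtectedVia |
    Sort-Object adminCount -Descending |
    Format-Table -AutoSize
```

Any row with adminCount of 1 or a non-empty ProtectedVia column is an account SDProp will keep rewriting; an empty table of flags, as Jessica later reports, points away from AdminSDHolder and towards replication or a third-party process.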

I spot checked a handful of the users that are having issues and NONE of them have any value under adminCount in ADSIEdit and the group that I gave SendAs permissions to doesn't have a value there either. I am so confused on this because it's still periodically happening and our users are getting upset. Jessica Cochran
February 14th, 2012 10:54am

Hi Jessica, The EMS command did not improve matters? Thanks
February 14th, 2012 11:35am

It does not appear to have helped matters. I am still receiving complaints from people that are in the group and do not have the adminCount value. Jessica Cochran
February 14th, 2012 11:50am

It is possible that this is down to either poor Active Directory replication or your Exchange server pointing to an incorrect domain controller. Use the following command to confirm that your Exchange server is connecting to the most appropriate domain controller...

    Get-ExchangeServer | fl

At the bottom, OriginatingServer will have the value you're looking for. If it is not the most appropriate domain controller it might explain the issue; worth checking at least. Regards
February 14th, 2012 12:03pm

The Domain Controller that shows is one of our active domain controllers... Jessica Cochran
February 14th, 2012 12:13pm

Ok, please verify that that domain controller has no replication issues. Create a dummy account via Exchange, watch that replicate to the above DC and then verify that it replicates to all other domain controllers.

Addition: I think it would also be useful at this stage if you could test to see if applying the "send as" permission does stay applied for a duration of time. I say this in relation to the discussion above where it covers the protected groups concern and how that process by design strips the "send as" permission hourly if the user is a member of said groups. I appreciate what you have said so far but it would be good to know if, when the "send as" permission is applied, it is either... stripped straight away, stays applied but not utilised, or gets stripped on a regular cycle? Regards
February 14th, 2012 12:31pm

On Tue, 14 Feb 2012 15:54:34 +0000, lzbit2011 wrote:

> I spot checked a handful of the users that are having issues and NONE of them have any value under adminCount in ADSIEdit and the group that I gave SendAs permissions to doesn't have a value there either.
>
> I am so confused on this because it's still periodically happening and our users are getting upset.

If the adminCount property isn't populated, or has a value of zero, then AdminSDHolder isn't your problem. If you set the permission on the user and it's being reset then it's either something else that's running in your organization or you have a problem with AD replication.

---
Rich Matheisen MCSE+I, Exchange MVP
February 14th, 2012 5:18pm

On Tue, 14 Feb 2012 16:50:37 +0000, lzbit2011 wrote:

> It does not appear to have helped matters I am still receiving complaints from people that are in the group and do not have the AdminCount value

Continue using ADSIEDIT and connect to each of the domain controllers and verify that each of them has the same setting w/r/t the adminCount property for those users. If they all agree then you have something else resetting the permission, probably 3rd-party or home grown.

---
Rich Matheisen MCSE+I, Exchange MVP
February 14th, 2012 5:24pm
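The two checks suggested above (does the Send As ACE stay applied over time, and does every DC agree) can be run from the Exchange Management Shell rather than by hand. The script below is an added example and not code from anyone in this thread. It reads the mailbox user's AD ACL with Get-ADPermission pinned to each domain controller in turn, so a DC that has not replicated the ACE shows up as a divergent row, and polls it at 10-minute intervals so that "stripped straight away", "stripped roughly hourly" (the SDProp pattern) and "never stripped" can be told apart. The second function compares adminCount for each group member across DCs. It assumes the RSAT ActiveDirectory module is available alongside the Exchange snap-in; the mailbox and group names are placeholders.

```powershell
# Added example, not from the thread. Run from the Exchange Management Shell
# with the RSAT ActiveDirectory module available.
Import-Module ActiveDirectory

$Mailbox   = 'Comfort Care'          # placeholder for the shared mailbox
$GroupName = 'ComfortCare-SendAs'    # placeholder for the group granted Send As

$DCs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

function Test-SendAsOnDC {
    # Returns one row per DC: whether an Allow Send-As ACE for the group is
    # present on the mailbox user's AD object as that DC currently sees it.
    param([string]$DC)

    $aces = @(Get-ADPermission -Identity $Mailbox -DomainController $DC |
        Where-Object {
            ($_.ExtendedRights -like '*Send-As*') -and
            (-not $_.Deny) -and
            ($_.User.ToString() -like "*\$GroupName")
        })

    New-Object PSObject -Property @{
        Checked   = Get-Date -Format s
        DC        = $DC
        SendAsACE = ($aces.Count -gt 0)
        Inherited = if ($aces.Count -gt 0) { $aces[0].IsInherited } else { $null }
    }
}

function Test-AdminCountAgreement {
    # For each user in the group, read adminCount from every DC and flag any
    # user whose DCs disagree (a replication problem rather than SDProp).
    param([string[]]$DomainControllers)

    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $values = foreach ($dc in $DomainControllers) {
            $u = Get-ADUser -Identity $m.distinguishedName -Server $dc -Properties adminCount
            if ($null -eq $u.adminCount) { 'null' } else { [string]$u.adminCount }
        }
        New-Object PSObject -Property @{
            User   = $m.SamAccountName
            Agrees = (@($values | Select-Object -Unique).Count -eq 1)
            Values = ($values -join ',')
        }
    }
}

# Poll for two hours at 10-minute intervals. A permission that vanishes on one
# DC first and then on the others points at replication; one that vanishes on
# all DCs about once an hour matches the SDProp cycle; one that never vanishes
# means the ACE is present and the problem is elsewhere (client, cached token).
$results = for ($i = 0; $i -lt 12; $i++) {
    foreach ($dc in $DCs) { Test-SendAsOnDC -DC $dc }
    if ($i -lt 11) { Start-Sleep -Seconds 600 }
}

$results | Select-Object Checked, DC, SendAsACE, Inherited | Format-Table -AutoSize
Test-AdminCountAgreement -DomainControllers $DCs |
    Select-Object User, Agrees, Values | Format-Table -AutoSize
```

Because the ACE is read per DC rather than through whichever DC Exchange happens to be using, the output also confirms or rules out the OriginatingServer concern raised earlier in the thread.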

You can use built-in PowerShell commands.

To get the list of protected users:

    Get-ADUser -LDAPFilter "(admincount=1)" | Select-Object Name

To get the list of protected groups:

    Get-ADGroup -LDAPFilter "(admincount=1)" | Select-Object Name
June 15th, 2012 7:25pm

