Send As Permissions Disappearing
We are currently Running Exchange 2010 SP1 Rollup 6 I have a mailbox called Comfort Care that is shared by a whole department. All of our Customer Care emails come to this mailbox. At first we had all user names listed in the box and the number has grown so large I created a security group and gave it Full Access and Send As access via the EMC It works for most and some it doesnt' and one day it will work and another it will not. This is a very important mailbox for them and i am just not sure what is going on. Any advice would be greatly appreciated. Thanks Jessica Cochran
February 9th, 2012 1:58pm

These are just basic users they are not members of any protected groups.Jessica Cochran
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2012 2:24pm

Have you tried setting send-as in ActiveDirectory? 1. Open Active Directory. 2. Select the "View" menu and ensure "Advanced Features" is checked. 3. Right mouse click on your domain name and select Properties 4. Select the Security tab 5. Press the Advanced button at the bottom on the security tab 6. Select "Add" 7. When the permissions screen appears change "Apply onto:" to "Descendent User Objects" 8. In the permissions box scroll down and check the Allow box beside "Send As" and press OK 9. Press Apply and OK to exit Restart Exchange services. If it goes away it is a permission issue. I would double check to make sure any groups they are a part of are not part of protected groups like AllBarOne stated.
February 9th, 2012 5:42pm

Hi Jessica, Please also try setting the send as permission within EMS... get-user -identity Comfort.Care@Domain.com | Add-ADPermission -User GroupName -ExtendedRights Send-As Regards
Free Windows Admin Tool Kit Click here and download it now
February 10th, 2012 6:31pm

Thank you for this. I tried this and I am waiting to hear from the user that reported the problem. Jessica Cochran
February 10th, 2012 6:51pm

These are just basic users they are not members of any protected groups. Jessica Cochran Maybe not, but it isn't quite that simple. Every user has a property call admincount. Any user that has this set to anything but 0 get considered a member of a protected group. There's a process call adminSDholder that goes through and applies some restrictions to any account that it thinks is in a protected group. It runs once a day. Here's the kicker - adding someone to one of the protected group increments their admincount property, but removing them doesn't decrement it. To get their admin count back to 0 so that process doesn't modify their permissions, you have to set it back to 0 manually (ADSI edit is usually the quickest way to do that). If they were added to a protected group, even accidentally and then taken back out they will still have their admin count incremented and it will keep resetting their permissions until you change it back. If a security group gets added to a protected group, the admincount of that group gets incremented, and that will cause the admincount of all the memebers to get incremented. If you keep setting permission and inheritance and it keeps change back, check their admincount through adsiedit, and if it's anything but 0, change it to 0.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Free Windows Admin Tool Kit Click here and download it now
February 10th, 2012 10:41pm

On Sat, 11 Feb 2012 03:41:49 +0000, mjolinor wrote: >These are just basic users they are not members of any protected groups. > > >Jessica Cochran > >Maybe not, but it isn't quite that simple. > >Every user has a property call admincount. Every user *can* have the adminCount property (it's an optional property), but unless they've been a member of a protected group it isn't present in the set of properties you'll see assigned to the user object. >Any user that has this set to anything but 0 get considered a member of a protected group. There's a process call adminSDholder that goes through and applies some restrictions to any account that it thinks is in a protected group. It runs once a day. Actually, it runs once an hour. I don't think you can change it to run less frequently than once every two hours or mor frequently than one a minute. >Here's the kicker - adding someone to one of the protected group increments their admincount property, but removing them doesn't decrement it. To get their admin count back to 0 so that process doesn't modify their permissions, you have to set it back to 0 manually (ADSI edit is usually the quickest way to do that). > >If they were added to a protected group, even accidentally and then taken back out they will still have their admin count incremented and it will keep resetting their permissions until you change it back. > >If a security group gets added to a protected group, the admincount of that group gets incremented, and that will cause the admincount of all the memebers to get incremented. > >If you keep setting permission and inheritance and it keeps change back, check their admincount through adsiedit, and if it's anything but 0, change it to 0. http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
February 11th, 2012 11:15am

Hi Jessica Any Update? CheersZi Feng TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
February 12th, 2012 9:55pm

Where in ADSIEdit do I need to look in order to find if they have the property? I am not familiar with it Jessica Cochran
February 14th, 2012 10:30am

Go to Default naming context, expand the domain, and drill down to the account. Right-click on the account, select "Properties", and look for "adminCount".[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Free Windows Admin Tool Kit Click here and download it now
February 14th, 2012 10:43am

I spot checked a handful of the users that are having issues and NONE of them have any value under adminCount in ADSIEdit and the group that I gave SendAs permissions to doesn't have a value there either. I am so confused on this because it's still periodically happening and our users are getting upset. Jessica Cochran
February 14th, 2012 10:54am

Hi Jessica, The EMS command did not improve matters? Thanks
Free Windows Admin Tool Kit Click here and download it now
February 14th, 2012 11:35am

It does not appear to have helped matters I am still receiving complaints from people that are in the group and do not have the AdminCount valueJessica Cochran
February 14th, 2012 11:50am

It is possible that this is down to either poor active directory replication or your exchange server pointing to an incorrect domain controller. Use the following command to confirm that your exchange server is connecting to the most appropriate domain controller... get-exchangeserver | fl At the bottom the Originatingserver will have the value your looking for. If it is not the most appropriate domain controller it might explain the issue, worth checking at least. Regards
Free Windows Admin Tool Kit Click here and download it now
February 14th, 2012 12:03pm

The Domain Controller that shows is one of our active domain controllers... Jessica Cochran
February 14th, 2012 12:13pm

On Tue, 14 Feb 2012 15:54:34 +0000, lzbit2011 wrote: > > >I spot checked a handful of the users that are having issues and NONE of them have any value under adminCount in ADSIEdit and the group that I gave SendAs permissions to doesn't have a value there either. > >I am so confused on this because it's still periodically happening and our users are getting upset. If the adminCount property isn't populated, or has a value of zero then the adminsdholder isn't your problem. If you set the permission on the user and it's being reset then it's either something else that's running in your organization or you have a problem with AD replication. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
February 14th, 2012 5:18pm

On Tue, 14 Feb 2012 16:50:37 +0000, lzbit2011 wrote: >It does not appear to have helped matters I am still receiving complaints from people that are in the group and do not have the AdminCount value Continue using ADSIEDIT and connect to each of the domain controllers and verify that each of them has the same setting w/r/t the adminCount property for those users. If they all agree then you have something else resetting the permission, probably 3rd-party or home grown. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
February 14th, 2012 5:24pm

You can use built in PowerShell commands. To get the list of protected users: Get-ADuser -LDAPFilter "(admincount=1)" | select name To get the list of protected groups: Get-ADgroup -LDAPFilter "(admincount=1)" | select name
Free Windows Admin Tool Kit Click here and download it now
June 15th, 2012 7:12pm

HI, In Office 2010 non-cached mode works fine. In Office 2010 cached mode when the "from" address is selected from the GAL it works fine. In Office 2010 cached mode then the "From" address is selected from the suggestion list I get the NDR. I can't figure this out
June 21st, 2012 6:29am

On Tue, 14 Feb 2012 15:54:34 +0000, lzbit2011 wrote: > > >I spot checked a handful of the users that are having issues and NONE of them have any value under adminCount in ADSIEdit and the group that I gave SendAs permissions to doesn't have a value there either. > >I am so confused on this because it's still periodically happening and our users are getting upset. If the adminCount property isn't populated, or has a value of zero then the adminsdholder isn't your problem. If you set the permission on the user and it's being reset then it's either something else that's running in your organization or you have a problem with AD replication. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP Unless I a having a brain cramp here, the problem account where we need to be checking the admincount value is on the mailbox we are setting the permissions. Not the users with the issue. So you would need to check the Customer Care mailbox attributes for the admincount value. Chris Morgan
Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2012 2:47pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics