On Exchange 2007 SP2 we have permission configured for some users to send mail as a group. Other users of this group who are not given send as rights are also able to send mails as this group to sensitive mail groups.I want to restrict this behaviour so that only specific users are allowed to release mails as a group . We have included both 'authorized user' and 'send as group' in Mail flow settings>Message delivery restrictions>Accept messages from-only senders in the following list on the target sensitive distribution groups these mails are released to. Please suggest.

This should help http://technet.microsoft.com/en-us/library/aa996343(EXCHG.80).aspx http://technet.microsoft.com/en-us/library/aa996343.aspx

Below post will be helpful. http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/ae21404e-568b-473d-860c-cbba7dcba9eaDinesh

Hi, Based on your description, I understand that some user can send emails as a group but actually you have not grant them the send as permission, am I right? Please run the following cmdlet and check whether the users who can send email as the group are listed. Get-ADPermisison –Identity your group name | fl I look forward to hearing from you.best regards, serena

You are right Serena, The cmdlet does not return any user names. On the target sensitive group's properties >Mail flow settings> under Message Delivery Restrictions >Accept messages from >Only senders in the following list>We have added - Groups to be sent as & authorised user names who are part of this group and are given send as permissions User A is able to send mails as one of this group to the target sensitive group without having any send as permissions just because he is part of one of these groups allowed to send.

Hi, As I understand your last reply the user you don't want to give access to sending is actually a member of one of the Groups allowed to sent, am I correct? If so you either need to remove him from the group and if that is not possible you will have to create a new group with send as permission and then remove the current group that he is a member of. /MartinExchange is a passion not just a collaboration software.

Yes Martin thats correct. Removing the user is not possible since this group is also used by team for their internal communication. It wont let create a new group with the same name which is required to appear as sending group to the target sensitive group. Last time we had this issue we had no option but to remove that group from the list of allowed senders but thats not the solution.

Hi, So you won't remove the user and you won't create a new group, is that correct? If that is correct there is nothing to do, you allowed the user to send mails and therefor he will be able to. Creating a new group and allow that send as seems like a pretty easy task to do, so I would go in that direction. /MartinExchange is a passion not just a collaboration software.

Ok I created a shared mailbox and changed its display name as the one I wanted this mail to appear coming from ,chose to keep it hidden in the address list .I allowed this mailbox and the user's name as sender,gave required send as permissions. Now at this point I only have the person and the group allowed as I require.If I send a mail now the sensitive group recipients get the mail fine appearing the mail coming from the expected group because of the display name. But the problem is that the mail carries the email address of the hidden mailbox,so the users replying back would not be replying to the expected group as the display name,but to the reply address of the shared mailbox created for this workaround. Am I missing a point somewhere.

Ok I created a shared mailbox and changed its display name as the one I wanted this mail to appear coming from ,chose to keep it hidden in the address list .I allowed this mailbox and the user's name as sender,gave required send as permissions. Now at this point I only have the person and the group allowed as I require. The problem is if I send a mail, I can only send the mail using the new ID using its mail address to the sensitive group recipients who get the mail fine appearing from the desired source due to the display name. also that the mail carries the email address of the hidden mailbox,so the users replying back would not be replying to the expected group as the display name,but to the reply address of the shared mailbox created for this workaround. I can however set delivery options and forward the mails to the required group.bu could there be a better workaround. Am I missing a point somewhere.

Hi, The best solution I can think of with the setup you made is to use the "Reply to" option in Outlook when you send the mail. That way any reply should be sent to the E-mail address you put in there. It is manual, but given the setup it's either that or forwarding it seems. /MartinExchange is a passion not just a collaboration software.