In Active Directory SEND AS permissions can be granted and then if we look at that mailbox via Exchange Tools it does not show up, yet the user granted permissions is allowed to send as. WHY?Jason Meyer

Hi Jason, Please use this to check whether the send as permission has been granted well: Get-ADPermission –identity User | ?{ $_.Extendedrights -like “Send-As”} | select User, Extendedrights If you can see the user and the send as right, please re-open EMC to check again for the issue. If you cannot see it, I suggest you re-set for the send as permission, then use EMC to check again. Manage Send As Permissions for a Mailbox http://technet.microsoft.com/en-us/library/bb676368.aspx Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

Hi Jason, Any updates on this issue? Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

The Get-ADPermission is a Exchange 2010 command, we're a Exchange 2007 shop. What we are looking for is a command that will give us a report of all users that have been granted the 'Send As' permission via Exchange or Active Directory.Jason Meyer

Hi Jason, Get-ADPermission is also a command in Exchange 2007, you can know more information from this document: Get-ADPermission http://technet.microsoft.com/en-us/library/bb125183(EXCHG.80).aspx You also can use this command to check in Exchange 2007: Get-ADPermission –identity User | ?{ $_.Extendedrights -like “Send-As”} | select User, Extendedrights If you want to check all users that have been granted the “Send As” permission via Exchange or Active Directory, you can use this command: Get-Mailbox| Get-ADPermission –identity User | ?{ $_.Extendedrights -like “Send-As”} | select identity, User, Extendedrights Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.comEvan Liu TechNet Community Support

Hi Jason, Get-ADPermission is also a command in Exchange 2007, you can know more information from this document: Get-ADPermission http://technet.microsoft.com/en-us/library/bb125183(EXCHG.80).aspx You also can use this command to check in Exchange 2007: Get-ADPermission –identity User | ?{ $_.Extendedrights -like “Send-As”} | select User, Extendedrights If you want to check all users that have been granted the “Send As” permission via Exchange or Active Directory, you can use this command: Get-Mailbox| Get-ADPermission| ?{ $_.Extendedrights -like “Send-As”} | select identity, User, Extendedrights Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

Hi Jason, How about the issue now? Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

What we are finding is that if a user or group has Full Access permissions to a user object it is not part of the extended rights. So we are having to dig deeper into AD to get an accurate account of who has Send AS permissions. These groups that have permissions set this way do not show up in Exchange tools when we click "Manage Send AS permissions".Jason Meyer

What we are finding is that if a user or group has Full Control permissions to a user object it is not part of the extended rights. So we are having to dig deeper into AD to get an accurate account of who has Send AS permissions. These groups that have permissions set this way do not show up in Exchange tools when we click "Manage Send AS permissions". Jason Meyer

Hi Jason, In my lab, If you grant one user (group) send as permission on one account in AD, you can see the user (group) in EMC. If you grant the permission in AD, but cannot see in EMC, use this command to do a check, check whether you can see the user (which has been given the send as permission): Get-ADPermission –identity User | ?{ $_.Extendedrights -like “Send-As”} | select User, Extendedrights Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

In your lab don't grant "Send AS" permissions, grant "Full Control" permissions. In our environment Full Control is also granting Send As permissions, and then Exchange tools do not see this.Jason Meyer

Hi Jason, Yes, in my lab, if you grant “full control” permission, the “send as” permission will not show in the EMC. I think the way you grant the “send as” by “full control” will not show in EMC (I checked in Exchange 2007 SP3 and Exchange 2010 SP1). If you want to check the AD permission (full control), you can use the command Get-ADPermission. Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

Hi Jason, Yes, in my lab, if you grant “full control” permission, the “send as” permission will not show in the EMC. I think the way you grant the “send as” by “full control” will not show in EMC (I checked in Exchange 2007 SP3 and Exchange 2010 SP1). If you want to check the AD permission (full control), you can use the command Get-ADPermission. Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

OK, so we have established that Exchange Management Tools do not accurately represent who has SEND AS permissions. Could we add that to the bugs or features list? We are currently trying the Get-ADpermission command to find results but so far have not had good success.Jason Meyer

Hi Jason, This may Exchange Management Tool it only search for the send as permission in AD, but when you use “full control” it show as “GenericAll” , so it will not show in EMC. When you try to check for that, you can use this command to know the user who has been granted “full control” or “send as” permission: Get-ADPermission –identity user | ?{ $_.ExtendedRights -like “Send-As” –or $_.AccessRights -like “GenericAll”} | select User, AccessRights, ExtendedRights Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

Hi Jason, How about the issue, any updates? Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

I'm running: D:\>get-mailbox -resultsize unlimited | Get-ADPermission | ?{ $_.ExtendedRights -like "Send-As" -or $_.AccessRights -like "GenericAll"} | select User, Identity, AccessRigh ts, ExtendedRights > mailboxpermissions.txt and waiting for the output now. With 20k mailboxes to go through it takes a while to complete. Thanks for the continued work on this issue. Jason Jason Meyer

Hi Jason, Any updates on this issue? If you still have any question on this issue, please feel free to let me know. Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support

The results came back but the identity was cut off so running again as: [PS] D:\>get-mailbox -resultsize unlimited | Get-ADPermission | ?{ $_.ExtendedRights -like "Send-As" -or $_.AccessRights -like "GenericAll"} | select User, Identity, AccessRights, ExtendedRights | Format-Table -AutoSize | Out-File mailboxpermissions2.txt -Width 250 On one mailbox it appeared to give me the results I expected. Thank you for your continued efforts. Jason Meyer