Why doesn't the Exchange Management tools represent who has SEND AS permissions accurately?
In Active Directory SEND AS permissions can be granted and then if we look at that mailbox via Exchange Tools it does not show up, yet the user granted permissions is allowed to send as. WHY?
Jason Meyer
December 15th, 2011 10:41am
Hi Jason,
Please use this to check whether the send as permission has been granted well:
Get-ADPermission -Identity User | ?{ $_.ExtendedRights -like "Send-As" } | select User, ExtendedRights
If you can see the user and the send as right, please re-open EMC to check again for the issue.
If you cannot see it, I suggest you re-set for the send as permission, then use EMC to check again.
Manage Send As Permissions for a Mailbox
http://technet.microsoft.com/en-us/library/bb676368.aspx
Thanks,
Evan Liu
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com Evan Liu
TechNet Community Support
December 16th, 2011 1:45am
Hi Jason,
Any updates on this issue?
Thanks,
Evan Liu
December 19th, 2011 2:45am
The Get-ADPermission is an Exchange 2010 command, we're an Exchange 2007 shop.
What we are looking for is a command that will give us a report of all users that have been granted the 'Send As' permission via Exchange or Active Directory.
Jason Meyer
December 19th, 2011 2:28pm
Hi Jason,
Get-ADPermission is also a command in Exchange 2007, you can know more information from this document:
Get-ADPermission
http://technet.microsoft.com/en-us/library/bb125183(EXCHG.80).aspx
You also can use this command to check in Exchange 2007:
Get-ADPermission -Identity User | ?{ $_.ExtendedRights -like "Send-As" } | select User, ExtendedRights
If you want to check all users that have been granted the “Send As” permission via Exchange or Active Directory, you can use this command:
Get-Mailbox | Get-ADPermission | ?{ $_.ExtendedRights -like "Send-As" } | select Identity, User, ExtendedRights
Thanks,
Evan Liu
December 19th, 2011 9:36pm
Hi Jason,
Get-ADPermission is also a command in Exchange 2007, you can know more information from this document:
Get-ADPermission
http://technet.microsoft.com/en-us/library/bb125183(EXCHG.80).aspx
You also can use this command to check in Exchange 2007:
Get-ADPermission -Identity User | ?{ $_.ExtendedRights -like "Send-As" } | select User, ExtendedRights
If you want to check all users that have been granted the “Send As” permission via Exchange or Active Directory, you can use this command:
Get-Mailbox | Get-ADPermission | ?{ $_.ExtendedRights -like "Send-As" } | select Identity, User, ExtendedRights
Thanks,
Evan Liu
December 20th, 2011 5:34am
Hi Jason,
How about the issue now?
Thanks,
Evan Liu
December 20th, 2011 8:54pm
What we are finding is that if a user or group has Full Access permissions to a user object it is not part of the extended rights. So we are having to dig deeper into AD to get an accurate account of who has Send AS permissions.
These groups that have permissions set this way do not show up in Exchange tools when we click "Manage Send AS permissions".
Jason Meyer
December 21st, 2011 2:23pm
What we are finding is that if a user or group has Full Control permissions to a user object it is not part of the extended rights. So we are having to dig deeper into AD to get an accurate account of who has Send AS permissions.
These groups that have permissions set this way do not show up in Exchange tools when we click "Manage Send AS permissions".
Jason Meyer
December 21st, 2011 10:20pm
Hi Jason,
In my lab, If you grant one user (group) send as permission on one account in AD, you can see the user (group) in EMC.
If you grant the permission in AD, but cannot see in EMC, use this command to do a check, check whether you can see the user (which has been given the send as permission):
Get-ADPermission -Identity User | ?{ $_.ExtendedRights -like "Send-As" } | select User, ExtendedRights
Thanks,
Evan Liu
December 22nd, 2011 5:46am
In your lab don't grant "Send AS" permissions, grant "Full Control" permissions. In our environment Full Control is also granting Send As permissions, and then Exchange tools do not see this.
Jason Meyer
December 22nd, 2011 11:46am
Hi Jason,
Yes, in my lab, if you grant “full control” permission, the “send as” permission will not show in the EMC.
I think the way you grant the “send as” by “full control” will not show in EMC (I checked in Exchange 2007 SP3 and Exchange 2010 SP1).
If you want to check the AD permission (full control), you can use the command Get-ADPermission.
Thanks,
Evan Liu
December 23rd, 2011 12:56am
OK, so we have established that Exchange Management Tools do not accurately represent who has SEND AS permissions. Could we add that to the bugs or features list?
We are currently trying the Get-ADpermission command to find results but so far have not had good success.
Jason Meyer
December 29th, 2011 4:44pm
Hi Jason,
This may be because the Exchange Management Tool only searches for the send as permission in AD, but when you use “full control” it shows as “GenericAll”, so it will not show in EMC.
When you try to check for that, you can use this command to know the user who has been granted “full control” or “send as” permission:
Get-ADPermission -Identity User | ?{ $_.ExtendedRights -like "Send-As" -or $_.AccessRights -like "GenericAll" } | select User, AccessRights, ExtendedRights
Thanks,
Evan Liu
December 30th, 2011 12:45am
Hi Jason,
How about the issue, any updates?
Thanks,
Evan Liu
January 2nd, 2012 8:54pm
I'm running:
D:\>get-mailbox -resultsize unlimited | Get-ADPermission | ?{ $_.ExtendedRights -like "Send-As" -or $_.AccessRights -like "GenericAll"} | select User, Identity, AccessRights, ExtendedRights > mailboxpermissions.txt
and waiting for the output now. With 20k mailboxes to go through it takes a while to complete.
Thanks for the continued work on this issue.
Jason
Jason Meyer
January 3rd, 2012 6:03pm
Hi Jason,
Any updates on this issue?
If you still have any question on this issue, please feel free to let me know.
Thanks,
Evan Liu
January 4th, 2012 8:56pm
The results came back but the identity was cut off so running again as:
[PS] D:\>get-mailbox -resultsize unlimited | Get-ADPermission | ?{ $_.ExtendedRights -like "Send-As" -or $_.AccessRights -like "GenericAll"} | select User, Identity, AccessRights, ExtendedRights | Format-Table -AutoSize | Out-File mailboxpermissions2.txt -Width 250
On one mailbox it appeared to give me the results I expected. Thank you for your continued efforts.
Jason Meyer
January 5th, 2012 2:29pm
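The report this thread converges on, written as an added example (not code from any of the posts above): it lists every trustee that can effectively send as a mailbox, whether through the explicit Send-As extended right or through Full Control (GenericAll), and writes a CSV so long identities are not truncated. The output file name, the column names and the exclusion of NT AUTHORITY\SELF are assumptions of this example.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007/2010).
# Assumptions: the output file name and the column names are made up here.
$reportPath = 'SendAsEffective.csv'

Get-Mailbox -ResultSize Unlimited |
    Get-ADPermission |
    Where-Object {
        # Explicit Send-As extended right, or Full Control (reported by AD as
        # GenericAll), which also allows sending as the mailbox but is not
        # listed by EMC's "Manage Send As Permission".
        ($_.ExtendedRights -like 'Send-As') -or ($_.AccessRights -like 'GenericAll')
    } |
    Where-Object {
        # Assumption: the mailbox's own SELF entry is noise for this review.
        "$($_.User)" -ne 'NT AUTHORITY\SELF'
    } |
    Select-Object @{Name = 'Mailbox'; Expression = { "$($_.Identity)" }},
        @{Name = 'Trustee'; Expression = { "$($_.User)" }},
        @{Name = 'GrantedVia'; Expression = {
            if ($_.ExtendedRights -like 'Send-As') { 'Send-As' } else { 'GenericAll (Full Control)' }
        }},
        @{Name = 'AccessRights'; Expression = { "$($_.AccessRights)" }},
        @{Name = 'ExtendedRights'; Expression = { "$($_.ExtendedRights)" }},
        Deny,        # True means the entry blocks the right rather than grants it
        IsInherited | # True means the entry comes from a parent container
    Export-Csv -Path $reportPath -NoTypeInformation
```

Rows with GrantedVia set to GenericAll (Full Control) are the grants that EMC does not display; the IsInherited column shows whether they were set on the user object itself or higher up in the directory.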