removing sendas permission on a mailbox for user builtin\administrators

Hi all,

The following group, builtin\administrators, has Send As permission on nearly 100 user mailboxes in my org.

I would like to revoke this.

I ran the following command to view the existing delegation permissions on the mailbox:

[PS] C:\Windows\system32>Get-Mailbox samir0884 | Get-ADPermission | Where-Object { ($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self") }

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
ho.ae.enoc.com/DU... BUILTIN\Administr... False False
ho.ae.enoc.com/DU... S-1-5-32-548         False False
ho.ae.enoc.com/DU... ENOCHO\sayed1157     False False
ho.ae.enoc.com/DU... ENOCHO\samir0884     False False

To revoke the sendas permission for builtin\administrators I ran the below command:

[PS] C:\Windows\system32>Remove-MailboxPermission -Identity samir0884 -User builtin\administrators -AccessRights sendas -InheritanceType all

Confirm
Are you sure you want to perform this action?
Removing mailbox permission "samir0884" for user "builtin\administrators" with access rights "'SendAs'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: Can't remove the access control entry on the object "CN=DADA\, Mr. SAMIR SHIRAZ,OU=09 I&E
Maint.,OU=DUGAS,DC=ho,DC=ae,DC=enoc,DC=com" for account "BUILTIN\Administrators" because the ACE doesn't exist on the
object.
[PS] C:\Windows\system32>Remove-MailboxPermission -Identity samir0884 -User builtin\administrators -AccessRights sendas
-InheritanceType all -Deny:$True

Confirm
Are you sure you want to perform this action?
Removing mailbox permission "samir0884" for user "builtin\administrators" with access rights "'SendAs'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: Can't remove the access control entry on the object "CN=DADA\, Mr. SAMIR SHIRAZ,OU=09 I&E
Maint.,OU=DUGAS,DC=ho,DC=ae,DC=enoc,DC=com" for account "BUILTIN\Administrators" because the ACE doesn't exist on the
object.
[PS] C:\Windows\system32>Remove-MailboxPermission -Identity samir0884 -User builtin\administrators -AccessRights sendas
-InheritanceType all -Deny:$false

Confirm
Are you sure you want to perform this action?
Removing mailbox permission "samir0884" for user "builtin\administrators" with access rights "'SendAs'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: Can't remove the access control entry on the object "CN=DADA\, Mr. SAMIR SHIRAZ,OU=09 I&E
Maint.,OU=DUGAS,DC=ho,DC=ae,DC=enoc,DC=com" for account "BUILTIN\Administrators" because the ACE doesn't exist on the object.

I'm getting the same error "ACE does not exist" despite adding the -Deny:$true and -Deny:$false switches.

I tried finding the send as permission attribute in ADSIEDIT; I cannot find this attribute.

I also tried to open the EAC and check the delegation feature for the mailbox; the page shows me an error while trying to open this object.

This happens for all the users which have builtin\administrators delegation as sendas.

Please advise how to remove this sendas permission for the builtin\administrators group on the 100 mailboxes that I have.

June 30th, 2015 2:19am

Hi,

Do you see it using dsa.msc on the user object?

Object->Properties->Security Tab->Advanced (Select the User)->Edit

Here 'Send As' permission is visible.

Try this cmdlet; you seem to be using the FullAccess-removing one instead.

Remove-ADPermission -Identity samir0884 -User builtin\administrators -ExtendedRights "Send As"

References:

cann't remove Full Access rights for one user??!!!!
https://social.technet.microsoft.com/Forums/en-US/50a94a45-903e-409e-ba5c-116d84bed7ff/cannt-remove-full-access-rights-for-one-user?forum=exchangesvrdeploylegacy

Remove-ADPermission
https://technet.microsoft.com/en-us/library/aa996048%28v=exchg.150%29.aspx?f=255&MSPPError=-21472173

June 30th, 2015 5:12am

I got this 

[PS] C:\Windows\system32>Remove-ADPermission -Identity samir0884 -User builtin\administrators -ExtendedRights "Send As"
Creating a new session for implicit remoting of "Remove-ADPermission" command...
samir0884 wasn't found. Please make sure you've typed it correctly.
    + CategoryInfo          : NotSpecified: (:) [Remove-ADPermission], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=ENOCMBX1,RequestId=d6058a30-f859-43a6-8859-6ab5bc4abc74,TimeStamp=7/1/2015 8:53:
   59 AM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 6970DB20,Microsoft.Exchange.Management.Recipient
  Tasks.RemoveADPermission
    + PSComputerName        : enoccas1.ae.enoc.com

[PS] C:\Windows\system32>

July 1st, 2015 4:55am


Hi tfernandes,

Try this way.

Get-Mailbox  samir0884
Get-Mailbox  samir0884 | Remove-ADPermission -User "builtin\administrators" -ExtendedRights "Send As"

If it still fails, ensure you have the correct permissions/roles assigned.

Try out the cmdlet examples in the article below to test your access levels across other users.

Remove-ADPermission

https://technet.microsoft.com/en-us/library/aa996048%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

Add-ADPermission and Remove-ADPermission can be run outside the management scope in Exchange Server 2013

https://support.microsoft.com/en-us/kb/2988553#/en-us/kb/2988553

July 1st, 2015 7:37am
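
The pipeline form suggested above, extended to every mailbox, as an added example that is not part of any post in this thread: it audits first, removes only explicit Send-As ACEs for one trustee, and defaults to a dry run. The function name Get-SendAsAce, the $Apply switch and the CSV path are hypothetical; it assumes the Exchange Management Shell.

```powershell
# Added example. Assumptions: Exchange Management Shell; the trustee, the
# CSV path and the helper name Get-SendAsAce are placeholders, not from the thread.
$Trustee = 'BUILTIN\Administrators'
$Report  = '.\sendas-audit.csv'   # hypothetical path, kept as a rollback record
$Apply   = $false                 # $false = dry run (-WhatIf), $true = remove

# Send As is an AD extended right on the user object, not a mailbox
# permission, so it is read with Get-ADPermission rather than
# Get-MailboxPermission.
function Get-SendAsAce {
    param([string]$Trustee)
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                ($_.ExtendedRights -like '*Send-As*') -and
                ("$($_.User)" -eq $Trustee) -and
                (-not $_.Deny)
            } |
            Select-Object @{ n = 'Alias'; e = { $mbx.Alias } },
                          @{ n = 'DN';    e = { $mbx.DistinguishedName } },
                          @{ n = 'User';  e = { "$($_.User)" } },
                          IsInherited
    }
}

# 1. Audit and save the current state before changing anything.
$aces = @(Get-SendAsAce -Trustee $Trustee)
$aces | Export-Csv -Path $Report -NoTypeInformation

# 2. Inherited ACEs cannot be removed on the object itself; flag them so the
#    parent container that grants them can be reviewed instead.
$aces | Where-Object { $_.IsInherited } | ForEach-Object {
    Write-Warning "Inherited Send-As for $Trustee on $($_.Alias): change it at the parent"
}

# 3. Remove the explicit ACEs, addressing each object by distinguished name
#    (the bare alias was not resolved by Remove-ADPermission in this thread).
foreach ($ace in ($aces | Where-Object { -not $_.IsInherited })) {
    Remove-ADPermission -Identity $ace.DN -User $Trustee `
        -ExtendedRights 'Send As' -Confirm:$false -WhatIf:(-not $Apply)
}

# 4. Verify: after a real run, only inherited entries (if any) should remain.
if ($Apply) {
    Get-SendAsAce -Trustee $Trustee | Format-Table Alias, User, IsInherited
}
```

Review the CSV and the -WhatIf output before setting $Apply to $true.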

Dear Satyajit, 

Thanks for the cmdlet, it works. After running the cmdlet, builtin\administrators is now removed from send as.

But my main problem here is that I cannot view the mailbox delegation for this user from EAC; this is the same with all the 100 users. It was suspected that due to the send as permission the EAC refused to open mail delegation, but after removing the send as permission on this mailbox I am still getting the same issue. For other users I can view mailbox delegation; for these 100 users I cannot view the mailbox delegation through EAC.

Get-Mailbox  samir0884 | Remove-ADPermission -User "builtin\administrators" -ExtendedRights "Send As"



[PS] C:\Windows\system32>Get-Mailbox samir0884 | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*")}

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
ho.ae.enoc.com/DU... ENOCHO\Domain Admins True  False
ho.ae.enoc.com/DU... NT AUTHORITY\SELF    False False
ho.ae.enoc.com/DU... NT AUTHORITY\SYSTEM  False False
ho.ae.enoc.com/DU... S-1-5-32-548         False False
ho.ae.enoc.com/DU... ENOCHO\sayed1157     False False
ho.ae.enoc.com/DU... ENOCHO\Service & ... False False
ho.ae.enoc.com/DU... S-1-5-21-14228524... False False
ho.ae.enoc.com/DU... S-1-5-21-14228524... False False
ho.ae.enoc.com/DU... ENOCHO\samir0884     False False
ho.ae.enoc.com/DU... S-1-5-21-14228524... False False
ho.ae.enoc.com/DU... ENOCHO\bbadmin       False True


[PS] C:\Windows\system32>

July 2nd, 2015 3:02am

Hi tfernandes,

How about you close this one and start a new thread for this issue (post the link here)? We will start from scratch, as you know, now that it's not related to the SendAs permission.

Quick search gives this.

"Yes, same solution fixed my problem, removing all S-1-5-32-548."

Get-Mailbox User1 | Remove-ADPermission -User "S-1-5-32-548" -ExtendedRights "Send As"

July 3rd, 2015 12:28am

Hi,

If the link given by Satyajit can't solve your problem, in order to avoid confusion and keep track of troubleshooting steps, we usually troubleshoot one issue per thread in order to find a resolution efficiently. Concerning your other question, I suggest we create a new post for further analysis.

Thank you for your understanding!

Regards,

David


July 3rd, 2015 1:18am


This topic is archived. No further replies will be accepted.
