Assigning “Send As” Permissions to a user


It was brought to my attention that following the steps listed in KB327000 (http://support.microsoft.com/?kbid=327000), which applies to Exchange 2000 and 2003, to assign a user "Send As" permission as another user did not appear to work. I too tried to follow the steps and found that they did not work. I know this feature works, so I went looking around for other documentation on this and found KB281208 (http://support.microsoft.com/?kbid=281208), which applies to Exchange 5.5 and 2000. Following the steps in KB281208 properly gave a user "Send As" permission as another user. But I found the steps listed in KB281208 were not complete either. The additional step that I performed was to remove all other permissions other than "Send As". Here are the modified steps for KB281208 that I performed (changes noted in blue):

1. Start Active Directory Users and Computers; click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. On the View menu, make sure that Advanced Features is selected.

3. Double-click the user that you want to grant send as rights for, and then click the Security tab.

4. Click Add, click the user that you want to give send as rights to, and then check send as under allow in the Permissions area.

4.5  Remove all other permissions granted by default so only the send as permission is granted.

5. Click OK to close the dialog box.
 
So after I verified that the steps for KB281208 worked, I was curious as to why the steps for KB327000 did not work. What I found was that Step #7 of KB327000 applied the permission to "User Objects" instead of "This Object Only". Here are the modified steps for KB327000 that I performed:

1. On an Exchange computer, click Start, point to Programs, point to Microsoft Exchange, and then click Active Directory Users and Computers.

2. On the View menu, click to select Advanced Features.

3. Expand Users, right-click the MailboxOwner object where you want to grant the permission, and then click Properties.

4. Click the Security tab, and then click Advanced.

5. In the Access Control Settings for MailboxOwner dialog box, click Add.

6. In the Select User, Computer, or Group dialog box, click the user account or the group that you want to grant "Send as" permissions to, and then click OK.

7. In the Permission Entry for MailboxOwner dialog box, click This Object Only in the Apply onto list.

8. In the Permissions list, locate Send As, and then click to select the Allow check box.

9. Click OK three times to close the dialog boxes.
 
The KB articles were updated to include correct information. But, if you had problems with this in the past, this might be why!

- Chris Ahlers
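
To check the result of either procedure without clicking through the dialogs, the following added example (not part of the original post or of the KB articles) lists the ACEs on a user object that carry the Send As right and reports whether each one is evaluated on the object itself or is inherit-only, which is the difference between "This Object Only" and "User Objects". It assumes the RSAT ActiveDirectory PowerShell module; `Get-SendAsAce` and the account name `mailboxowner` are hypothetical.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module, which provides
# Get-ADUser and the AD: drive. Get-SendAsAce is a hypothetical helper name.
Import-Module ActiveDirectory

# Well-known GUIDs: the Send-As extended right and the User schema class.
$SendAsRight = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$UserClass   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-SendAsAce {
    param([Parameter(Mandatory)][string]$Identity)

    $dn       = (Get-ADUser -Identity $Identity).DistinguishedName
    $acl      = Get-Acl -Path "AD:\$dn"
    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in $acl.Access) {
        # Keep only ACEs that carry the extended-right bit ...
        if (([int]$ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }
        # ... for Send As specifically, or for all extended rights
        # (empty ObjectType, as in a Full Control entry).
        if ($ace.ObjectType -ne $SendAsRight -and
            $ace.ObjectType -ne [guid]::Empty) { continue }

        # None / All / SelfAndChildren are evaluated on the object itself.
        # Descendents / Children are inherit-only: they are stored on this
        # object's ACL but never grant anything on this object.
        $onThisObject = $ace.InheritanceType.ToString() -in
                        'None', 'All', 'SelfAndChildren'

        [pscustomobject]@{
            Trustee              = $ace.IdentityReference.Value
            Access               = $ace.AccessControlType
            InheritanceType      = $ace.InheritanceType
            ChildUserObjectsOnly = ($ace.InheritedObjectType -eq $UserClass)
            AppliesToThisObject  = $onThisObject
            Inherited            = $ace.IsInherited
        }
    }
}

# 'mailboxowner' is a constructed sample account name.
Get-SendAsAce -Identity 'mailboxowner' | Format-Table -AutoSize
```

An entry created with "User Objects" shows up with `InheritanceType` of `Descendents`, `ChildUserObjectsOnly` true and `AppliesToThisObject` false; one created with "This Object Only" shows `InheritanceType` of `None`.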

Comments (6)
  1. Adam Woodruff says:

    Thanks for tracking this down. I spent several hours tracking this one down myself.

  2. Adam D says:

    Thanks so much for providing this. I’ve been chasing this problem since I started at my help desk job in November. Any idea why this way works and the other doesn’t?

    Adam

  3. Chris Ahlers says:

    The reason the previous way was not working was because the permission was not being applied onto the appropriate objects. The "Apply Onto" option controls inheritance for the specified permissions. Previously, the "Apply Onto" option was being specified as "User Objects" which was incorrect.

  4. Adam D says:

    Another question,

    When I apply these permissions to a user, they seem to disappear within a day. For example, I’ll follow the steps listed here, and then come back in several hours, or the next day, and the user that I granted Send As permission to is gone from the list of Security settings. Any idea why?

  5. Chris Ahlers says:

    Hmm, I do not know of anything off the top of my head that would be doing this.

    I would start investigating this by enabling "Object Access" auditing for the Active Directory Objects. You will have to go in and edit the default GPO for the domain controllers to enable success auditing for Object Access. After this setting has taken effect, you will then need to view the "Security" tab of the user in question and add a new auditing entry to audit any writes to the user object. Once that is completed, whenever the specific object is modified you should see a 566 event being logged in the Security Log of the Event Viewer. This should give you some good information on who/what is modifying the object and what is being modified.
