GrantSendOnBehalfTo Permissions for a Mailbox Overwrite Existing Permissions


The following blog post explains how to use the Exchange Management Shell to add or remove values from a multivalued property on an object. A multivalued property can contain more than one value, for example the 'GrantSendOnBehalfTo' property on a mailbox.

* How to configure Send on Behalf:

A. Using the Outlook Delegate tab.

B. Using the Exchange Management Console.

C. Using the Exchange Management Shell.  -- This method is discussed below.

Modifying a multivalued property is different from modifying a single-valued one. When you set the property to a new value, the stored value is overwritten.

 

Example: Assume that the mailbox 'HelpDesk' has two users listed in its 'GrantSendOnBehalfTo' property.

GrantSendOnBehalfTo : John@contoso.com, Chris@contoso.com

A new user joins the company and needs Send on Behalf access to the 'HelpDesk' mailbox.

The administrator runs the following command:

Set-Mailbox Helpdesk -GrantSendOnBehalfTo 'Kim@contoso.com'

When you run Get-Mailbox 'Helpdesk' | ft Name,GrantSendOnBehalfTo, you will see the following:

GrantSendOnBehalfTo : Kim@contoso.com

This isn't what we expected. We wanted to add another user to the existing permissions, but instead the existing list was overwritten.

When you modify a multivalued property, you must append or remove values explicitly, without overwriting the existing list.

 

The general syntax :

Add one or more values to a multivalued property   :  @{Add="<value1>", "<value2>", "<value3>"}

Remove one or more values from a multivalued property    : @{Remove="<value1>", "<value2>", "<value3>"}

Here are some examples :

Ex1.

Set-Mailbox 'HelpDesk' -GrantSendOnBehalfTo @{Add="john@contoso.com", "chris@contoso.com", "kim@contoso.com"}


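Ex2 (this form replaces the existing list on every mailbox with the four values given):

Get-Mailbox | Set-Mailbox -GrantSendOnBehalfTo "user1", "User2", "User3", "User4"

Ex3:

Get-Mailbox Helpdesk | Set-Mailbox -GrantSendOnBehalfTo 'john@contoso.com'

# Read the current lists from both mailboxes
$a = Get-Mailbox 'Helpdesk' | Select-Object GrantSendOnBehalfTo
$b = Get-Mailbox 'Kim' | Select-Object GrantSendOnBehalfTo

# Append the first delegate of Kim's mailbox to the Helpdesk list, then write the combined list back
$a.GrantSendOnBehalfTo += $b.GrantSendOnBehalfTo[0]

Get-Mailbox HelpDesk | Set-Mailbox -GrantSendOnBehalfTo $($a.GrantSendOnBehalfTo)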

 

Ex4: (Bulk addition of permissions)

Here is a simple requirement: assign GrantSendOnBehalfTo permissions on all mailboxes without overwriting the existing permissions.

1 - First, export all the existing permissions:

Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, @{Name='GrantSendOnBehalfTo'; Expression={$_.GrantSendOnBehalfTo -join ';'}} | Export-Csv C:\sendonBehalfpermissions.csv -NoTypeInformation

Here is an example: each user has GrantSendOnBehalfTo permissions assigned.

Get-Mailbox | Select-Object DisplayName,GrantSendOnBehalfTo | ft -a

DisplayName     GrantSendOnBehalfTo
Test 01         {Contoso.Com/RESEARCH/Test 04}
Test 02         {Contoso.Com/RESEARCH/Test 04, Contoso.Com/Users/Test 01}
Test 03         {Contoso.Com/RESEARCH/Test 04, Contoso.Com/Users/Test 01}
Test 04         {Contoso.Com/RESEARCH/Test 05, Contoso.Com/Users/Test 01}
Test 05         {Contoso.Com/RESEARCH/Test 06, Contoso.Com/Users/Test 01}
Test 06         {Contoso.Com/RESEARCH/Test 04, Contoso.Com/Users/Test 01}

 

2 - Assume there is a requirement to give the user account "Test.10" GrantSendOnBehalfTo permissions on all the mailboxes without overwriting the existing permissions.

I retrieve all the mailboxes at once and run the following cmdlet to append the permissions:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -GrantSendOnBehalfTo @{Add="Test.10"}

Once the cmdlet has completed, run the following cmdlet to check that the new user has been appended to the existing permissions:

Get-Mailbox | Select-Object DisplayName,GrantSendOnBehalfTo | ft -a

DisplayName     GrantSendOnBehalfTo
Test 01         {Contoso.Com/RESEARCH/Test 10, Contoso.Com/RESEARCH/Test 04}
Test 02         {Contoso.COM/RESEARCH/Test 10, Contoso.Com/RESEARCH/Test 04, Contoso.Com/Users/Test 01} ---->  user account has been added / appended to existing permissions.
Test 03         {Contoso.COM/RESEARCH/Test 10, Contoso.Com/RESEARCH/Test 04, Contoso.Com/Users/Test 01}
Test 04         {Contoso.COM/RESEARCH/Test 10, Contoso.Com/RESEARCH/Test 05, Contoso.Com/Users/Test 01}
Test 05         {Contoso.COM/RESEARCH/Test 10, Contoso.Com/RESEARCH/Test 06, Contoso.Com/Users/Test 01}
Test 06         {Contoso.COM/RESEARCH/Test 10, Contoso.Com/RESEARCH/Test 04, Contoso.Com/Users/Test 01}
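The bulk append from Ex4 wrapped in a before/after check, as an added example that is not part of the original post: it records every mailbox's delegate list, previews the change with -WhatIf, applies it, and warns if any mailbox lost an entry or gained more than the one expected. The function name Get-DelegateSnapshot and the backup path are assumptions made for this example; "Test.10" is the account used above.

```powershell
# Added example, not from the original post. Run in an Exchange Management Shell session.
$delegate = 'Test.10'                        # account from Ex4
$backup   = 'C:\sendonBehalf-before.csv'     # assumed path for the backup copy

# Hypothetical helper: map each mailbox identity to its delegates as plain strings,
# so the lists can be stored and compared.
function Get-DelegateSnapshot {
    $snapshot = @{}
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $snapshot["$($_.Identity)"] =
            @($_.GrantSendOnBehalfTo | Where-Object { $_ } | ForEach-Object { "$_" })
    }
    return $snapshot
}

# 1. Record the state before the change and keep a copy on disk.
$before = Get-DelegateSnapshot
$before.GetEnumerator() | ForEach-Object {
    New-Object PSObject -Property @{ Mailbox = $_.Key; Delegates = ($_.Value -join ';') }
} | Export-Csv -Path $backup -NoTypeInformation

# 2. Preview with -WhatIf, then append. @{Add=...} leaves existing entries in place.
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -GrantSendOnBehalfTo @{Add = $delegate} -WhatIf
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -GrantSendOnBehalfTo @{Add = $delegate}

# 3. Verify: nothing present before may be missing now, and at most one
#    entry (the new delegate) may have appeared on each mailbox.
$after = Get-DelegateSnapshot
foreach ($mbx in $before.Keys) {
    $lost  = @($before[$mbx] | Where-Object { $after[$mbx] -notcontains $_ })
    $added = @($after[$mbx]  | Where-Object { $before[$mbx] -notcontains $_ })
    if ($lost.Count -gt 0) {
        Write-Warning "$mbx lost delegates: $($lost -join ', ')"
    }
    if ($added.Count -gt 1) {
        Write-Warning "$mbx gained unexpected delegates: $($added -join ', ')"
    }
}
```

A warning about lost delegates means a list was overwritten rather than appended to; the CSV written in step 1 holds the values needed to put them back with @{Add=...}.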

 

* P.S.: Any views or opinions presented in this blog post are solely those of the author and do not necessarily represent those of the company. Please validate that the cmdlets provided here meet your requirements, and test them before using them on your production mailboxes.

 -Manju


Comments (5)

  1. Eugenio says:

    Wow life savior

    I read in 3 places, that it wasn’t possible to remove users using grantsendonbehalf.

    That worked like a charm.

    TY

  2. Dianne says:

    I am getting the same error but some of my results are different. I have 5 users in the Outlook delegates list…two of which are no longer in the address book. One of the active ones needs to be removed. I went into adsiedit and removed the one that is still in the address book. The other two weren’t present. I have given myself full access to the mailbox to no avail. The error is the same from Outlook 2010 and Outlook 2013 and on different machines so the registry hack won’t work. get-mailbox | select name, grantsendonbehalfto only produces 3 records but the other three still exist in the Outlook delegates list. Any help will be appreciated.

  3. Michel says:

    Why does your get-mailbox [user] -GrantSendOnBehalfTo return the UPN and ours returns the Display Name? (The latter is quite a nuisance since it is not necessarily unique.)

  4. shankar D meher says:

    This is a really very, very helpful article for me.

  5. halo_mmm says:

    what would be the exch2007 equivalent of:
    set-mailbox -identity "MBOX" -grantsendonbehalfto @{add="alexanders","aprilt"}
    ??
