Exchange 2010: Manage "Send-As" Permission only Works on the Mailbox Server Where "Public Folder" was Created.

Exchange 2010 can only add "Send As" permissions to mail-enabled public folders for which the Owner of the AD object corresponding to the PF is an Exchange 2010 server. For Example In a environment  with many Exchange 2010 servers, If a "Public Folder" is created using Exchange 2010 server PF console on E2010 server MB01 (in Our Example), it is possible to grant "Send-As" permissions on the Public Folder from the same console. However, if the 2010 Public Folder console is run from another E2010 server, granting Send As permissions fails with following error .

Add-ADPermission pF01 -User user01 -ExtendedRights send-as

Active Directory operation failed on DC01.Corp.M16.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 + CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
 + FullyQualifiedErrorId : B3EE6A10,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

 

When Public folder is created From a specific Server, Only the specific Exchange 2010 PF server will have the permissions to modify the "Send-As" Rights, As that server is the Owner of the Ad Object that corresponds to mail-enabled Public folder. When run the Add-ADPermission cmdlet to manage 'Send-As' permission on public folder from the Other Exchange 2010 server Other than where PF was created, Exchange will be access denied to modify the permissions on mail-enabled PF Object In MESO.

- Additionally you can verify AD Permissions using DSACLS , ADPermission or windows PowerShell.

When manage "Send-as" request is sent using Exchange Management shell or GUI , Scope are verified and validated before presenting the credentials of the user for modification ,

"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '(!((Exists(ConfigurationUnit))))'"
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '<null>'"
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '(!((Exists(ConfigurationUnit))))'"
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '<null>'"
"GetConnection","Returning connection to DC01.Corp.M16.com:389"
"ADSession::ExecuteModificationRequest using DC01.Corp.M16.com:389 - Sending ModifyRequest request for CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com"
"DirectoryException","Caught System.DirectoryServices.Protocols.DirectoryOperationException with 50(0x32), message=00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0" 

 This is generic ACCESS Denied Error.  

Currently The Exchange Trusted Subsystem (ETS) is not granted sufficient rights to create a Manage "Send-As" permissions on Publicfolder Objects in MESO Container in AD. Currently ETS can only manage the Send-as Permissions for these objects.
==  This is a problem when you have several public folder servers and many people are allowed to create public folders, and if you are managing "Send-as" permission on public folder objects in AD. because you cannot manage them from every server, other than where they are created.

 

There are couple workarounds to fix :

A : It is very manual method, If you use ADSIEdit to change the Owner of the PF object in AD to be Exchange 2010 server B or C or D , then you can grant Send As permissions from server B OR C or D. but not from server A anymore.

so not an easy fix.

B : Assign Permissions on MESO Container for ETS ( Exchange trusted Subsystem) to "Modify Permission" . [ Similar to /Preparead ]

Open ADSIEDIT =] Navigate to the properties of the MESO ( Microsoft Exchange System Objects) container -- Select "Security"  tab ---> Select “advanced” Tab at the bottom " ---> In the Add Permissions window Select  “add” button ---> Add “Exchange trusted subsystem

And assign “Modify permissions” . Permission

Select “This object and all decedent objects"

     

==  Now "Send-as" Permissions for Mail enabled public folders can be managed from any Exchange 2010 server in the Organization.

Manju