Domain Admins have Send As feature by Default?
We have discovered that all our Domain Admins can utilise the "send as" feature and send on behalf of any other user, by default. How do we go about resolving this, so that this is not the case anymore?
June 10th, 2008 5:29pm
Hi,
I feel that by default the Domain Admin group has Deny - Send As permission on all mailboxes, so just check the permission on the mailbox/server to see if Deny is not selected.
ESM -> Administrative Groups -> <Admin Group> -> Servers -> <Server Name> -> Right Click & Properties -> Security, and verify that Domain Admin has the Deny Send As permission; if not, then you can give it explicitly.
June 10th, 2008 6:15pm
I tried this already and Domain Admins is denied Send As access, but this still doesn't stop us sending on behalf of others!
June 10th, 2008 6:42pm
Clarify: Domain Admin has Send As right to all mailboxes
Collect unmentioned info:
Version: Windows Server, Exchange [03/07]?
Notes: Domain Admin has the Send As right by default in ex07, but based on your description, it seems to be ex2k3, right?
Troubleshooting:
1. Add a registry value in HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
Type: REG_DWORD
Name: ShowSecurityPage
Data: 1
2. Check the permission in ESM
a. Right-click your org icon on the top level of ESM
b. Go to Security tab
c. Check that the permission on Domain Admin is OK.
d. Also check your Server and Mailbox objects; make sure that "Allow the inheritable permissions to propagate.." has been checked
3. Run Domainprep to make sure that everything is OK with the permissions
PS: Wait until all the permissions propagate to child objects
June 12th, 2008 12:22pm
Hi Fudner, did you give it a try? How's the result?
June 27th, 2008 1:28pm
Hi James,
Sorry for the delay!
I am running ex2k3, and did everything suggested except running Domainprep, but the issue still remains.
August 27th, 2008 4:01pm
Have you checked in the Exchange delegation wizard to make sure they don't have permission in there?
Have you checked security on your server, your mailbox store, and your protocol server?
I think the question is, how are the domain admins able to send as? Are you, say, creating an Outlook profile and adding someone else's mailbox to it?
August 28th, 2008 7:25am
Hi Dustin,
It appears that Domain Admins are listed in the Exchange admin delegation wizard as having Exchange full administrator rights (inherited). Should I take them out then?
What I mean when I say that domain admins can send on behalf of others is as follows: when we (domain admin) open up Outlook to send an email, we can send on behalf of another user by using the user's name in the "From" field, which should not be allowed.
August 28th, 2008 1:28pm
Hi Dustin,
Thanks for your help. This is the reason. Well done!
Fudner.
August 28th, 2008 1:36pm
Hi All!
What do you do, Fudner?
I don't understand.
I have the same problem with Exchange 2003 SP2...
September 2nd, 2008 3:04pm
It appears that Domain Admins are listed in the Exchange admin delegation wizard as having Exchange full administrator rights (inherited). I believe that taking Domain Admins out of this list will ensure that the issue is resolved.
September 3rd, 2008 1:56pm