E2K7 - How to Check "Send As" Permission for a Mailbox
Dear all,
I know "How to Grant the Send As Permission for a Mailbox" as per http://technet.microsoft.com/en-us/library/aa998291%28EXCHG.80%29.aspx
But now I'd like to know how I can receive information on a mailbox level regarding "Send As" permissions, i.e. who actually has "Send As" permissions on any given mailbox, using PowerShell.
Regards
Alex
November 4th, 2010 1:57pm
Hi,
Try this:
Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*")} | FT -Wrap
Regards from www.windowsadmin.info
November 4th, 2010 3:29pm
Hi,
well, that looks good. Unfortunately I still have some user accounts that are able to send emails in the name of another user, i.e. they can use Outlook to send a new email while selecting another user in the "From" field. This email is then successfully transmitted to its destined recipient with the selected user in the "From" field. The email looks genuine and checking the options states that this email is sent from the user contained in the "From" field. No clue that another user did this, like "Send on Behalf of".
I checked group memberships of those users who are able to send "faked" emails as well as "Send on Behalf of" rights. Nothing could be found. Any ideas? Any help would be greatly appreciated.
Alex
November 9th, 2010 10:58am
Hi Alex,
Do you mean someone can send emails as another person while he isn't listed when you run the cmdlet provided by ManU?
Please try to verify whether the user has the “send as” permission by following the steps below:
1. Open the Exchange Management Console.
2. Navigate to Recipient Configuration.
3. Click Mailbox.
4. In the right panel, right-click the mailbox for which you want to view who is actually granted the Send As permission.
5. Choose Manage Send As Permission.
6. And now we know who has been granted the Send As permission.
Please feel free to let me know if someone can send email as a specific mailbox but he has not been listed when you perform the steps below.
I look forward to hearing from you.
Best regards,
Serena
November 11th, 2010 12:32pm
Dear Serena,
this is exactly the problem. Someone can send emails as another person while he or she doesn't have the "Send As" right. When I run the cmdlet provided by ManU the person is NOT listed. When verifying the "Send As" permission with the Exchange Management Console as described by you the person is NOT listed either.
Alex
November 11th, 2010 1:11pm
Hi Alex,
Have you checked whether your user is associated with an external account in his Outlook? Because the associated external account for a mailbox can send messages as the mailbox owner without the Send As permission.
If your user is not associated with another external account in Outlook, please verify whether the user who can send email as another user has the Full Mailbox Access permission and Send on Behalf permission for the mailbox owner. Because when user 1 has both the Full Mailbox Access permission and Send on Behalf permission on the mailbox of user 2, user 1 can send email as user 2.
Please refer to my original post to verify whether the user has the Full Mailbox permission on the mailbox. And you can view the Send on Behalf permission by following the steps below:
1. Open the Exchange Management Console.
2. Navigate to Recipient Configuration.
3. Click Mailbox.
4. In the right panel, right-click the mailbox for which you want to view who is actually granted the Send on Behalf permission.
5. Click Properties and go to the Mail Flow Settings.
6. And then choose Delivery Option, click Properties.
7. So we can see who has Full Mailbox Access permission on the specific mailbox.
And here is more information,
Understanding Send As Behavior in Exchange 2007:
http://technet.microsoft.com/en-us/library/dd421860(EXCHG.80).aspx
Please feel free to let me know if you have any questions.
Best regards,
Serena
November 12th, 2010 10:38am
Alex, please try this command. You can place the alias of the user within this command where I have "alias of user" and run this. This will provide you the Send As permission user by user. Now if you would like to have this pull all users on a certain server, then use the -server parameter and specify the server. If you have over 10,000 users then put the parameter -resultsize:unlimited so that you can get all the info. Please let me know if you have any further questions.
Get-Mailbox -Identity "alias of user" | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select User, ExtendedRights, Identity
April 27th, 2012 8:54am
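The thread names three separate places where the ability to send as a mailbox can come from: the Send-As extended right, Full Mailbox Access, and Send on Behalf. The following is an added example, not code from any participant in the thread, that collects all three for one mailbox into a single table from the Exchange Management Shell. The `$Alias` value is a placeholder, and the `Source` and `Trustee` column names are chosen here for illustration.

```powershell
# Added example: run in the Exchange Management Shell.
# $Alias is a placeholder; replace it with the mailbox to audit.
$Alias = "alias of user"
$mbx   = Get-Mailbox -Identity $Alias

# 1. Send As: an extended right stored on the Active Directory object.
#    Inherited entries are kept on purpose, because an inherited grant
#    allows sending as the mailbox just like an explicit one.
$sendAs = Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { ($_.ExtendedRights -like "*Send-As*") -and
                   -not ($_.User -like "NT AUTHORITY\SELF") } |
    Select-Object @{Name="Source";  Expression={"Send As"}},
                  @{Name="Trustee"; Expression={$_.User.ToString()}},
                  IsInherited, Deny

# 2. Full Mailbox Access: a mailbox permission, not an AD extended right,
#    so it never appears in the Get-ADPermission output above.
$fullAccess = Get-MailboxPermission -Identity $mbx.DistinguishedName |
    Where-Object { ($_.AccessRights -like "*FullAccess*") -and
                   -not ($_.User -like "NT AUTHORITY\SELF") } |
    Select-Object @{Name="Source";  Expression={"Full Access"}},
                  @{Name="Trustee"; Expression={$_.User.ToString()}},
                  IsInherited, Deny

# 3. Send on Behalf: a property of the mailbox itself.
#    It is set explicitly per mailbox, so there is no inherited/deny state.
$onBehalf = $mbx.GrantSendOnBehalfTo |
    Select-Object @{Name="Source";      Expression={"Send on Behalf"}},
                  @{Name="Trustee";     Expression={$_.Name}},
                  @{Name="IsInherited"; Expression={$false}},
                  @{Name="Deny";        Expression={$false}}

# One table for review. Rows with Deny = True block the right
# rather than grant it, so read that column before drawing conclusions.
@($sendAs) + @($fullAccess) + @($onBehalf) |
    Sort-Object Source, Trustee |
    Format-Table Source, Trustee, IsInherited, Deny -AutoSize -Wrap
```

Trustees that are groups show up by group name, so membership of any listed group still has to be expanded separately.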