Exchange 2003 Send As problem
Is this an Exchange 2003 security hole? Users are allowed to send e-mail messages as if they were the actual recipient, even though the permissions for Send As are denied. For instance, mailbox owner 'A' can send mail as if they were mailbox owner 'B' using the 'From Field' in Outlook, and vice versa. The individuals' mailboxes don't have this set in the Outlook delegate option either, which again doesn't show users as having Send As rights. Under Security -> Advanced, when I click Add and type the username that I'd like to deny Send As for, this still has no effect. I've even moved users into test 'OUs' with no inheritance and only the 'Domain Users Group' from the top level, but still the recipient can Send As. I'm running fast out of options. I'd like to be able to turn Send As off globally throughout the whole Exchange, or remove the 'From Field' in Outlook across the whole domain, using Landesk or other options to roll out the update, i.e. to every PC. None of our users require Send As. Send on Behalf maybe, but not Send As. My next step is to try and find a way to run a report script to see which users Exchange thinks have the "Send As" right applied. Anybody know of one? I've already applied this security patch to try and resolve the problem, and rebooted the Exchange server even though I didn't need to, but to no avail. Please help! This was the patch below: Send As permission behavior change in Exchange 2003. Article ID: 895949. Last Review: October 25, 2007. Revision: 5.1
January 23rd, 2008 8:19pm

A user needs to be given the right to Send-As. This can be set on a per-user basis in the Domain Partition but also on Exchange object level in the Configuration partition. You say that all users are allowed to Send-As any user in the forest. Well, that leads me to believe that it is either set for 'Everyone' at the Domain root level or at the Admingroup or Organization level in the Configuration Partition. Check the domain root or your Users OU (if you have one) and check the 'Effective Permissions' for a particular user. Also check any 'Effective Permissions' in the Configuration partition. Drill down to the Exchange databases under Services -> Microsoft Exchange -> <org name> -> Administrative Groups -> <admin group> -> Servers -> <ServerName> -> Information Store -> <storage group name>. Look at the security tab of one of the databases and select the Advanced button. On the 'Effective Permissions' tab you can enter a random user account and see what the effective permissions are. Check to see if the user has Send-As and 'Administer Information Store' there. If either AD partition contains any Send-As permissions, investigate further to see where those permissions are inherited from. Please DO NOT set explicit deny permissions yourself. This may break stuff elsewhere. Cheers, Mark
January 26th, 2008 11:07am
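
The report the original poster asks for, following the places the reply above says to check (domain root, mailbox-enabled users, and the Exchange organization, administrative group and mailbox database objects in the Configuration partition). This is an added example, not code from any poster in the thread; the function names `Get-SendAsAce` and `Find-Entry` are hypothetical, and it only reads ACLs.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 or later on a
# domain-joined machine and an account that can read the ACLs being queried.
# Send-As is the AD extended right with this rightsGuid:
$SendAs   = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$NtName   = [System.Security.Principal.NTAccount]

function Get-SendAsAce {            # hypothetical helper name
    param($Entry)                   # a System.DirectoryServices.DirectoryEntry
    $path  = $Entry.psbase.Path
    # $true, $true = return both explicit and inherited ACEs
    $rules = $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $NtName)
    foreach ($r in $rules) {
        $hasExt = ($r.ActiveDirectoryRights -band $ExtRight) -eq $ExtRight
        # An empty ObjectType means "all extended rights" (e.g. Full Control),
        # which includes Send-As.
        $covers = ($r.ObjectType -eq $SendAs) -or ($r.ObjectType -eq [guid]::Empty)
        if ($hasExt -and $covers) {
            $r | Select-Object @{n='Object';e={$path}}, IdentityReference,
                AccessControlType, IsInherited, InheritanceType
        }
    }
}

function Find-Entry {               # hypothetical helper name
    param([string]$BaseDn, [string]$Filter)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$BaseDn"
    $s.Filter     = $Filter
    $s.PageSize   = 500             # page results so large domains are not truncated
    $s.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = "$($rootDse.defaultNamingContext)"
$configNc = "$($rootDse.configurationNamingContext)"

$targets = @(
    [ADSI]"LDAP://$domainNc"        # domain root
    Find-Entry $domainNc '(&(objectCategory=person)(objectClass=user)(mailNickname=*))'
    Find-Entry $configNc '(|(objectClass=msExchOrganizationContainer)(objectClass=msExchAdminGroup)(objectClass=msExchPrivateMDB))'
)

$targets | ForEach-Object { Get-SendAsAce $_ } | Sort-Object Object | Format-Table -AutoSize
```

Rows with `IsInherited` set to `True` come from a parent container, so the explicit ACE to investigate is the matching row on the domain root or Exchange container higher up.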

When looking at the effective permissions for a user or group, 'AD' states it's inherited from the top level > sampledomain.com (obviously I've put sample in place of our real domain name). When looking at the top level, it doesn't show the 'send as' tab in any of the groups, or the ability to take away this permission anywhere? If I could just edit the hidden group 'Authenticated Users' and deny there, like you can with built-in system groups, I'm sure the problem would go away. Is there a way to turn this off, i.e. run a script or from within the schema?
February 7th, 2008 4:58pm

FINALLY!!!!!!!!!!!!!!!!!! I figured it out. I've had this problem forever... I've always been able to "Send As" as myself... I could pick any security group I wanted to send as and it worked. Why? Well I'm an Administrator... Permissions are there. I wanted a few people that are not even close to being administrators to be able to "Send As" the Distribution List. So when someone would get an e-mail from the regarding certain topics, the DL would show up as the "From" address. In my case, "Public Relations" would show up. Could NOT get anyone other than myself to get the send as to work even with the security permissions and everything. One thing I overlooked... Open a Security Group > Security Tab > Advanced > Owner tab. EVERYONE that has ANYTHING to do with anything in that Owner tab is able to use the "Send As" functionality. If you have a Security Group in that list that includes everyone in the company, then you'll have to remove that and create a security group for "Send As" and add only the people you want. I now have total control over communications going in and out of the company. So if someone leaves or gets tossed, the e-mail correspondence goes to the distro list instead of the individual! WOOHOO! Sorry for the informality... I'm just too excited that I have finally figured this out.
February 21st, 2008 2:10am

I was so excited when I saw your email, but now I'm flummoxed. When you say open a Security Group, do you mean in Active Directory? Because when I open my group, there is no Security tab. Any clarification would be most appreciated!! TIA~ ~~~~~~~~~~~ Belay that -- I just realized that I didn't have Advanced Features turned on. Never mind. :-D
March 19th, 2008 9:35pm

Make sure you turn on the Advanced View in the ADUC to see the security tab.
March 22nd, 2008 1:15am

Hi UKMARKH, I have the same problem. Did you fix it? How? Please help!
February 20th, 2009 11:00pm

Hey UKMARKH... Suddenly I'm also having the same problem! I know for a fact that this WASN'T a problem a few weeks ago while setting up additional mailboxes for a few users. I had to specifically grant those few people Send As rights to those new mailboxes since they weren't able to do so until that permission was given. Now ALL of my users can change the From to any other user & send email so it appears as it came from that other person! Yikes!
July 20th, 2009 8:37pm

This topic is archived. No further replies will be accepted.
