Exchange 2007 - Send As Permission
Hello, I have Exchange Server 2007 installed on my Windows Server 2008 system and am using an ASP.NET web application to send an e-mail message when certain events occur. My problem is that I have everything set up and functioning properly, the e-mail message is sent with the designated e-mail address and I receive the e-mail message with no problems. In order to do this, I have a generic e-mail address that I created for my domain and granted that generic e-mail address "Send As" permission for a different domain e-mail address and use the generic e-mail address in my ASP.NET web application for security purposes.
My problem is the "Send As" permission seems to disappear very frequently. It seems that I need to go into the Exchange Management Console and grant this Send As permission every time my server is rebooted, or even after going into Exchange Management Console to "Look around" and see what I have set up. Does anybody know if there is a way to make the grant of Send As permission permanent so I don't have to constantly re-grant it? I have applied SP1 to Exchange Server 2007 and am always sure to apply the most recent patches, etc. as soon as they are released.
Thanks in advance!
Tim
July 5th, 2008 5:08am
Hello Tim,
Before going into the problem, I just wanted to give some brief history about the two permissions "Send As" and "Receive As".
Send As is an Active Directory extended right and, as described in the Permissions Whitepaper, Domain Admins have full control over every object within their domain partition. Thus they have the Send As extended right on all user objects. Therefore they can spoof any of those user accounts through a mail application, like Exchange.
Receive As is a different beast altogether. By default, root Domain Admins and root Enterprise Admins are explicitly denied the Receive As right at the organization container level. This means that members of those privileged groups cannot log in to any mailbox data. This permission is inherited down to all stores. There are also other ways to gain mailbox access.
Coming to your specific problem, please confirm whether the account is part of any Domain Admins or Enterprise Admins group.
If yes, then you need to run the following against the distinguished name of AdminSDHolder, which is responsible for refreshing permissions and resetting them to the default permissions on it.
The syntax is:
DSAcls "<DN of AdminSDHolder>" /I:T /G "\<alias of User account>:CA;Send As"
Also run the following cmdlet in the Exchange Management Shell (the mailbox is piped in, and the account that should send on its behalf is named with -User):
Get-Mailbox -Identity <alias of User Account> | Add-ADPermission -User <alias of sending account> -ExtendedRights "Send-As"
NOTE: You can use LDP or ADSIEdit.msc tools to pull out the distinguished name of AdminSDHolder. AdminSDHolder resides under CN=System in the domain naming context.
For more details, see KB281146 about DSACLS and the TechNet article for Add-ADPermission:
http://technet.microsoft.com/en-us/library/aa996343.aspx - How to allow mailbox access.
I hope this permanently resolves your issue.
July 6th, 2008 7:49am
Thank you Bala, I will try what you suggest.
Tim
July 6th, 2008 9:45am
Dear customer:
Thanks for Bala's reply. He is right.
Active Directory uses a protection mechanism to make sure that ACLs are set correctly for members of sensitive groups. The mechanism runs one time an hour on the PDC operations master. The operations master compares the ACL on the user accounts that are members of protected groups against the ACL on the following object:
CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>
Note "DC=<MyDomain>,DC=<Com>" represents the distinguished name (DN) of your domain.
If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the adminSDHolder object (and ACL inheritance is disabled). This process protects these accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit where a malicious user has been delegated administrative credentials to modify user accounts. Be aware that when a user is removed from the administrative group, the process is not reversed and must be manually changed.
The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:
Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers
Additionally the following users are also considered protected:
Administrator
Krbtgt
So first, please check whether the user to whom you grant Send As permission belongs to one of the above groups. If so, open ADSIEDIT.msc and check the "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here" option on the adminSDHolder object. Then replicate to all the DCs, grant Send As permission for the user again via EMC, and check whether Send As works fine.
For more information about adminSDHolder, please refer to MORE INFORMATION section in the following article:
Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/kb/817433/en-us
Additionally, for more information about Exchange 2007 Permissions, please refer to the following documents:
Exchange 2007 Permissions: Frequently Asked Questions
http://technet.microsoft.com/en-us/library/bb310792.aspx
Hope it helps. If you have any question, please feel free to let me know.
Rock Wang - MSFT
July 7th, 2008 11:11am
Rock, I really appreciate your help with this and the information. Yes, the user I am granting the Send As permission to is in one of the protected groups. I will try your suggestion and get back with the results.
Tim
July 8th, 2008 4:57am
Hello again Rock! I am having trouble following your suggested steps once I have launched the ADSIEDIT.msc snap-in. I think this is because I am using Windows Server 2008 and not Windows Server 2003. The KB article you cite was also very helpful and did give step-by-step instructions for allowing inheritance on the adminSDHolder object. However, it does so on Windows Server 2003, and the options that are being presented to me on Windows Server 2008 are a little different. I must tell you that I am a novice at this kind of stuff, but consider myself fairly tech savvy as I am a T-SQL and .NET application developer. If you could point me in the direction of an article, book, etc. that would have step-by-step directions for doing this on a Windows Server 2008 system, I would greatly appreciate it.
On a side note, in case anyone is interested, I developed a workaround for this by writing a Windows PowerShell script to re-grant the Send As permission and used the Windows Task Scheduler in Windows Server 2008 to schedule the script to run every 5 minutes - remember, I told you I was a developer!
Thanks again Rock!
Tim
July 8th, 2008 5:54am
Tim, I've been following your post and I'm having the same issues on a 64-bit 2003 install. I've made all the aforementioned changes to AD and the permissions are still being revoked at regular intervals. Do you think you could send info on the script you wrote? I'm not good with scripts but I need a temporary fix as the only account this is affecting is the president of my company. (On a Mac using Mac Mail....Ugh.) Any help is appreciated. Thanks B BGentry@bdiusa.com
July 30th, 2008 12:08am
Hello B, the script that I wrote utilizes the PowerShell command line utility. I am not certain whether or not this was around for Exchange Server 2003? Anyway, I will be happy to provide you with the script if you could check if the computer you are using has the PowerShell command line utility.
Let me know!
Tim
July 30th, 2008 4:01am
Rock, I have read this and am experiencing the Send As permission being deleted after one hour. However, both the user being assigned permission and the user being given permissions are not members of any of the protected groups you mentioned. The highest membership they have is "Domain User." I would appreciate a suggestion as to why the "Send As" permission is being deleted. Using Exchange 2007 SP1 on Standard Server 2008.
Minstral
March 17th, 2010 8:05am
Adding a user to a protected group increments the AdminCount AD property on the user. Removing them from a protected group does not decrement this property, and the AdminSDHolder process will continue to reset their permissions even after they have been removed until the AdminCount is manually set back to 0.
If they belong to a security group that has been added to a protected group, the AdminCount property of the security group will be incremented, and then all members of that group will be incremented. If the security group is removed from the protected group but its AdminCount is not reset, all new members of the group will still get their AdminCount incremented when they are added to the group, and if you set it to 0 it will get re-incremented as long as they are a member of that group.
Short version - don't rely on just checking if they belong to a protected group now. Check their AdminCount, and manually set it to 0 if it isn't already. If it still gets set back, start looking at the AdminCount property of the security groups they belong to. You may find one of those that also needs to be reset.
March 17th, 2010 2:24pm
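The stale-AdminCount check described in the post above, as an added example that is not from the thread or from Microsoft: it lists users and groups whose adminCount is still 1 although they are no longer members, even through nested groups, of any protected group. It uses System.DirectoryServices so it runs on Windows Server 2008 without the ActiveDirectory module; the function names are mine, and it assumes a single-domain forest like the original poster's.

```powershell
# Added example, not from the thread: audit objects with a stale adminCount=1.
# Read-only by default; the reset at the end is commented out so the list can be reviewed first.
$domainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext
# Protected groups as listed earlier in the thread; newer Windows versions protect
# additional groups (e.g. Domain Controllers), so extend this list for your forest.
$protected = "Administrators","Account Operators","Server Operators","Print Operators",
             "Backup Operators","Domain Admins","Schema Admins","Enterprise Admins","Cert Publishers"
# Administrator and krbtgt are protected by design and keep adminCount=1.
$alwaysProtected = "Administrator","krbtgt"

function Find-Objects([string]$filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN", $filter)
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.AddRange([string[]]("distinguishedName","sAMAccountName"))
    $s.FindAll()
}

# Escape the characters LDAP filters treat specially (RFC 4515) before embedding a DN.
function Escape-Filter([string]$v) {
    $v -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
}

$protectedDNs = foreach ($g in $protected) {
    Find-Objects "(&(objectCategory=group)(sAMAccountName=$g))" |
        ForEach-Object { $_.Properties["distinguishedname"][0] }
}
# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) lets the DC resolve nested membership,
# which covers the "group added to a protected group" case from the post.
$inChain = ($protectedDNs | ForEach-Object { "(memberOf:1.2.840.113556.1.4.1941:=$(Escape-Filter $_))" }) -join ""

$stale = foreach ($r in Find-Objects "(&(|(objectCategory=person)(objectCategory=group))(adminCount=1))") {
    $dn  = $r.Properties["distinguishedname"][0]
    $sam = $r.Properties["samaccountname"][0]
    if ($alwaysProtected -contains $sam) { continue }
    # Still transitively in any protected group? Then adminCount=1 is legitimate.
    $still = Find-Objects "(&(distinguishedName=$(Escape-Filter $dn))(|$inChain))"
    if ($still.Count -eq 0) { $dn }
}

$stale | ForEach-Object { Write-Output "adminCount=1 but no longer in a protected group: $_" }

# After review: reset adminCount (the post says AD never does this on its own) and then
# re-enable inheritance on each object as described earlier in the thread.
# foreach ($dn in $stale) { $o = [ADSI]"LDAP://$dn"; $o.Put("adminCount", 0); $o.SetInfo() }
```

Run it in an elevated PowerShell on a domain member; reported groups should be checked before users, since a group with a stale adminCount re-stamps its members as the post explains.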
Hello,
"My problem is the "Send As" permission seems to disappear very frequently."
This issue happened with me on Windows Server 2008 Standard Edition and Exchange 2007 SP3 with user accounts that are members of protected groups,
and this is the way I solved it while retaining the same membership for the problem users in the Server 2008 protected groups:
start menu - Right click Command Prompt - Choose Run as Administrator
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=local" /G "\SELF:CA;Send As"
Then add the permission [SELF - Send As] for the problem users from EMC or Active Directory Users and Computers.
You should change the domain name to your own.
I put this here hoping to help someone stuck on this issue.
Ahmed Badr
http://www.ValueSYS.net
November 23rd, 2010 2:48am