Send As permission not working - Exchange 2010
Trying to allow a user to send as from a distribution list on Exchange 2010. I ran the following command:

    Add-ADPermission -identity "Algentis - HR" -user mwong -AccessRights ExtendedRight -ExtendedRights "Send as"

The user gets an access denied NDR error message in Outlook (both cached and non-cached mode) as well as OWA. Here is the exact NDR:

    Delivery has failed to these recipients or groups: someone@external.com
    You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk.

Please help!
March 19th, 2012 2:03pm

Can you double check using ADUC to see if the cmdlet actually took effect? ADUC, properties of the group, security tab. Also, how long did you wait?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 19th, 2012 2:09pm

When I go to the security group in ADUC and open the security tab there is an entry for the user there, scrolling down I can see that "send as" is check marked. I made this change one week ago and as of this morning the user still gets access denied when trying to send as this group.
March 19th, 2012 2:12pm

Hmmm, can you check the group, security tab, advanced: is inheritance checked?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 19th, 2012 2:37pm

Yes, inheritance is checked.
March 19th, 2012 5:54pm

That's strange. Try running set-mailbox mwong -Database <samedatabaseitscurrentyon> to see if you can force it to clear\update the cache. Setting send-as is a pretty straightforward task but in some instances it still doesn't work. If the above doesn't work, move the mailbox, and if that doesn't work, reboot the server. Maybe the store cache is not acting properly and needs a restart.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 19th, 2012 6:14pm

Getting a warning from that command that scares me:

    "Rehoming mailbox "mwong" to database "Mailbox Database 0540166603". This operation will only modify the mailbox's Active Directory configuration. Be aware that the current mailbox content will become inaccessible to the user."

Should this command be run after hours? Do you know approximately how long their mailbox will be inaccessible for?
March 19th, 2012 6:18pm

Are you sure you're setting to the same mailbox he's on? Let me test to see if you still get that when re-homing to the same mailbox. It's no big deal though; even if you accidentally re-home to the wrong DB, all you have to do is re-home it back and there's no issue. I've done it in the past. But let me check if that warning is expected for the same DB.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 19th, 2012 6:24pm

Yeah, that warning is expected even if you re-home to the same DB.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 19th, 2012 6:25pm

I applied the above command about 16 hours ago and had the user test a few minutes ago. It is still not working.
March 20th, 2012 11:42am

Can you do

    get-adpermission DLGroup |fl

Is self missing on either the DL or the mailbox user? Did you do a migration from a previous version of Exchange? Can you do another test with a new DL and a new test user?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 20th, 2012 11:58am

Output of that command included (removed what seemed to be irrelevant):

    User                : NT AUTHORITY\SELF
    Identity            : Algentis.office/KinetixManaged/Users/Distribution Lists/Algentis - HR
    Deny                : False
    AccessRights        : {GenericRead}
    IsInherited         : False
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : None

    User                : ALGENTIS\mwong
    Identity            : Algentis.office/KinetixManaged/Users/Distribution Lists/Algentis - HR
    Deny                : False
    AccessRights        : {ExtendedRight}
    IsInherited         : False
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : All

For the user:

    User                : NT AUTHORITY\SELF
    Identity            : Algentis.office/KinetixManaged/Users/Active Users/Mai Wong
    Deny                : False
    AccessRights        : {ReadProperty, WriteProperty, ExtendedRight}
    IsInherited         : True
    Properties          : {Private-Information}
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : All

It does work on a new DL with a test user.
March 20th, 2012 5:06pm

I forgot to add this server was migrated from Exchange 2003.
March 20th, 2012 5:06pm

When you did the get-adpermission group |fl I see that mwong is listed there once, but it should be listed twice. If it's not listed twice then it's missing.

    User                : domain\mwong
    Identity            : corp.dom/Groups/Distribution Groups/testDL
    Deny                : False
    AccessRights        : {ReadProperty, GenericExecute}
    IsInherited         : False
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : None

Can you remove him via ADUC and then add him back using ADUC and not PowerShell? Give it a few minutes, then test again.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 20th, 2012 5:23pm

So I wanted to check if the user was listed twice; I reran the command and now I do not see the user listed at all. There are a number of entries that appear to be SIDs, for example:

    User                : S-1-5-32-554
    Identity            : Algentis.office/KinetixManaged/Users/Distribution Lists/Algentis - HR
    Deny                : False
    AccessRights        : {ListChildren}
    IsInherited         : True
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : All

Do you know why I would have multiple entries like the above?
March 20th, 2012 5:46pm

Those are just unresolved SIDs, meaning they no longer exist as objects in AD or were from unresolved SIDs if you did a domain\forest migration. Try to use ADUC to set the send as and not PowerShell.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 20th, 2012 6:49pm
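
The ACL checks discussed in the posts above, as an added example that is not part of the original thread: it lists every Send-As entry on the group (allow, deny, inherited) and tries to translate trustees that Get-ADPermission shows only as a SID. It assumes the Exchange Management Shell on a domain-joined host; the group name is the one quoted in the thread.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
$group = "Algentis - HR"    # group name as quoted in the thread

$aces = Get-ADPermission -Identity $group

# 1. Every Send-As entry on the group, including Deny and inherited ones.
#    A Deny entry takes precedence over an Allow for the same trustee.
$aces | Where-Object { $_.ExtendedRights -like "*Send-As*" } |
    Format-Table User, Deny, IsInherited, ExtendedRights -AutoSize

# 2. Trustees displayed only as a SID: attempt to translate each one.
#    SIDs under S-1-5-32 are built-in groups; S-1-5-21-... are domain accounts.
$aces | ForEach-Object { $_.User.ToString() } |
    Where-Object { $_ -match '^S-1-\d+(-\d+)+$' } |
    Sort-Object -Unique |
    ForEach-Object {
        $sidText = $_
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        try {
            # Translate() throws when no account maps to the SID
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "<no matching account>"
        }
        New-Object PSObject -Property @{ Sid = $sidText; ResolvesTo = $name }
    } | Format-Table Sid, ResolvesTo -AutoSize
```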

The permission is set in ADUC, however when I run the get command I no longer see the user on the ACL.
March 20th, 2012 6:52pm

Strange, works just normally for me when I use ADUC and then run get-adpermission to verify. Can you do the same with your test group and your test user? Sounds like maybe a replication problem or this particular group object is hosed. You might have to disable it then mail enable it again so all the Exchange attributes are re-stamped.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 20th, 2012 7:08pm

Try to send mail through OWA, it may work. If it does, then it's an Outlook issue.

Solution: Have the user update the offline address book (click the Send/Receive tab, click Send/Receive groups and select Download Address Book). Better yet,
1) Close Outlook
2) Delete the offline address book folder under C:\Users\username\AppData\Local\Microsoft\Outlook\Offline Address Books (I assume it's a Windows 7 computer; look under C:\documents and settings\username\. for XP computers).
3) Open Outlook and let it download the new OAB.

Other possibilities are:
1) You just gave Send-As permission to the user. Then, you have to wait for a few hours. (You may restart the Information Store for the permission to take effect right away, but who wants to do it?)
2) The user's Outlook got bad/outdated cached contact information. Search for *.NK* files under the user's profile and delete them. Obviously, close Outlook first before you delete the *.NK* files.

Please check this from your end, and if you face any issue or have any query please let me know. Check the below mentioned link for your reference.
http://anandthearchitect.wordpress.com/2011/07/17/exchange-2010-you-cant-send-a-message-on-behalf-of-this-user-unless-you-have-permission-to-do-so/
March 20th, 2012 8:41pm

Does not work through OWA either. I will try disabling/re-enabling the group.
March 21st, 2012 11:02am

"Enable send as permissions on distribution groups in Exchange 2010"
Type the below in, but change 'GroupName' to the name of the group and 'UserName' to the name of the user you wish to grant these permissions to:

    Set-DistributionGroup GroupName -GrantSendOnBehalfTo UserName
March 22nd, 2012 1:10pm

This topic is archived. No further replies will be accepted.
